From ed50f98010c8b7878d518273703e00fa561e980b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 08:47:22 -0500 Subject: [PATCH 0001/1650] output --- usr/lib/security-misc/permission-hardening | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 3d15451..bc020ca 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -19,6 +19,7 @@ echo_wrapper() { add_nosuid_statoverride_entry() { while read -r line; do if ! read -r file_name existing_mode owner group; then + echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2 continue fi From 6f8231be70940e2afb0ec8e4a0d60bb4f166f5b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 08:51:55 -0500 Subject: [PATCH 0002/1650] debugging --- usr/lib/security-misc/permission-hardening | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index bc020ca..4edebae 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -17,6 +17,7 @@ echo_wrapper() { } add_nosuid_statoverride_entry() { + true "line: $line" while read -r line; do if ! read -r file_name existing_mode owner group; then echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2 From 195ea522f5a8582851792b53047185717a6f679e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 08:52:14 -0500 Subject: [PATCH 0003/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 4edebae..1e3239e 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -17,8 +17,8 @@ echo_wrapper() { } add_nosuid_statoverride_entry() { - true "line: $line" while read -r line; do + true "line: $line" if ! read -r file_name existing_mode owner group; then echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2 continue From fbe2479f486add30cd29f5c4063a140c42c502fe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 08:54:56 -0500 Subject: [PATCH 0004/1650] count processed file system objects to be able to verify if any were "forgotten" --- usr/lib/security-misc/permission-hardening | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 1e3239e..76e2638 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -17,8 +17,11 @@ echo_wrapper() { } add_nosuid_statoverride_entry() { + fso_to_process="${fso_without_trailing_slash}/" + counter=0 while read -r line; do true "line: $line" + counter="$(( counter + 1 ))" if ! read -r file_name existing_mode owner group; then echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2 continue @@ -97,7 +100,9 @@ add_nosuid_statoverride_entry() { ## /lib will hit ARG_MAX. ## https://forums.whonix.org/t/kernel-hardening/7296/326 - done < <( find "${fso_without_trailing_slash}/" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + done < <( find "$fso_to_process" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + + echo "INFO: fso_to_process: '$fso_to_process' | counter: '$counter'" } set_file_perms() { From 55faa7b9978df52bcb98a562554473f80db1f171 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 09:43:23 -0500 Subject: [PATCH 0005/1650] fix missing processing files bug https://forums.whonix.org/t/permission-hardening/8655/16 --- usr/lib/security-misc/permission-hardening | 25 ++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 76e2638..05906ed 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -19,11 +19,32 @@ echo_wrapper() { add_nosuid_statoverride_entry() { fso_to_process="${fso_without_trailing_slash}/" counter=0 + while read -r line; do true "line: $line" counter="$(( counter + 1 ))" - if ! read -r file_name existing_mode owner group; then - echo "ERROR: cannot parse line by 'stat' - line: '$line'" >&2 + + arr=($line) + + file_name="${arr[0]}" + existing_mode="${arr[1]}" + owner="${arr[2]}" + group="${arr[3]}" + + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. line: '$line'" >&2 + continue + fi + if [ "owner" = "" ]; then + echo "ERROR: $owner is empty. line: '$line'" >&2 + continue + fi + if [ "$group" = "" ]; then + echo "ERROR: $group is empty. line: '$line'" >&2 continue fi From e28da89253f646969cdc2b0b46617bd603f917a5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 09:48:06 -0500 Subject: [PATCH 0006/1650] /bin/sudo whitelist / /bin/bwrap whitelist --- etc/permission-hardening.d/30_default.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 16830fd..a70b6e5 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -15,7 +15,9 @@ ## SUID whitelist. /usr/bin/sudo whitelist +/bin/sudo whitelist /usr/bin/bwrap whitelist +/bin/bwrap whitelist /usr/lib/policykit-1/polkit-agent-helper-1 whitelist /usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist From 50b8f65490555d9d12fd28991040c00a358b3b84 Mon Sep 17 00:00:00 2001 
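Review bot: The new owner check compares the literal string `"owner"` rather than the variable, so `[ "owner" = "" ]` is always false and an empty owner field slips through to the later `dpkg-statoverride` call; the two new error messages also print the field values (`$owner`, `$group`) instead of the field names. The fix is `if [ "$owner" = "" ]; then` followed by `echo "ERROR: owner is empty. line: '$line'" >&2`, and the same for `group`. Note that `arr=($line)` is still whitespace-split and subject to pathname expansion, so a setuid file whose path contains a space or a glob character gets a wrong `file_name`, fails the later `test -u`/`test -g`, and is silently skipped, which is precisely the class of "forgotten" file this loop is meant to catch; a NUL-delimited listing such as `find "$fso_to_process" -printf '%p\0%m\0%u\0%g\0'` consumed with one `read -r -d ''` per field would avoid it (`%m` should equal `stat %a`, worth confirming). The `done < <(...)` line that feeds this loop is outside the hunk.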
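Review bot: The new `/bin/sudo` and `/bin/bwrap` entries are presumably needed because the whitelist is matched by exact string against the path `stat` reports, so on a merged-/usr system the same binary shows up under both `/bin` and `/usr/bin`. A short comment would stop a later cleanup from removing them as apparent duplicates, e.g. `## /bin is a symlink to /usr/bin on merged-/usr systems; whitelist matching is by exact path string, so both spellings are required.`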
From: Patrick Schleizer Date: Fri, 20 Dec 2019 09:59:28 -0500 Subject: [PATCH 0007/1650] add sanity test: count if we really processed all files --- usr/lib/security-misc/permission-hardening | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 05906ed..a7f5b7d 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -18,11 +18,12 @@ echo_wrapper() { add_nosuid_statoverride_entry() { fso_to_process="${fso_without_trailing_slash}/" - counter=0 + should_be_counter="$(find "$fso_to_process" | wc -l)" + counter_actual=0 while read -r line; do true "line: $line" - counter="$(( counter + 1 ))" + counter_actual="$(( counter_actual + 1 ))" arr=($line) @@ -123,7 +124,13 @@ add_nosuid_statoverride_entry() { ## https://forums.whonix.org/t/kernel-hardening/7296/326 done < <( find "$fso_to_process" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - echo "INFO: fso_to_process: '$fso_to_process' | counter: '$counter'" + ## Sanity test. + if [ ! "$should_be_counter" = "$counter_actual" ]; then + echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" + echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" + exit_code=202 + echo "ERROR: counter does not check out." >&2 + fi } set_file_perms() { From e36868e675cbd80a36053956dbef71992cceca24 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:02:46 -0500 Subject: [PATCH 0008/1650] output --- usr/lib/security-misc/permission-hardening | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index a7f5b7d..9f023fc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
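Review bot: `counter_actual` is incremented at the top of the loop, before the field checks that `continue` on a malformed line, so an entry that could not be parsed is still counted as processed and the new sanity test cannot notice it, even though unparsable names are the main way a setuid file gets "forgotten" here. Move `counter_actual="$(( counter_actual + 1 ))"` to just after the last of those empty-field checks (the `test -u`/`test -g` handling that follows is outside this hunk). The comparison also relies on two independent `find` traversals, so a package being installed or removed between them yields a spurious `exit_code=202`; printing the two INFO lines to stderr next to the ERROR would at least make such a mismatch visible in logs.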
@@ -94,8 +94,6 @@ add_nosuid_statoverride_entry() { # new_mode=744 # fi - echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - is_whitelisted="" for white_list_entry in $whitelist ; do if [ "$file_name" = "$white_list_entry" ]; then @@ -106,10 +104,12 @@ add_nosuid_statoverride_entry() { done if [ "$is_whitelisted" = "true" ]; then - echo "INFO: skip whitelisted: '$file_name'" - continue + echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + continue fi + echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" + if dpkg-statoverride --list | grep -q "$file_name"; then if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then echo_wrapper dpkg-statoverride --remove "$file_name" From 4cfdf2c65b57f410163653304871ee3eb1d3f6ea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:21:27 -0500 Subject: [PATCH 0009/1650] fix, re-enforce nosuid even if changed on the disk --- usr/lib/security-misc/permission-hardening | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 9f023fc..302ccc9 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -110,14 +110,11 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - if dpkg-statoverride --list | grep -q "$file_name"; then - if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then - echo_wrapper dpkg-statoverride --remove "$file_name" - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" - fi - else - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" - fi + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this point. + ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. + echo_wrapper dpkg-statoverride --remove "$file_name" || true + echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" fi ## /lib will hit ARG_MAX. From 1ffa8e197e9ba9722d5fb2695de343df9d9db597 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:31:26 -0500 Subject: [PATCH 0010/1650] speed up setuid removal by using find with '-perm /u=s,g=s' https://forums.whonix.org/t/permission-hardening/8655/19 --- usr/lib/security-misc/permission-hardening | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 302ccc9..a11ca77 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -18,7 +18,7 @@ echo_wrapper() { add_nosuid_statoverride_entry() { fso_to_process="${fso_without_trailing_slash}/" - should_be_counter="$(find "$fso_to_process" | wc -l)" + should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" counter_actual=0 while read -r line; do 
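Review bot: The unconditional `--remove` followed by `--add --update` leaves a window with no override at all, and at this commit a failing add (for example the dpkg lock held by a concurrent apt run) presumably aborts the whole script under `set -e`, since `echo_wrapper` has no guard, so every setuid file later in the listing stays unprocessed and the entry just removed is gone until the next run. Because `|| true` already swallows the remove's status, the add is the only place the failure is observable; record it rather than letting `set -e` abort, e.g. `echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" || exit_code=203`. Separately, `stat %U %G` prints `UNKNOWN` for an unmapped uid/gid, which dpkg-statoverride would likely reject; numeric ids via `%u %g` passed with the `#` prefix would be more robust, though that line is outside this hunk.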
@@ -119,7 +119,7 @@ add_nosuid_statoverride_entry() { ## /lib will hit ARG_MAX. ## https://forums.whonix.org/t/kernel-hardening/7296/326 - done < <( find "$fso_to_process" -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) ## Sanity test. if [ ! "$should_be_counter" = "$counter_actual" ]; then From 133d09f2984506e0b0fd2e17a893b8d3e37b8431 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:33:16 -0500 Subject: [PATCH 0011/1650] output --- usr/lib/security-misc/permission-hardening | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index a11ca77..49a5866 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -154,11 +154,6 @@ set_file_perms() { continue fi - if ! [ -e "$fso" ]; then - echo "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - fso_without_trailing_slash="${fso%/}" if [ "$mode_from_config" = "whitelist" ]; then @@ -166,6 +161,11 @@ set_file_perms() { continue fi + if ! [ -e "$fso" ]; then + echo "INFO: fso: '$fso' - does not exist. This is likely normal." + continue + fi + ## Use dpkg-statoverride so permissions are not reset during upgrades. nosuid="" From 370f3c5e541612021fa181e39507aa4ba8131731 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:35:05 -0500 Subject: [PATCH 0012/1650] comment --- usr/lib/security-misc/permission-hardening | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 49a5866..a2b98ca 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -118,6 +118,7 @@ add_nosuid_statoverride_entry() { fi ## /lib will hit ARG_MAX. + ## That was before using '-perm /u=s,g=s'. ## https://forums.whonix.org/t/kernel-hardening/7296/326 done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) From b3458cc6ee368968de1510e9d05ddd3791fe5f6d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:45:59 -0500 Subject: [PATCH 0013/1650] fix checking existing entries to avoid needless calls to dpkg-statoverride --- usr/lib/security-misc/permission-hardening | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index a2b98ca..85cf3b9 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -198,10 +198,17 @@ set_file_perms() { continue fi + mode_for_grep="$mode_from_config" + first_character_of_mode_from_config="${mode_from_config::1}" + if [ "$first_character_of_mode_from_config" = "0" ]; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + ## Check there is an entry for the fso. if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then ## There is an fso entry. Check if owner/group/mode match. - if dpkg-statoverride --list | grep -q "$owner $group $mode_from_config $fso_without_trailing_slash"; then + if dpkg-statoverride --list | grep -q "$owner $group $mode_for_grep $fso_without_trailing_slash"; then ## The owner/group/mode matches. No further action required. true OK else From 79cd3b86b6e5e186da66fd329b04fb3b42c0276e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:47:23 -0500 Subject: [PATCH 0014/1650] comment --- usr/lib/security-misc/permission-hardening | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 85cf3b9..014dd1c 100755 
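Review bot: Both `grep -q` checks are unanchored regex matches, so a configured `/usr/bin/su` is satisfied by an existing `root root 4755 /usr/bin/sudo` line and no override is ever written for `su`; the new `mode_for_grep` only makes that false match more likely by normalising the mode. Compare the whole line instead: `if dpkg-statoverride --list | grep -qxF -- "$owner $group $mode_for_grep $fso_without_trailing_slash"; then` (assuming single-space-separated fields, as in dpkg-statoverride's output), and for the existence check use `if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null 2>&1; then`, since `--list` takes a glob and exits non-zero when nothing matches (confirm on the target dpkg version). `set_file_perms` begins and ends outside this hunk.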
--- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -206,6 +206,12 @@ set_file_perms() { fi ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then ## There is an fso entry. Check if owner/group/mode match. if dpkg-statoverride --list | grep -q "$owner $group $mode_for_grep $fso_without_trailing_slash"; then From b31abea0af60874d4a48fd0da56978b0081eaef8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:49:31 -0500 Subject: [PATCH 0015/1650] improve error handling --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 014dd1c..478a1dc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -13,7 +13,7 @@ exit_code=0 echo_wrapper() { echo "run: $@" - "$@" + "$@" || echo "ERROR: above command failed!" >&2 } add_nosuid_statoverride_entry() { From c0ddb76d7463753e3250fc7da466fa763ef08dd5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 10:50:51 -0500 Subject: [PATCH 0016/1650] bumped changelog version --- changelog.upstream | 102 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 108 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bc6f85b..5af0404 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,105 @@ +commit b31abea0af60874d4a48fd0da56978b0081eaef8 +Author: Patrick Schleizer +Date: Fri Dec 20 10:49:31 2019 -0500 + + improve error handling + +commit 79cd3b86b6e5e186da66fd329b04fb3b42c0276e +Author: Patrick Schleizer +Date: Fri Dec 20 10:47:23 2019 -0500 + + comment + +commit b3458cc6ee368968de1510e9d05ddd3791fe5f6d +Author: Patrick Schleizer +Date: Fri Dec 20 10:45:59 2019 -0500 + + fix checking existing entries to avoid needless calls to dpkg-statoverride + +commit 370f3c5e541612021fa181e39507aa4ba8131731 +Author: Patrick Schleizer +Date: Fri Dec 20 10:35:05 2019 -0500 + + comment + +commit 133d09f2984506e0b0fd2e17a893b8d3e37b8431 +Author: Patrick Schleizer +Date: Fri Dec 20 10:33:16 2019 -0500 + + output + +commit 1ffa8e197e9ba9722d5fb2695de343df9d9db597 +Author: Patrick Schleizer +Date: Fri Dec 20 10:31:26 2019 -0500 + + speed up setuid removal by using find with '-perm /u=s,g=s' + + https://forums.whonix.org/t/permission-hardening/8655/19 + +commit 4cfdf2c65b57f410163653304871ee3eb1d3f6ea +Author: Patrick Schleizer +Date: Fri Dec 20 10:21:27 2019 -0500 + + fix, re-enforce nosuid even if changed on the disk + +commit e36868e675cbd80a36053956dbef71992cceca24 +Author: Patrick Schleizer +Date: Fri Dec 20 10:02:46 2019 -0500 + + output + +commit 50b8f65490555d9d12fd28991040c00a358b3b84 +Author: Patrick Schleizer +Date: Fri Dec 20 09:59:28 2019 -0500 + + add sanity test: count if we really processed all files + +commit e28da89253f646969cdc2b0b46617bd603f917a5 +Author: Patrick Schleizer +Date: Fri Dec 20 09:48:06 2019 -0500 + + /bin/sudo whitelist / /bin/bwrap whitelist + +commit 55faa7b9978df52bcb98a562554473f80db1f171 +Author: Patrick Schleizer +Date: Fri Dec 20 09:43:23 2019 -0500 + + fix missing processing files bug + + https://forums.whonix.org/t/permission-hardening/8655/16 + +commit fbe2479f486add30cd29f5c4063a140c42c502fe +Author: Patrick Schleizer +Date: Fri Dec 20 08:54:56 2019 -0500 + + count processed file system objects + + to be able 
to verify if any were "forgotten" + +commit 195ea522f5a8582851792b53047185717a6f679e +Author: Patrick Schleizer +Date: Fri Dec 20 08:52:14 2019 -0500 + + fix + +commit 6f8231be70940e2afb0ec8e4a0d60bb4f166f5b9 +Author: Patrick Schleizer +Date: Fri Dec 20 08:51:55 2019 -0500 + + debugging + +commit ed50f98010c8b7878d518273703e00fa561e980b +Author: Patrick Schleizer +Date: Fri Dec 20 08:47:22 2019 -0500 + + output + +commit 089c40135f2a7f0da128808a27b696e36aff6821 +Author: Patrick Schleizer +Date: Fri Dec 20 08:15:00 2019 -0500 + + bumped changelog version + commit 6d30e3b4a2c0e5cf53d88b4a033511aa49b8f227 Author: Patrick Schleizer Date: Fri Dec 20 08:13:23 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 817f24e..c209c9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:11.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000 + security-misc (3:11.6-1) unstable; urgency=medium * New upstream version (local package). From cd8efe58008c7b0e90ac88ac098b3fd08e75d716 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:03:22 -0500 Subject: [PATCH 0017/1650] output --- usr/lib/security-misc/permission-hardening | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 478a1dc..89c4015 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -11,7 +11,12 @@ set -e exit_code=0 -echo_wrapper() { +echo_wrapper_ignore() { + echo "run: $@" + "$@" || true +} + +echo_wrapper_audit() { echo "run: $@" "$@" || echo "ERROR: above command failed!" >&2 } 
@@ -113,8 +118,8 @@ add_nosuid_statoverride_entry() { ## No need to check "dpkg-statoverride --list" for existing entries. ## If existing_mode was correct already, we would not have reached this point. ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. - echo_wrapper dpkg-statoverride --remove "$file_name" || true - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" + echo_wrapper_ignore dpkg-statoverride --remove "$file_name" + echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" fi ## /lib will hit ARG_MAX. @@ -221,12 +226,12 @@ set_file_perms() { ## The owner/group/mode do not match, therefore remove and re-add the entry to update it. ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" - echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" fi else ## There is no fso entry. Therefore add one. - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" fi fi @@ -235,14 +240,14 @@ set_file_perms() { fi if [ "$capability" = "none" ]; then - echo_wrapper setcap -r "$fso" + echo_wrapper_audit setcap -r "$fso" else if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then echo "ERROR: Capability '$capability' does not exist!" >&2 continue fi - echo_wrapper setcap "${capability}+ep" "$fso" + echo_wrapper_audit setcap "${capability}+ep" "$fso" fi done < "$config_file" } 
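Review bot: `setcap -r "$fso"` now runs through `echo_wrapper_audit` for every `none` entry, but I believe libcap's `setcap -r` fails with "Failed to set capabilities on file" (ENODATA) when the file carries no capability xattr, so on an already-hardened system each such config line would log an ERROR on every run; worth confirming on the target release. Guard it on the current state, e.g. `if [ -n "$(getcap "$fso")" ]; then echo_wrapper_audit setcap -r "$fso"; fi`, assuming `getcap` prints nothing for a file without capabilities. `set_file_perms` begins outside this hunk.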
From 731f80289566e118ba6c121c406775abc4c03bd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:04:12 -0500 Subject: [PATCH 0018/1650] output --- usr/lib/security-misc/permission-hardening | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 89c4015..1b4b5bd 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -137,6 +137,7 @@ add_nosuid_statoverride_entry() { } set_file_perms() { + echo "INFO: parsing config_file: '$config_file'" while read -r line; do if [ "$line" = "" ]; then continue From 1e11b775cf1d2994f2e0da8d0191ef38eebe21a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:05:05 -0500 Subject: [PATCH 0019/1650] output --- usr/lib/security-misc/permission-hardening | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 1b4b5bd..8dba0b0 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -262,4 +262,8 @@ parse_config_folder() { parse_config_folder +if [ ! "$exit_code" = "0" ]; then + echo "ERROR: Will exist with non-zero exit code: '$exit_code'" >&2 +fi + exit "$exit_code" From 1615ebec58b563224c7c02cd2b1f83b0954c48ca Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:07:44 -0500 Subject: [PATCH 0020/1650] output --- usr/lib/security-misc/permission-hardening | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 8dba0b0..50f43f5 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
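Review bot: The new final error message misspells the verb, which matters because operators grep logs for these strings: `echo "ERROR: Will exist with non-zero exit code: '$exit_code'" >&2` should read `echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2`. A one-line comment above it listing what the codes mean (202 is the counter mismatch) would also help whoever reads the log.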
@@ -18,7 +18,13 @@ echo_wrapper_ignore() { echo_wrapper_audit() { echo "run: $@" - "$@" || echo "ERROR: above command failed!" >&2 + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=203 ; \ + echo "ERROR: above command failed with exit code '$return_code'!" >&2 ; \ + }; } add_nosuid_statoverride_entry() { From 28d12c3966e3ddfadbf7d44e7c7bcdc37e1a7d25 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:09:22 -0500 Subject: [PATCH 0021/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5af0404..f6d4562 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 1615ebec58b563224c7c02cd2b1f83b0954c48ca +Author: Patrick Schleizer +Date: Fri Dec 20 11:07:44 2019 -0500 + + output + +commit 1e11b775cf1d2994f2e0da8d0191ef38eebe21a8 +Author: Patrick Schleizer +Date: Fri Dec 20 11:05:05 2019 -0500 + + output + +commit 731f80289566e118ba6c121c406775abc4c03bd4 +Author: Patrick Schleizer +Date: Fri Dec 20 11:04:12 2019 -0500 + + output + +commit cd8efe58008c7b0e90ac88ac098b3fd08e75d716 +Author: Patrick Schleizer +Date: Fri Dec 20 11:03:22 2019 -0500 + + output + +commit c0ddb76d7463753e3250fc7da466fa763ef08dd5 +Author: Patrick Schleizer +Date: Fri Dec 20 10:50:51 2019 -0500 + + bumped changelog version + commit b31abea0af60874d4a48fd0da56978b0081eaef8 Author: Patrick Schleizer Date: Fri Dec 20 10:49:31 2019 -0500 diff --git a/debian/changelog b/debian/changelog index c209c9f..045b714 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:11.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2019 16:09:22 +0000 + security-misc (3:11.7-1) unstable; urgency=medium * New upstream version (local package). 
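Review bot: `exit_code=203` in the new failure branch unconditionally overwrites whatever an earlier failure recorded (for example the 202 from the counter sanity check), so the final exit status only reflects the last kind of error seen; `if [ "$exit_code" = "0" ]; then exit_code=203; fi` keeps the first one, or use distinct values that can be combined. `return_code` is also assigned without `local` and so leaks into the caller's scope; `local return_code=0` is enough since the script already relies on bash. The trailing backslashes inside the `{ ... }` group are unnecessary and only make the block harder to read.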
From 3265f9894d1c677419718de52570d304a4e69279 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:27:43 -0500 Subject: [PATCH 0022/1650] output --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 50f43f5..8ec8592 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -13,7 +13,7 @@ exit_code=0 echo_wrapper_ignore() { echo "run: $@" - "$@" || true + "$@" 2>/dev/null || true } echo_wrapper_audit() { From cad6f328f40bb8b3c414e2bd6c7cb86e625f6d64 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:34:44 -0500 Subject: [PATCH 0023/1650] minor --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 8ec8592..bc0d5db 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -179,7 +179,7 @@ set_file_perms() { continue fi - ## Use dpkg-statoverride so permissions are not reset during upgrades. + ## Use dpkg-statoverride so permissions are not reset during upgrades. nosuid="" if [ "$mode_from_config" = "nosuid" ]; then From b95225b6a6b45b84778ba2427ae4628f102e6d05 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:37:05 -0500 Subject: [PATCH 0024/1650] pipefail --- usr/lib/security-misc/permission-hardening | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index bc0d5db..c1db738 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -8,6 +8,7 @@ #set -x set -e +set -o pipefail exit_code=0 
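Review bot: `2>/dev/null` in `echo_wrapper_ignore` discards all of the wrapped command's stderr, not only the "no override present" noise it is aimed at, so a `dpkg-statoverride --remove` that fails because the dpkg lock is held or the statoverride database is unreadable becomes invisible, and the subsequent audited `--add --update` then reports a misleading failure. If the goal is a quiet remove of a possibly-absent entry, test for it at the call site instead (outside this hunk): `if dpkg-statoverride --list "$file_name" >/dev/null 2>&1; then echo_wrapper_audit dpkg-statoverride --remove "$file_name"; fi`, since `--list` takes a glob and exits non-zero when nothing matches, so real errors stay audited. Otherwise at least keep stderr and drop only the exit status.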
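Review bot: With `set -o pipefail` now in effect, the script's `... | grep -q` pipelines (the `dpkg-statoverride --list | grep -q ...` checks and `capsh --print | grep "Bounding set" | grep -q "$capability"`, all outside this hunk) change meaning: `grep -q` exits on the first match, and if the producer is still writing it dies of SIGPIPE, making the whole `if` condition false despite a match. The outputs involved are small, so this is unlikely in practice, but a large override list could make a present entry look absent and trigger a needless remove/add. Using `grep >/dev/null` in place of `grep -q` reads all input and so avoids the SIGPIPE, keeping the checks reliable under pipefail.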
@@ -29,7 +30,7 @@ echo_wrapper_audit() { add_nosuid_statoverride_entry() { fso_to_process="${fso_without_trailing_slash}/" - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" + should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true counter_actual=0 while read -r line; do From 9321ecff4139f0776f93a9bd8c9606bcaf94f568 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:43:53 -0500 Subject: [PATCH 0025/1650] no more need to add/remove / --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index c1db738..6a2cb86 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -29,7 +29,7 @@ echo_wrapper_audit() { } add_nosuid_statoverride_entry() { - fso_to_process="${fso_without_trailing_slash}/" + fso_to_process="$fso" should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true counter_actual=0 From 71496a33ab27455d2856284d21f261dd20780dc2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:47:53 -0500 Subject: [PATCH 0026/1650] skip folders are these are not suid / guid --- usr/lib/security-misc/permission-hardening | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 6a2cb86..6c33089 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -71,6 +71,12 @@ add_nosuid_statoverride_entry() { continue fi + if test -d "$file_name" ; then + ## https://forums.whonix.org/t/kernel-hardening/7296/323 + true "skip folder: $file_name" + continue + fi + setuid="" setuid_output="" if test -u "$file_name" ; then From ff0a26fb5d65450c0a2b5fb86758d3d823a717e9 Mon Sep 17 00:00:00 2001 
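Review bot: Dropping the trailing slash changes what `find` does when the configured path is a symlink to a directory: without `-L`/`-H`, `find /bin -perm ...` on a merged-/usr system (where `/bin` points at `usr/bin`) examines the link itself and never descends, whereas the previous `${fso_without_trailing_slash}/` forced the link to be resolved. The `/bin/sudo` and `/bin/bwrap` whitelist entries suggest `/bin` is expected to be walked, so unless every config line ends in `/` this silently skips a whole tree. Passing `-H` restores the old behaviour while leaving symlinks below the start point alone: `should_be_counter="$(find -H "$fso_to_process" -perm /u=s,g=s | wc -l)" || true`, and likewise for the `find` feeding the `done < <(...)` loop outside this hunk.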
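Review bot: The new directory skip deserves a comment, because the commit message ("folders are not suid/guid") is misleading: `-perm /u=s,g=s` does match setgid directories (the usual group-inheritance setup, e.g. the `root:staff` 2775 directories under `/usr/local` on Debian), and without this skip the loop would strip that bit and register a dpkg-statoverride for them. Suggested: `## Directories can legitimately carry the setgid bit (group inheritance); only regular files are nosuid candidates.` Note that `test -d` follows symlinks, which is fine here since `find` without `-L` does not report link targets.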
From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:49:19 -0500 Subject: [PATCH 0027/1650] comment --- usr/lib/security-misc/permission-hardening | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 6c33089..2305c1d 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -72,7 +72,6 @@ add_nosuid_statoverride_entry() { fi if test -d "$file_name" ; then - ## https://forums.whonix.org/t/kernel-hardening/7296/323 true "skip folder: $file_name" continue fi From 1cd5fb6a0020504c7897acf169772d39b67f4bd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:50:25 -0500 Subject: [PATCH 0028/1650] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f6d4562..1b6e8bf 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,45 @@ +commit ff0a26fb5d65450c0a2b5fb86758d3d823a717e9 +Author: Patrick Schleizer +Date: Fri Dec 20 11:49:19 2019 -0500 + + comment + +commit 71496a33ab27455d2856284d21f261dd20780dc2 +Author: Patrick Schleizer +Date: Fri Dec 20 11:47:53 2019 -0500 + + skip folders are these are not suid / guid + +commit 9321ecff4139f0776f93a9bd8c9606bcaf94f568 +Author: Patrick Schleizer +Date: Fri Dec 20 11:43:53 2019 -0500 + + no more need to add/remove / + +commit b95225b6a6b45b84778ba2427ae4628f102e6d05 +Author: Patrick Schleizer +Date: Fri Dec 20 11:37:05 2019 -0500 + + pipefail + +commit cad6f328f40bb8b3c414e2bd6c7cb86e625f6d64 +Author: Patrick Schleizer +Date: Fri Dec 20 11:34:44 2019 -0500 + + minor + +commit 3265f9894d1c677419718de52570d304a4e69279 +Author: Patrick Schleizer +Date: Fri Dec 20 11:27:43 2019 -0500 + + output + +commit 28d12c3966e3ddfadbf7d44e7c7bcdc37e1a7d25 +Author: Patrick Schleizer +Date: Fri Dec 20 11:09:22 2019 -0500 + + bumped changelog version + commit 1615ebec58b563224c7c02cd2b1f83b0954c48ca Author: Patrick Schleizer Date: Fri Dec 20 11:07:44 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 045b714..106b863 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:11.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2019 16:50:25 +0000 + security-misc (3:11.8-1) unstable; urgency=medium * New upstream version (local package). From f88ca2588920ac16a6b41e8c48021bf85801c2a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 11:58:07 -0500 Subject: [PATCH 0029/1650] fix terminology, sguid -> sgid Thanks to @madaidan for the bug report! https://forums.whonix.org/t/permission-hardening/8655/21 --- usr/lib/security-misc/permission-hardening | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 2305c1d..b2500dc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -82,14 +82,14 @@ add_nosuid_statoverride_entry() { setuid=true setuid_output="set-user-id" fi - setguid="" - setguid_output="" + setsgid="" + setsgid_output="" if test -g "$file_name"; then - setguid=true - setguid_output="set-group-id" + setsgid=true + setsgid_output="set-group-id" fi - if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then + if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then string_length_of_existing_mode="${#existing_mode}" if [ "$string_length_of_existing_mode" = "4" ]; then new_mode="${existing_mode:1}" @@ -99,7 +99,7 @@ add_nosuid_statoverride_entry() { ## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability? ## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these? -## Are there suid or guid binaries which are still useful if suid / guid has been removed from these? +## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? ## https://forums.whonix.org/t/permission-hardening/8655/10 # if [ "$new_mode" = "755" ]; then # new_mode=744 
@@ -121,11 +121,11 @@ add_nosuid_statoverride_entry() { done if [ "$is_whitelisted" = "true" ]; then - echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" continue fi - echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" + echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" ## No need to check "dpkg-statoverride --list" for existing entries. ## If existing_mode was correct already, we would not have reached this point. From 1b569ea7908dcba409c94dacd477d2fbfeafe522 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:32:36 -0500 Subject: [PATCH 0030/1650] comment --- etc/permission-hardening.d/30_default.conf | 1 + usr/lib/security-misc/permission-hardening | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index a70b6e5..fa77fdc 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -14,6 +14,7 @@ ## argument. ## SUID whitelist. +## TODO: white spaces inside file name untested /usr/bin/sudo whitelist /bin/sudo whitelist /usr/bin/bwrap whitelist diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index b2500dc..a58ffdf 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -176,6 +176,7 @@ set_file_perms() { fso_without_trailing_slash="${fso%/}" if [ "$mode_from_config" = "whitelist" ]; then + ## TODO: test/add white spaces inside file name support whitelist+="$fso_without_trailing_slash " continue fi 
From 508ec0c6fa44d9185aa22f5fa81ae9dbbefdb19c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:34:07 -0500 Subject: [PATCH 0031/1650] comment --- etc/permission-hardening.d/30_default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index fa77fdc..3e5cab5 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -40,7 +40,7 @@ /usr/sbin/ nosuid /usr/local/sbin/ nosuid -## Takes 1 minute to parse. No SUID binaries there by default. +## No SUID binaries there by default. ## remount-secure mounts it with nosuid anyhow. ## Therefore no processing it here. #/lib/ nosuid From d3f16a5bf46a7d10316259788f3d97364fe2e545 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:47:10 -0500 Subject: [PATCH 0032/1650] sgid /usr/lib/qubes/qfile-unpacker whitelist --- etc/permission-hardening.d/30_default.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 3e5cab5..a4dfb09 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -24,6 +24,10 @@ /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/x86_64-linux-gnu/utempter/utempter whitelist +## TODO: research +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +/usr/lib/qubes/qfile-unpacker whitelist + ## Permission hardening. /home/ 0755 root root /home/user/ 0700 user user From 3fab3876693f20303c95f03c45af9adb9ae680e2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:50:35 -0500 Subject: [PATCH 0033/1650] suid /usr/bin/firejail whitelist There is a controversy about firejail but those who choose to install it should be able to use it. https://www.whonix.org/wiki/Dev/Firejail#Security --- etc/permission-hardening.d/30_default.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index a4dfb09..2ce2fd0 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -24,6 +24,11 @@ /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/x86_64-linux-gnu/utempter/utempter whitelist +## There is a controversy about firejail but those who choose to install it +## should be able to use it. +## https://www.whonix.org/wiki/Dev/Firejail#Security +/usr/bin/firejail whitelist + ## TODO: research ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c /usr/lib/qubes/qfile-unpacker whitelist From 17e8605119fc671c4cbe4343851cf3c46b830508 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:57:24 -0500 Subject: [PATCH 0034/1650] add matchwhitelist feature add "/usr/lib/virtualbox/ matchwhitelist" --- etc/permission-hardening.d/30_default.conf | 6 +++++- usr/lib/security-misc/permission-hardening | 20 ++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 2ce2fd0..28da07c 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -13,7 +13,7 @@ ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## argument. -## SUID whitelist. +## SUID exact match whitelist. ## TODO: white spaces inside file name untested /usr/bin/sudo whitelist /bin/sudo whitelist 
@@ -33,6 +33,10 @@ ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c /usr/lib/qubes/qfile-unpacker whitelist +## SUID regex match whitelist. +## TODO: white spaces inside file name untested +/usr/lib/virtualbox/ matchwhitelist + ## Permission hardening. /home/ 0755 root root /home/user/ 0700 user user diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index a58ffdf..cb598cc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -120,11 +120,25 @@ add_nosuid_statoverride_entry() { fi done + is_match_whitelisted="" + for matchwhite_list_entry in $matchwhitelist ; do + if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then + is_match_whitelisted="true" + ## Stop looping through the matchwhitelist. + break + fi + done + if [ "$is_whitelisted" = "true" ]; then echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" continue fi + if [ "$is_match_whitelisted" = "true" ]; then + echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + continue + fi + echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" ## No need to check "dpkg-statoverride --list" for existing entries. @@ -181,6 +195,12 @@ set_file_perms() { continue fi + if [ "$mode_from_config" = "matchwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + matchwhitelist+="$fso " + continue + fi + if ! [ -e "$fso" ]; then echo "INFO: fso: '$fso' - does not exist. This is likely normal." continue From d7bd477e7379cd5d74d81e81080d375041cc3b29 Mon Sep 17 00:00:00 2001 
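Review bot: The matchwhitelist test `grep -q "$matchwhite_list_entry"` is an unanchored basic-regex substring match, so an entry such as `/usr/lib/virtualbox/` exempts any path that merely contains that string rather than only files below that directory, and regex metacharacters in an entry (a `.` in a name) match more than intended. Anchoring the pattern to the start of the path, `grep -q "^$matchwhite_list_entry"`, keeps the exemption to the intended prefix; if literal prefixes are all that is needed, `case "$file_name" in "$matchwhite_list_entry"*)` avoids both the regex and the subprocess per file. The config hunk above labels the feature "SUID regex match whitelist", so whichever semantics are chosen should be stated there too. The companion hunk in set_file_perms stores `$fso` with its trailing slash, which is what gives the entry its prefix meaning, worth a one-line comment at `matchwhitelist+="$fso "`.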
From: Patrick Schleizer Date: Fri, 20 Dec 2019 12:59:27 -0500 Subject: [PATCH 0035/1650] add "/usr/lib/xorg/Xorg.wrap whitelist" until this is researched https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html https://lwn.net/Articles/590315/ --- etc/permission-hardening.d/30_default.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 28da07c..30e02bc 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -29,10 +29,17 @@ ## https://www.whonix.org/wiki/Dev/Firejail#Security /usr/bin/firejail whitelist -## TODO: research +## {{ TODO: research + ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c /usr/lib/qubes/qfile-unpacker whitelist +## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html +## https://lwn.net/Articles/590315/ +/usr/lib/xorg/Xorg.wrap whitelist + +## }} + ## SUID regex match whitelist. ## TODO: white spaces inside file name untested /usr/lib/virtualbox/ matchwhitelist From 77b3dd5d6b5de0070da7e71154ecbe2e099e3b7f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 13:02:33 -0500 Subject: [PATCH 0036/1650] comments --- etc/permission-hardening.d/30_default.conf | 28 ++++++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 30e02bc..3c6fa63 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -13,8 +13,12 @@ ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## argument. -## SUID exact match whitelist. +###################################################################### +# SUID exact match whitelist +###################################################################### + ## TODO: white spaces inside file name untested + /usr/bin/sudo whitelist /bin/sudo whitelist /usr/bin/bwrap whitelist @@ -29,7 +33,11 @@ ## https://www.whonix.org/wiki/Dev/Firejail#Security /usr/bin/firejail whitelist -## {{ TODO: research +###################################################################### +# SUID exact match whitelist - research required +###################################################################### + +## TODO: research required ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c /usr/lib/qubes/qfile-unpacker whitelist @@ -38,13 +46,18 @@ ## https://lwn.net/Articles/590315/ /usr/lib/xorg/Xorg.wrap whitelist -## }} +###################################################################### +# SUID regex match whitelist - research required +###################################################################### -## SUID regex match whitelist. ## TODO: white spaces inside file name untested + /usr/lib/virtualbox/ matchwhitelist -## Permission hardening. +###################################################################### +# Permission Hardening +###################################################################### + /home/ 0755 root root /home/user/ 0700 user user /root/ 0700 root root @@ -52,7 +65,12 @@ /etc/permission-hardening.d 0600 root root /usr/local/etc/permission-hardening.d 0600 root root +###################################################################### +# SUID/SGID Removal +###################################################################### + ## Remove all SUID/SGID binaries/libraries. + /bin/ nosuid /usr/bin/ nosuid /usr/local/bin/ nosuid 
From d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2019 13:07:01 -0500 Subject: [PATCH 0037/1650] suid /usr/lib/chromium/chrome-sandbox whitelist --- etc/permission-hardening.d/30_default.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 3c6fa63..263fa57 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -27,6 +27,7 @@ /usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/x86_64-linux-gnu/utempter/utempter whitelist +/usr/lib/chromium/chrome-sandbox whitelist ## There is a controversy about firejail but those who choose to install it ## should be able to use it. From cfe69dd66900f7aad5311c02d2b4ee7b400fb90b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 20 Dec 2019 22:44:27 +0000 Subject: [PATCH 0038/1650] Delete usr.lib.security-misc.permission-lockdown --- .../usr.lib.security-misc.permission-lockdown | 42 ------------------- 1 file changed, 42 deletions(-) delete mode 100644 etc/apparmor.d/usr.lib.security-misc.permission-lockdown diff --git a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown deleted file mode 100644 index cffcb0d..0000000 --- a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown +++ /dev/null 
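Review bot: The new `/usr/lib/chromium/chrome-sandbox whitelist` line is the only entry in this block without a comment saying why the binary keeps its setuid bit; the firejail entry just below and the research-section entries each carry a rationale or a link. Suggest a one-line comment above it, e.g. `## Chromium's setuid sandbox helper; reportedly only needed where unprivileged user namespaces are unavailable - verify.`. A whitelist of setuid binaries is the list an auditor reads first, so each entry should explain itself.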
@@ -1,42 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#include - -/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) { - #include - #include - - capability dac_override, - capability dac_read_search, - capability fowner, - capability fsetid, - - /bin/bash rix, - /usr/bin/bash rix, - /bin/chmod mrix, - /bin/echo mrix, - /bin/mkdir mrix, - /bin/touch mrix, - /usr/bin/chmod mrix, - /usr/bin/basename mrix, - /usr/bin/touch mrix, - /usr/lib/security-misc/permission-lockdown r, - - /home/*/ w, - - /{usr/,}lib{,32,64}/** mr, - - /etc/ld.so.cache r, - owner /etc/locale.alias r, - owner /etc/nsswitch.conf r, - owner /etc/passwd r, - - owner /var/cache/security-misc/state-files/ rw, - owner /var/cache/security-misc/state-files/* rw, - - /dev/tty rw, - /dev/pts/[0-9]* rw, - - #include -} From c28ddf5c4dbfd92aba9a59874f529a4afe69c497 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 20 Dec 2019 22:44:31 +0000 Subject: [PATCH 0039/1650] Delete usr.lib.security-misc.pam_tally2-info --- .../usr.lib.security-misc.pam_tally2-info | 42 ------------------- 1 file changed, 42 deletions(-) delete mode 100644 etc/apparmor.d/usr.lib.security-misc.pam_tally2-info diff --git a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info deleted file mode 100644 index 50803fb..0000000 --- a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +++ /dev/null 
@@ -1,42 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#include - -/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) { - #include - #include - - capability dac_override, - capability dac_read_search, - - /bin/bash ix, - /bin/cat mrix, - /usr/bin/cat mrix, - /bin/grep mrix, - /usr/bin/id rix, - /usr/bin/cut mrix, - /usr/bin/tail mrix, - /sbin/pam_tally2 mrix, - /usr/sbin/pam_tally2 mrix, - /usr/lib/security-misc/pam_tally2-info r, - - /etc/ld.so.cache r, - /etc/locale.alias r, - - /{usr/,}lib{,32,64}/** mr, - - owner /etc/nsswitch.conf r, - owner /etc/pam.d/* r, - owner /etc/passwd r, - owner /etc/group r, - owner /etc/securetty r, - - owner /usr/share/zoneinfo/** r, - owner /var/log/tallylog rw, - - /dev/tty rw, - owner /dev/pts/[0-9]* rw, - - #include -} From 89be5f2ecb998c46ff4864996cd86b97fa56d176 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 02:05:39 -0500 Subject: [PATCH 0040/1650] bumped changelog version --- changelog.upstream | 75 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 81 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1b6e8bf..f1851bd 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,78 @@ +commit d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 +Author: Patrick Schleizer +Date: Fri Dec 20 13:07:01 2019 -0500 + + suid /usr/lib/chromium/chrome-sandbox whitelist + +commit 77b3dd5d6b5de0070da7e71154ecbe2e099e3b7f +Author: Patrick Schleizer +Date: Fri Dec 20 13:02:33 2019 -0500 + + comments + +commit d7bd477e7379cd5d74d81e81080d375041cc3b29 +Author: Patrick Schleizer +Date: Fri Dec 20 12:59:27 2019 -0500 + + add "/usr/lib/xorg/Xorg.wrap whitelist" + + until this is researched + + https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html + https://lwn.net/Articles/590315/ + +commit 17e8605119fc671c4cbe4343851cf3c46b830508 +Author: Patrick Schleizer +Date: Fri Dec 20 12:57:24 2019 -0500 + + add matchwhitelist feature + + add "/usr/lib/virtualbox/ matchwhitelist" + +commit 3fab3876693f20303c95f03c45af9adb9ae680e2 +Author: Patrick Schleizer +Date: Fri Dec 20 12:50:35 2019 -0500 + + suid /usr/bin/firejail whitelist + + There is a controversy about firejail but those who choose to install it + should be able to use it. + https://www.whonix.org/wiki/Dev/Firejail#Security + +commit d3f16a5bf46a7d10316259788f3d97364fe2e545 +Author: Patrick Schleizer +Date: Fri Dec 20 12:47:10 2019 -0500 + + sgid /usr/lib/qubes/qfile-unpacker whitelist + +commit 508ec0c6fa44d9185aa22f5fa81ae9dbbefdb19c +Author: Patrick Schleizer +Date: Fri Dec 20 12:34:07 2019 -0500 + + comment + +commit 1b569ea7908dcba409c94dacd477d2fbfeafe522 +Author: Patrick Schleizer +Date: Fri Dec 20 12:32:36 2019 -0500 + + comment + +commit f88ca2588920ac16a6b41e8c48021bf85801c2a9 +Author: Patrick Schleizer +Date: Fri Dec 20 11:58:07 2019 -0500 + + fix terminology, sguid -> sgid + + Thanks to @madaidan for the bug report! 
+ + https://forums.whonix.org/t/permission-hardening/8655/21 + +commit 1cd5fb6a0020504c7897acf169772d39b67f4bd4 +Author: Patrick Schleizer +Date: Fri Dec 20 11:50:25 2019 -0500 + + bumped changelog version + commit ff0a26fb5d65450c0a2b5fb86758d3d823a717e9 Author: Patrick Schleizer Date: Fri Dec 20 11:49:19 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 106b863..5223e6b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 07:05:39 +0000 + security-misc (3:11.9-1) unstable; urgency=medium * New upstream version (local package). From e6ea21c7757ad732bd9bcce2c6a7a364780e1b14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 04:08:35 -0500 Subject: [PATCH 0041/1650] record existing modes in separate dpkg-statoverwrite databases to have a history of what was modified and to allow to undo changes --- usr/lib/security-misc/permission-hardening | 169 +++++++++++++++++---- 1 file changed, 143 insertions(+), 26 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index cb598cc..f106765 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -12,6 +12,11 @@ set -o pipefail exit_code=0 +mkdir -p /var/lib/permission-hardening/existing_mode +mkdir -p /var/lib/permission-hardening/new_mode +dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" + echo_wrapper_ignore() { echo "run: $@" "$@" 2>/dev/null || true 
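Review bot: `dpkg_admindir_parameter_existing_mode` and its new_mode twin pack two words into one string, and every later use depends on unquoted expansion to split them again; the file already uses bash arrays (`arr=($line)` further down), so `dpkg_admindir_parameter_existing_mode=(--admindir /var/lib/permission-hardening/existing_mode)` expanded as `"${dpkg_admindir_parameter_existing_mode[@]}"` states the intent and does not rely on word splitting. A comment above the two `mkdir -p` lines would also help, e.g. `## Private dpkg-statoverride databases recording the mode before and after hardening; records only, dpkg itself never reads them.` — the later hunks explain the recording-only role, nothing at the definition does.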
@@ -28,22 +33,42 @@ echo_wrapper_audit() { }; } +echo_wrapper_silent_audit() { + ## TODO: remove echo + echo "run (debugging): $@" + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=204 ; \ + echo "ERROR: above command '$@' failed with exit code '$return_code'!" >&2 ; \ + }; +} + add_nosuid_statoverride_entry() { + local fso_to_process fso_to_process="$fso" + local should_be_counter should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true + local counter_actual counter_actual=0 + local line while read -r line; do true "line: $line" counter_actual="$(( counter_actual + 1 ))" + local arr file_name existing_mode existing_owner existing_group arr=($line) - file_name="${arr[0]}" existing_mode="${arr[1]}" - owner="${arr[2]}" - group="${arr[3]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. line: '$line'" >&2 + continue + fi if [ "$file_name" = "" ]; then echo "ERROR: file_name is empty. line: '$line'" >&2 continue @@ -52,12 +77,12 @@ add_nosuid_statoverride_entry() { echo "ERROR: existing_mode is empty. line: '$line'" >&2 continue fi - if [ "owner" = "" ]; then - echo "ERROR: $owner is empty. line: '$line'" >&2 + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. line: '$line'" >&2 continue fi - if [ "$group" = "" ]; then - echo "ERROR: $group is empty. line: '$line'" >&2 + if [ "$existing_group" = "" ]; then + echo "ERROR: existing_group is empty. line: '$line'" >&2 continue fi @@ -72,10 +97,11 @@ add_nosuid_statoverride_entry() { fi if test -d "$file_name" ; then - true "skip folder: $file_name" + true "skip directory: $file_name" continue fi + local setuid setuid_output setsgid setsgid_output setuid="" setuid_output="" if test -u "$file_name" ; then 
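Review bot: `arr=($line)` in the add_nosuid_statoverride_entry hunk is an unquoted array assignment, so besides the whitespace splitting the TODOs already acknowledge it also performs pathname expansion: a stat line containing `*` or `?` is globbed against the current directory before the fields are taken. `read -r -a arr <<< "$line"` yields the same four fields without globbing, and the same applies to `arr=($stat_output)` added to set_file_perms further down in this patch. The `[ "$arr" = "" ]` check added after the element assignments tests only element 0 and therefore duplicates the file_name check that follows; either drop it or move it before the assignments if it is meant to catch an empty line. The `## TODO: remove echo` in echo_wrapper_silent_audit would read better with a one-line purpose above the function, e.g. `## Like echo_wrapper_audit, but used for the recording databases only.`, so the TODO is not mistaken for the whole point of the function.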
@@ -111,6 +137,7 @@ add_nosuid_statoverride_entry() { # new_mode=744 # fi + local is_whitelisted is_whitelisted="" for white_list_entry in $whitelist ; do if [ "$file_name" = "$white_list_entry" ]; then @@ -120,6 +147,7 @@ add_nosuid_statoverride_entry() { fi done + local is_match_whitelisted is_match_whitelisted="" for matchwhite_list_entry in $matchwhitelist ; do if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then 
@@ -141,11 +169,30 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name"; then + ## Existing mode already saved previously. No need to save again. + true OK + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" + fi + ## No need to check "dpkg-statoverride --list" for existing entries. ## If existing_mode was correct already, we would not have reached this point. ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. + + ## Remove from real database. echo_wrapper_ignore dpkg-statoverride --remove "$file_name" - echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" + + ## Remove from separate database. + echo_wrapper_ignore $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$file_name" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" + + ## Not using --update as this is only for recording. + echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" fi ## /lib will hit ARG_MAX. @@ -164,6 +211,7 @@ add_nosuid_statoverride_entry() { set_file_perms() { echo "INFO: parsing config_file: '$config_file'" + local line while read -r line; do if [ "$line" = "" ]; then continue 
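Review bot: The recording-database wrapper calls in this hunk put the `--admindir …` expansion in front of the command name, e.g. `echo_wrapper_ignore $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$file_name"`, but echo_wrapper_ignore and echo_wrapper_silent_audit run `"$@"` verbatim, so the word executed is `--admindir`, which is no command: the ignore wrapper hides that behind `2>/dev/null || true`, the silent_audit wrapper prints an ERROR and sets exit_code=204, and in both cases the history database this commit introduces is never written. The existing_mode `--add` line additionally lacks the `dpkg-statoverride` word altogether. Only the bare `if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name"` test has a workable order; the wrapper lines should follow it, e.g. `echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name"`, with the new_mode remove/add pair changed the same way. The same ordering and the same missing command word recur in the two set_file_perms branches of this patch further down and should be fixed together.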
@@ -181,12 +229,15 @@ set_file_perms() { continue fi - if ! read -r fso mode_from_config owner group capability <<< "$line" ; then + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then exit_code=201 echo "ERROR: cannot parse line: $line" >&2 continue fi + local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" if [ "$mode_from_config" = "whitelist" ]; then @@ -208,15 +259,13 @@ set_file_perms() { ## Use dpkg-statoverride so permissions are not reset during upgrades. - nosuid="" if [ "$mode_from_config" = "nosuid" ]; then - nosuid="true" - ## If mode_from_config is "nosuid" the config does not set owner and ## group. Therefore do not enforce owner/group check. add_nosuid_statoverride_entry else + local string_length_of_mode_from_config string_length_of_mode_from_config="${#mode_from_config}" if [ "$string_length_of_mode_from_config" -gt "4" ]; then echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 @@ -227,16 +276,17 @@ set_file_perms() { continue fi - if ! getent passwd | grep -q "^${owner}:"; then - echo "ERROR: User '$owner' does not exist!" >&2 + if ! getent passwd | grep -q "^${owner_from_config}:"; then + echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 continue fi - if ! getent group | grep -q "^${group}:"; then - echo "ERROR: Group '$group' does not exist!" >&2 + if ! getent group_from_config | grep -q "^${group_from_config}:"; then + echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 continue fi + local mode_for_grep mode_for_grep="$mode_from_config" first_character_of_mode_from_config="${mode_from_config::1}" if [ "$first_character_of_mode_from_config" = "0" ]; then 
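Review bot: The rename turned the database name in the group check into `getent group_from_config`, which is not a getent database, so the lookup fails for every entry and each config line that specifies a group is skipped with "does not exist" before anything is applied; the line must stay `if ! getent group | grep -q "^${group_from_config}:"; then`. While there, `getent passwd "$owner_from_config"` and `getent group "$group_from_config"` look up the single key and avoid the unanchored grep over the whole database. The `#global fso` marker could say why `fso` is deliberately not local, e.g. `## fso is intentionally global: add_nosuid_statoverride_entry reads it.`.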
@@ -244,6 +294,41 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi + local stat_output + stat_output="" + if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 + continue + fi + + local arr file_name existing_mode existing_owner existing_group + arr=($stat_output) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + ## Check there is an entry for the fso. ## ## example: dpkg-statoverride --list | grep /home 
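Review bot: The last check in the new stat block prints `ERROR: $existing_group is empty`, and since the variable is empty on that path the message comes out as "ERROR:  is empty", unlike its four siblings which name the variable; it should read `echo "ERROR: existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2`. A one-line comment above the block, e.g. `## Record the current owner/group/mode before changing anything, so the original can be restored later.`, would tie it to the recording databases the rest of this patch adds. The enclosing loop continues past this hunk.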
@@ -251,37 +336,69 @@ set_file_perms() { ## root root 755 /home ## ## dpkg-statoverride does not show leading '0'. - if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then + if dpkg-statoverride --list "$fso_without_trailing_slash"; then ## There is an fso entry. Check if owner/group/mode match. - if dpkg-statoverride --list | grep -q "$owner $group $mode_for_grep $fso_without_trailing_slash"; then + if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"; then ## The owner/group/mode matches. No further action required. true OK else ## The owner/group/mode do not match, therefore remove and re-add the entry to update it. ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then + ## Existing mode already saved previously. No need to save again. + true OK + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + echo_wrapper_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$fso_without_trailing_slash" + + ## Remove from and add to real database. echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. 
+ echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" fi else ## There is no fso entry. Therefore add one. - echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then + ## Existing mode already saved previously. No need to save again. + true OK + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + ## Add to real database. + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" fi fi - if [ "$capability" = "" ]; then + if [ "$capability_from_config" = "" ]; then continue fi - if [ "$capability" = "none" ]; then + if [ "$capability_from_config" = "none" ]; then echo_wrapper_audit setcap -r "$fso" else - if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then - echo "ERROR: Capability '$capability' does not exist!" >&2 + if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config"; then + echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 continue fi - echo_wrapper_audit setcap "${capability}+ep" "$fso" + echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" fi done < "$config_file" } 
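Review bot: In the entry-exists-but-differs branch the removal from the new_mode recording database is `echo_wrapper_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$fso_without_trailing_slash"`, so on a first run, when that database has no entry for the path yet, an ERROR is printed and exit_code is set although nothing is wrong; the nosuid branch of this same patch uses echo_wrapper_ignore for that step and this line should match it. Both recording-database paths here also put the `--admindir` expansion before the command name, which the wrappers then execute as the command, and the two existing_mode `--add` lines omit `dpkg-statoverride` altogether; the fix is the same as noted on the add_nosuid_statoverride_entry hunk. The inner match test `dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"` remains an unanchored substring search over the whole list (only the outer `--list "$fso_without_trailing_slash"` was tightened), so a longer path with the same owner/group/mode satisfies it; `dpkg-statoverride --list "$fso_without_trailing_slash" | grep -qx "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"` would compare the one entry exactly.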
From e7fd0dadb03e7f90adfa9ebdaf07530f02a846e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 04:09:35 -0500 Subject: [PATCH 0042/1650] output --- usr/lib/security-misc/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 8f12d43..c8404d4 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -18,15 +18,15 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then fi if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "$0: file /etc/remount-disable exists. Doing nothing." + echo "$0: INFO: file /etc/remount-disable exists. Doing nothing." exit 0 fi if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then noexec=true - echo "$0: Will remount with noexec because file /etc/noexec exists." + echo "$0: INFO: Will remount with noexec because file /etc/noexec exists." else - echo "$0: Will not remount with noexec because file /etc/noexec does not exist." + echo "$0: INFO: Will not remount with noexec because file /etc/noexec does not exist." fi mkdir --parents "/var/run/remount-secure" From 203f4ad46e6a6950edd4b2a83f47ac71428928e5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 04:17:10 -0500 Subject: [PATCH 0043/1650] refactoring --- usr/lib/security-misc/remount-secure | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index c8404d4..21be55a 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure 
@@ -41,7 +41,8 @@ home() { if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi - mount -o remount,nosuid,nodev${noexec_maybe} /home || exit_code=2 + new_mount_options="nosuid,nodev${noexec_maybe}" + mount -o "remount,${new_mount_options}" /home || exit_code=2 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -50,7 +51,8 @@ run() { return 0 fi ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - mount -o remount,nosuid,nodev${noexec_maybe} /run || exit_code=3 + new_mount_options="nosuid,nodev${noexec_maybe}" + mount -o "remount,${new_mount_options}" /run || exit_code=3 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -58,7 +60,8 @@ shm() { if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi - mount -o remount,nosuid,nodev${noexec_maybe} /dev/shm || exit_code=4 + new_mount_options="nosuid,nodev${noexec_maybe}" + mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -66,7 +69,8 @@ tmp() { if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi - mount -o nosuid,nodev${noexec_maybe} --bind /tmp /tmp || exit_code=5 + new_mount_options="nosuid,nodev${noexec_maybe}" + mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -74,7 +78,8 @@ securityfs() { if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi - mount -o nosuid,nodev${noexec_maybe} --bind /sys/kernel/security /sys/kernel/security || exit_code=6 + new_mount_options="nosuid,nodev${noexec_maybe}" + mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -83,7 +88,8 @@ lib() { return 0 fi ## Not using noexec on /lib. - mount -o nosuid,nodev --bind /lib /lib || exit_code=7 + new_mount_options="nosuid,nodev" + mount -o "$new_mount_options" --bind /lib /lib || exit_code=7 touch "/var/run/remount-secure/${FUNCNAME}" } 
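Review bot: The `tmp()`, `securityfs()` and `lib()` hunks keep the pattern `mount -o "$new_mount_options" --bind X X`, which depends on the installed `mount` applying `nosuid,nodev` in the same call as the bind; older util-linux releases (before roughly 2.27, as I recall) silently ignored `-o` options on a `--bind` and needed a second `mount -o "remount,bind,${new_mount_options}" X`, so the hardening would appear to succeed while changing nothing. That behaviour predates this refactor, but now that the option string lives in a variable it is a good moment to either document the minimum util-linux version in a comment above the first bind mount or verify the result afterwards by checking the options `mount` reports for the path. `new_mount_options` is assigned without `local` in every function; harmless while each function sets it before use, but worth noting since all six share one namespace.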
From 0c5848494b147b067afa2b70451fc7e5087823f2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 04:21:26 -0500 Subject: [PATCH 0044/1650] do not remount if already has intended mount options --- usr/lib/security-misc/remount-secure | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 21be55a..1939a0e 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -42,6 +42,10 @@ home() { return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" + if mount | grep /home | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "remount,${new_mount_options}" /home || exit_code=2 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -52,6 +56,10 @@ run() { fi ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html new_mount_options="nosuid,nodev${noexec_maybe}" + if mount | grep /run | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "remount,${new_mount_options}" /run || exit_code=3 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -61,6 +69,10 @@ shm() { return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" + if mount | grep /dev/shm | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -70,6 +82,10 @@ tmp() { return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" + if mount | grep /tmp | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5 touch "/var/run/remount-secure/${FUNCNAME}" } 
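Review bot: The idempotency check added in `home()` matches the mount point as an unanchored substring, so `mount | grep /home` also selects the line of any mount whose path merely contains `/home`, and a nested mount that already carries the options makes the check report `/home` itself as done and skip the remount. The path should be matched as a whole field, e.g. `if mount | grep " on /home type " | grep -q "$new_mount_options" ; then`, or looked up directly with `findmnt -no OPTIONS /home`. The same applies to the `run()`, `shm()` and `tmp()` hunks here and the `securityfs()` and `lib()` hunks that follow, where `/run` also matches a typical `/run/user/<uid>` tmpfs (usually mounted nosuid,nodev) and `/lib` matches `/lib64`. The option test is an ordered substring match as well, so a mount reported as `nodev,nosuid` would be remounted again; that is only wasted work, not a security gap.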
@@ -79,6 +95,10 @@ securityfs() { return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" + if mount | grep /sys/kernel/security | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -89,6 +109,10 @@ lib() { fi ## Not using noexec on /lib. new_mount_options="nosuid,nodev" + if mount | grep /lib | grep -q "$new_mount_options" ; then + echo "INFO: $FUNCNAME has already intended mount options." + return 0 + fi mount -o "$new_mount_options" --bind /lib /lib || exit_code=7 touch "/var/run/remount-secure/${FUNCNAME}" } From 315ce86b9a66d15aea2d50f5271c228ee8bd3909 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 04:33:03 -0500 Subject: [PATCH 0045/1650] refactoring --- usr/lib/security-misc/remount-secure | 66 +++++++++++++++------------- 1 file changed, 36 insertions(+), 30 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 1939a0e..6756592 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure 
@@ -37,83 +37,89 @@ fi exit_code=0 -home() { +_home() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep /home | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." + if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." return 0 fi - mount -o "remount,${new_mount_options}" /home || exit_code=2 + mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=2 touch "/var/run/remount-secure/${FUNCNAME}" } -run() { +_run() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep /run | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." + if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." return 0 fi - mount -o "remount,${new_mount_options}" /run || exit_code=3 + mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=3 touch "/var/run/remount-secure/${FUNCNAME}" } -shm() { +_dev_shm() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep /dev/shm | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." + if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." 
return 0 fi - mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4 + mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=4 touch "/var/run/remount-secure/${FUNCNAME}" } -tmp() { +_tmp() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep /tmp | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." + if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." return 0 fi - mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5 + mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=5 touch "/var/run/remount-secure/${FUNCNAME}" } -securityfs() { +_sys_kernel_security() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep /sys/kernel/security | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." + if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." return 0 fi - mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6 + mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=6 touch "/var/run/remount-secure/${FUNCNAME}" } -lib() { +_lib() { + funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then return 0 fi ## Not using noexec on /lib. new_mount_options="nosuid,nodev" - if mount | grep /lib | grep -q "$new_mount_options" ; then - echo "INFO: $FUNCNAME has already intended mount options." 
+ if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then + echo "INFO: $funcname_sanatized has already intended mount options." return 0 fi - mount -o "$new_mount_options" --bind /lib /lib || exit_code=7 + mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=7 touch "/var/run/remount-secure/${FUNCNAME}" } @@ -122,12 +128,12 @@ end() { } main() { - home "$@" - run "$@" - shm "$@" - tmp "$@" - securityfs "$@" - lib "$@" + _home "$@" + _run "$@" + _dev_shm "$@" + _tmp "$@" + _sys_kernel_security "$@" + _lib "$@" end "$@" } From ed20980f4c6c3fb304d8436399f5e14ead7b3ae3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:07:10 -0500 Subject: [PATCH 0046/1650] refactoring --- debian/control | 2 +- usr/lib/security-misc/remount-secure | 94 +++++++++++----------------- 2 files changed, 38 insertions(+), 58 deletions(-) diff --git a/debian/control b/debian/control index dfe6cc0..6ddb85b 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, - apparmor-profile-anondist, ${misc:Depends} + apparmor-profile-anondist, helper-scripts, ${misc:Depends} Replaces: tcp-timestamps-disable Description: enhances misc security settings Inspired by Kernel Self Protection Project (KSPP) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 6756592..86fabf4 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -8,6 +8,7 @@ ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +set -x set -e if [ -f /usr/lib/helper-scripts/pre.bsh ]; then 
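Review bot: The function name is now the source of truth for the mount point (`str_replace "_" "/"` turns `_dev_shm` into `/dev/shm`), which makes the leading-underscore naming a contract that nothing in the file states; a comment above `_home()` such as `## Function name is the mount point with '/' replaced by '_'; str_replace (helper-scripts) reverses it.` would make that explicit for the next person adding a function. The same derivation is repeated verbatim in all six functions, and the variable is spelled `funcname_sanatized`; `funcname_sanitized` would read better if it stays. `str_replace` is an external helper rather than a bash builtin, so the script now fails at runtime on a system where it is not installed.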
@@ -37,90 +38,69 @@ fi exit_code=0 -_home() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then +mount_output="$(mount)" + +remount_secure() { + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function + ## which called this function. + status_file_name="${FUNCNAME[1]}" + ## example status_file_name: + ## _home + + if [ -e "/var/run/remount-secure/${status_file_name}" ]; then return 0 fi - new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." + ## str_replace is provided by package helper-scripts. + mount_folder="$(echo "${status_file_name}" | str_replace "_" "/")" + ## example mount_folder: + ## /home + + if echo "$mount_output" | grep "$mount_folder" | grep -q "$new_mount_options" ; then + echo "INFO: $mount_folder has already intended mount options." return 0 fi - mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=2 + + if echo "$mount_output" | grep -q "$mount_folder" ; then + ## Already mounted. Using remount. + mount -o "remount,${new_mount_options}" "$mount_folder" + else + ## Not yet mounted. Using mount bind. + mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + fi + touch "/var/run/remount-secure/${FUNCNAME}" } +_home() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + _run() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." 
- return 0 - fi - mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=3 - touch "/var/run/remount-secure/${FUNCNAME}" + remount_secure "$@" } _dev_shm() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." - return 0 - fi - mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=4 - touch "/var/run/remount-secure/${FUNCNAME}" + remount_secure "$@" } _tmp() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." - return 0 - fi - mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=5 - touch "/var/run/remount-secure/${FUNCNAME}" + remount_secure "$@" } _sys_kernel_security() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi new_mount_options="nosuid,nodev${noexec_maybe}" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." - return 0 - fi - mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=6 - touch "/var/run/remount-secure/${FUNCNAME}" + remount_secure "$@" } _lib() { - funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")" - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi ## Not using noexec on /lib. 
new_mount_options="nosuid,nodev" - if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then - echo "INFO: $funcname_sanatized has already intended mount options." - return 0 - fi - mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=7 - touch "/var/run/remount-secure/${FUNCNAME}" + remount_secure "$@" } end() { From 4388fc4d5ace9046c9eacb8354d9960599735ee4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:11:19 -0500 Subject: [PATCH 0047/1650] refactoring --- usr/lib/security-misc/remount-secure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 86fabf4..8da041d 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -55,7 +55,9 @@ remount_secure() { ## example mount_folder: ## /home - if echo "$mount_output" | grep "$mount_folder" | grep -q "$new_mount_options" ; then + mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder")" + + if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then echo "INFO: $mount_folder has already intended mount options." return 0 fi From 1018d5b3b0b58a641aaca0419a06c246091932d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:11:51 -0500 Subject: [PATCH 0048/1650] output --- usr/lib/security-misc/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 8da041d..61dd1f9 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure 
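Review bot: The status marker written at the end of the new `remount_secure` uses `${FUNCNAME}`, which inside this function is `remount_secure`, while the early return at its top tests `/var/run/remount-secure/${status_file_name}` (the caller's name), so the file that is checked is never the file that is created and every call re-runs the mount step; it should be `touch "/var/run/remount-secure/${status_file_name}"`. The function also reads `new_mount_options` as a global that each `_home`/`_run`/... wrapper sets just before the call, and ignores the `"$@"` they forward; passing the options explicitly (`remount_secure "$new_mount_options"` in the wrappers, `new_mount_options="$1"` at the top of `remount_secure`) would make the dependency visible and keep the wrappers from leaking state into one another. The hunk runs from the `@@ -37,90` header to the `end() {` context line, so the whole function is in view.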
@@ -19,15 +19,15 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then fi if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "$0: INFO: file /etc/remount-disable exists. Doing nothing." + echo "INFO: file /etc/remount-disable exists. Doing nothing." exit 0 fi if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then noexec=true - echo "$0: INFO: Will remount with noexec because file /etc/noexec exists." + echo "INFO: Will remount with noexec because file /etc/noexec exists." else - echo "$0: INFO: Will not remount with noexec because file /etc/noexec does not exist." + echo "INFO: Will not remount with noexec because file /etc/noexec does not exist." fi mkdir --parents "/var/run/remount-secure" From 0fc97c37beae5d48fed9ec714f19007f402952c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:14:39 -0500 Subject: [PATCH 0049/1650] fix --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 61dd1f9..43425a2 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -55,7 +55,7 @@ remount_secure() { ## example mount_folder: ## /home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder")" + mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder")" || true if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then echo "INFO: $mount_folder has already intended mount options." From 1fd26be864ebd0dab8419e0b2b321522166d6271 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:14:51 -0500 Subject: [PATCH 0050/1650] fix --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 43425a2..3feb859 100755 --- a/usr/lib/security-misc/remount-secure 
+++ b/usr/lib/security-misc/remount-secure @@ -55,7 +55,7 @@ remount_secure() { ## example mount_folder: ## /home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder")" || true + mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then echo "INFO: $mount_folder has already intended mount options." From 486027a4d75917fe2741370aa1e707b8ca14f693 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:15:38 -0500 Subject: [PATCH 0051/1650] fix --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 3feb859..0f8e857 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -62,7 +62,7 @@ remount_secure() { return 0 fi - if echo "$mount_output" | grep -q "$mount_folder" ; then + if echo "$mount_output" | grep -q "$mount_folder " ; then ## Already mounted. Using remount. mount -o "remount,${new_mount_options}" "$mount_folder" else From 29cd9a0c38924fc2eb7520db886efc19541476cb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:17:35 -0500 Subject: [PATCH 0052/1650] fix --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 0f8e857..03a8250 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -70,7 +70,7 @@ remount_secure() { mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" fi - touch "/var/run/remount-secure/${FUNCNAME}" + touch "/var/run/remount-secure/${status_file_name}" } _home() { From cf5dee64fd4e1c44a8726db49b8328841ee6327f Mon Sep 17 00:00:00 2001 
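Review bot: The trailing space added to `grep "$mount_folder "` only anchors the right-hand side, so `/lib` no longer matches `/lib64`, but the match is still open on the left: `mount` prints `<source> on <target> type <fs> (<options>)`, and any other target or source path that ends in `$mount_folder` still selects that line. Matching the whole field closes it: `mount_line_of_mount_folder="$(echo "$mount_output" | grep " on ${mount_folder} ")" || true` here and `if echo "$mount_output" | grep -q " on ${mount_folder} " ; then` in the following `@@ -62,7` hunk. `$mount_folder` is derived from the function name, so using it unescaped in a regex is safe as long as the names stay alphanumeric. `remount_secure` starts and ends outside these hunks.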
From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:18:34 -0500 Subject: [PATCH 0053/1650] refactoring --- usr/lib/security-misc/remount-secure | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 03a8250..a159100 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -46,8 +46,11 @@ remount_secure() { status_file_name="${FUNCNAME[1]}" ## example status_file_name: ## _home + status_file_full_path="/var/run/remount-secure/${status_file_name}" + ## example status_file_full_path: + ## /var/run/remount-secure/_home - if [ -e "/var/run/remount-secure/${status_file_name}" ]; then + if [ -e "$status_file_full_path" ]; then return 0 fi ## str_replace is provided by package helper-scripts. @@ -70,7 +73,7 @@ remount_secure() { mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" fi - touch "/var/run/remount-secure/${status_file_name}" + touch "$status_file_full_path" } _home() { From 8919d38de9206b4802b471c2f40787a2f9d70269 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:21:46 -0500 Subject: [PATCH 0054/1650] disable debugging --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index a159100..a2c1a83 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -8,7 +8,7 @@ ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -set -x +#set -x set -e if [ -f /usr/lib/helper-scripts/pre.bsh ]; then From 7aa7d0b5a0e3b602b527131581f350b9b32fb0d6 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:22:27 -0500 Subject: [PATCH 0055/1650] improve error handling --- usr/lib/security-misc/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index a2c1a83..24b3308 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -67,10 +67,10 @@ remount_secure() { if echo "$mount_output" | grep -q "$mount_folder " ; then ## Already mounted. Using remount. - mount -o "remount,${new_mount_options}" "$mount_folder" + mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi touch "$status_file_full_path" From 66aaf3e22cda9bb58ab72e750a5711556cf1de25 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:25:54 -0500 Subject: [PATCH 0056/1650] output --- usr/lib/security-misc/remount-secure | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 24b3308..a491b2e 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -50,9 +50,6 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - if [ -e "$status_file_full_path" ]; then - return 0 - fi ## str_replace is provided by package helper-scripts. mount_folder="$(echo "${status_file_name}" | str_replace "_" "/")" ## example mount_folder: 
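Review bot: Both `mount` failures now record an exit code but execution still falls through to the `touch "$status_file_full_path"` at the end of the hunk, so a mount point whose remount failed is marked as done and the `[ -e "$status_file_full_path" ]` early return above the hunk prevents any retry on the next run. Returning before the touch keeps the error reported without persisting it as success: `mount -o "remount,${new_mount_options}" "$mount_folder" || { exit_code=100 ; return 0 ; }` and `mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || { exit_code=101 ; return 0 ; }`. Returning 0 rather than the failure keeps the script's `set -e` from aborting `main` before the remaining mount points are processed, which matches how `exit_code` is used today. `remount_secure` starts outside this hunk.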
@@ -65,11 +62,18 @@ remount_secure() { return 0 fi + if [ -e "$status_file_full_path" ]; then + echo "INFO: Already remounted $mount_folder earlier. Not remounting again." + return 0 + fi + if echo "$mount_output" | grep -q "$mount_folder " ; then ## Already mounted. Using remount. + echo mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. + echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From e1a5ee4bcf5ecb447ae7da0b137f81d520673cde Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:26:55 -0500 Subject: [PATCH 0057/1650] output --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index a491b2e..cb1b3a3 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -63,7 +63,7 @@ remount_secure() { fi if [ -e "$status_file_full_path" ]; then - echo "INFO: Already remounted $mount_folder earlier. Not remounting again." + echo "INFO: $mount_folder already remounted earlier. Not remounting again." return 0 fi From 2b5a49a61b221161f3b42d3a692d2e22df2afec2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:31:55 -0500 Subject: [PATCH 0058/1650] bumped changelog version --- changelog.upstream | 110 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 116 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f1851bd..56bdc44 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,113 @@ +commit e1a5ee4bcf5ecb447ae7da0b137f81d520673cde +Author: Patrick Schleizer +Date: Sat Dec 21 05:26:55 2019 -0500 + + output + +commit 66aaf3e22cda9bb58ab72e750a5711556cf1de25 +Author: Patrick Schleizer +Date: Sat Dec 21 05:25:54 2019 -0500 + + output + +commit 7aa7d0b5a0e3b602b527131581f350b9b32fb0d6 +Author: Patrick Schleizer +Date: Sat Dec 21 05:22:27 2019 -0500 + + improve error handling + +commit 8919d38de9206b4802b471c2f40787a2f9d70269 +Author: Patrick Schleizer +Date: Sat Dec 21 05:21:46 2019 -0500 + + disable debugging + +commit cf5dee64fd4e1c44a8726db49b8328841ee6327f +Author: Patrick Schleizer +Date: Sat Dec 21 05:18:34 2019 -0500 + + refactoring + +commit 29cd9a0c38924fc2eb7520db886efc19541476cb +Author: Patrick Schleizer +Date: Sat Dec 21 05:17:35 2019 -0500 + + fix + +commit 486027a4d75917fe2741370aa1e707b8ca14f693 +Author: Patrick Schleizer +Date: Sat Dec 21 05:15:38 2019 -0500 + + fix + +commit 1fd26be864ebd0dab8419e0b2b321522166d6271 +Author: Patrick Schleizer +Date: Sat Dec 21 05:14:51 2019 -0500 + + fix + +commit 0fc97c37beae5d48fed9ec714f19007f402952c9 +Author: Patrick Schleizer +Date: Sat Dec 21 05:14:39 2019 -0500 + + fix + +commit 1018d5b3b0b58a641aaca0419a06c246091932d5 +Author: Patrick Schleizer +Date: Sat Dec 21 05:11:51 2019 -0500 + + output + +commit 4388fc4d5ace9046c9eacb8354d9960599735ee4 +Author: Patrick Schleizer +Date: Sat Dec 21 05:11:19 2019 -0500 + + refactoring + +commit ed20980f4c6c3fb304d8436399f5e14ead7b3ae3 +Author: Patrick Schleizer +Date: Sat Dec 21 05:07:10 2019 -0500 + + refactoring + +commit 315ce86b9a66d15aea2d50f5271c228ee8bd3909 +Author: Patrick Schleizer +Date: Sat Dec 21 04:33:03 2019 -0500 + + refactoring + +commit 0c5848494b147b067afa2b70451fc7e5087823f2 +Author: Patrick Schleizer +Date: Sat Dec 21 04:21:26 2019 -0500 + + do not remount if already has intended mount options + +commit 203f4ad46e6a6950edd4b2a83f47ac71428928e5 +Author: Patrick Schleizer +Date: Sat Dec 21 04:17:10 2019 -0500 + + 
refactoring + +commit e7fd0dadb03e7f90adfa9ebdaf07530f02a846e7 +Author: Patrick Schleizer +Date: Sat Dec 21 04:09:35 2019 -0500 + + output + +commit e6ea21c7757ad732bd9bcce2c6a7a364780e1b14 +Author: Patrick Schleizer +Date: Sat Dec 21 04:08:35 2019 -0500 + + record existing modes in separate dpkg-statoverwrite databases + + to have a history of what was modified and to allow to undo changes + +commit 89be5f2ecb998c46ff4864996cd86b97fa56d176 +Author: Patrick Schleizer +Date: Sat Dec 21 02:05:39 2019 -0500 + + bumped changelog version + commit d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 Author: Patrick Schleizer Date: Fri Dec 20 13:07:01 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 5223e6b..81f976e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 10:31:55 +0000 + security-misc (3:12.0-1) unstable; urgency=medium * New upstream version (local package). From 7ff900c20457ee42d415c4eddf3b08f1ac5e4461 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:37:43 -0500 Subject: [PATCH 0059/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index f106765..06b7533 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -281,7 +281,7 @@ set_file_perms() { continue fi - if ! getent group_from_config | grep -q "^${group_from_config}:"; then + if ! getent group | grep -q "^${group_from_config}:"; then echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 continue fi From 65b5adb2d731f52533bda24eb6868d9e2968e2ed Mon Sep 17 00:00:00 2001 
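Review bot: The corrected check still pipes the whole group database through `grep -q "^${group_from_config}:"`, interpolating the configured name into a regex unescaped, so a name containing `.` or `[` would match or fail unexpectedly. `getent group` accepts the key directly and exits non-zero when it is absent, so `if ! getent group "$group_from_config" >/dev/null ; then` is both simpler and exact, and the matching `getent passwd | grep -q "^${owner_from_config}:"` check a few lines above (visible in the later `@@ -276,12` hunk) can use the same form. The values come from the local configuration file, so this is a robustness rather than an exposure issue. `set_file_perms` starts and ends outside this hunk.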
From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:38:39 -0500 Subject: [PATCH 0060/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 56bdc44..92fc7d1 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 7ff900c20457ee42d415c4eddf3b08f1ac5e4461 +Author: Patrick Schleizer +Date: Sat Dec 21 05:37:43 2019 -0500 + + fix + +commit 2b5a49a61b221161f3b42d3a692d2e22df2afec2 +Author: Patrick Schleizer +Date: Sat Dec 21 05:31:55 2019 -0500 + + bumped changelog version + commit e1a5ee4bcf5ecb447ae7da0b137f81d520673cde Author: Patrick Schleizer Date: Sat Dec 21 05:26:55 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 81f976e..80a7b63 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 10:38:39 +0000 + security-misc (3:12.1-1) unstable; urgency=medium * New upstream version (local package). From 234ec5fe93c9b03c02e076621ac919f12062c4e5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:47:35 -0500 Subject: [PATCH 0061/1650] fix --- usr/lib/security-misc/permission-hardening | 34 +++++++++++----------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 06b7533..188ccb9 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -110,7 +110,7 @@ add_nosuid_statoverride_entry() { fi setsgid="" setsgid_output="" - if test -g "$file_name"; then + if test -g "$file_name" ; then setsgid=true setsgid_output="set-group-id" fi 
@@ -169,13 +169,13 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name"; then + if dpkg-statoverride --list "$file_name" $dpkg_admindir_parameter_existing_mode ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" + echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" $dpkg_admindir_parameter_existing_mode fi ## No need to check "dpkg-statoverride --list" for existing entries. @@ -186,13 +186,13 @@ add_nosuid_statoverride_entry() { echo_wrapper_ignore dpkg-statoverride --remove "$file_name" ## Remove from separate database. - echo_wrapper_ignore $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$file_name" + echo_wrapper_ignore dpkg-statoverride --remove "$file_name" $dpkg_admindir_parameter_new_mode ## Add to real database and use --update to make changes on disk. echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" ## Not using --update as this is only for recording. - echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" + echo_wrapper_silent_audit dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" fi ## /lib will hit ARG_MAX. 
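Review bot: In the `@@ -169,13` hunk the rewritten save line `echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" $dpkg_admindir_parameter_existing_mode` has no `dpkg-statoverride` word, so the wrapper is handed `--add` as the command to run; the neighbouring calls in the same hunk pass `dpkg-statoverride` explicitly, which suggests the wrapper does not prepend it. It should read `echo_wrapper_silent_audit dpkg-statoverride --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" $dpkg_admindir_parameter_existing_mode`, and the `@@ -346,16` hunk of `set_file_perms` at the end has the same shape. In the `@@ -186,13` hunk the recording-only call `echo_wrapper_silent_audit dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name"` lost `$dpkg_admindir_parameter_new_mode` altogether, so it now targets the real dpkg database, where the same path was just added with `--add --update` two lines earlier, instead of the separate new-mode database the comment describes; append `$dpkg_admindir_parameter_new_mode` as the sibling `--remove` line in that hunk does. The definitions of the two admindir variables are outside this view, so this assumes they expand to an `--admindir` option only. Both hunks sit inside `add_nosuid_statoverride_entry`, whose body starts and ends outside them.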
@@ -276,12 +276,12 @@ set_file_perms() { continue fi - if ! getent passwd | grep -q "^${owner_from_config}:"; then + if ! getent passwd | grep -q "^${owner_from_config}:" ; then echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 continue fi - if ! getent group | grep -q "^${group_from_config}:"; then + if ! getent group | grep -q "^${group_from_config}:" ; then echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 continue fi @@ -336,9 +336,9 @@ set_file_perms() { ## root root 755 /home ## ## dpkg-statoverride does not show leading '0'. - if dpkg-statoverride --list "$fso_without_trailing_slash"; then + if dpkg-statoverride --list "$fso_without_trailing_slash" ; then ## There is an fso entry. Check if owner/group/mode match. - if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"; then + if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then ## The owner/group/mode matches. No further action required. true OK else 
@@ -346,16 +346,16 @@ set_file_perms() { ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then + if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode fi - echo_wrapper_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode ## Remove from and add to real database. echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" 
@@ -363,18 +363,18 @@ set_file_perms() { ## Save in separate database. ## Not using --update as this is only for saving. - echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode fi else ## There is no fso entry. Therefore add one. - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash"; then + if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode fi ## Add to real database. @@ -382,7 +382,7 @@ set_file_perms() { ## Save in separate database. ## Not using --update as this is only for saving. - echo_wrapper_silent_audit $dpkg_admindir_parameter_new_mode dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode fi fi 
@@ -393,7 +393,7 @@ set_file_perms() { if [ "$capability_from_config" = "none" ]; then echo_wrapper_audit setcap -r "$fso" else - if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config"; then + if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 continue fi From e3355843c835c650d4701a2b94b93cc0040ca419 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:51:22 -0500 Subject: [PATCH 0062/1650] fix --- usr/lib/security-misc/permission-hardening | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 188ccb9..efc20b5 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -169,13 +169,13 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - if dpkg-statoverride --list "$file_name" $dpkg_admindir_parameter_existing_mode ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" $dpkg_admindir_parameter_existing_mode + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" fi ## No need to check "dpkg-statoverride --list" for existing entries. 
@@ -186,7 +186,7 @@ add_nosuid_statoverride_entry() { echo_wrapper_ignore dpkg-statoverride --remove "$file_name" ## Remove from separate database. - echo_wrapper_ignore dpkg-statoverride --remove "$file_name" $dpkg_admindir_parameter_new_mode + echo_wrapper_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" ## Add to real database and use --update to make changes on disk. echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" @@ -346,16 +346,16 @@ set_file_perms() { ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" - if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi - echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode + echo_wrapper_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" ## Remove from and add to real database. echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" 
@@ -363,18 +363,18 @@ set_file_perms() { ## Save in separate database. ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" fi else ## There is no fso entry. Therefore add one. - if dpkg-statoverride --list "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" ; then ## Existing mode already saved previously. No need to save again. true OK else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" $dpkg_admindir_parameter_existing_mode + echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi ## Add to real database. @@ -382,7 +382,7 @@ set_file_perms() { ## Save in separate database. ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" $dpkg_admindir_parameter_new_mode + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" fi fi From 4f12664362fb4304ed43185ed5805f686bdeb0af Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:54:07 -0500 Subject: [PATCH 0063/1650] output --- usr/lib/security-misc/permission-hardening | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index efc20b5..26490f0 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -29,7 +29,7 @@ echo_wrapper_audit() { { \ return_code="$?" ; \ exit_code=203 ; \ - echo "ERROR: above command failed with exit code '$return_code'!" >&2 ; \ + echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ }; } @@ -41,7 +41,7 @@ echo_wrapper_silent_audit() { { \ return_code="$?" ; \ exit_code=204 ; \ - echo "ERROR: above command '$@' failed with exit code '$return_code'!" >&2 ; \ + echo "ERROR: above command '$@' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ }; } From 2a248fe0de1b86b416c705ecce81dcb549581d9b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:54:39 -0500 Subject: [PATCH 0064/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 26490f0..5bf24fc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
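Review bot: In the `@@ -41` hunk `'$@'` is expanded inside a double-quoted string, which splits the message into one word per argument that `echo` then re-joins; `'$*'` states the intent (a single string) directly and prints the same text here: `echo "ERROR: above command '$*' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \`. `${FUNCNAME[1]}` names the wrapper's caller only because the wrapper is itself a function; a comment noting that would keep the next refactor from moving the `echo` out of the function body. Both wrapper functions begin outside the hunks.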
@@ -175,7 +175,7 @@ add_nosuid_statoverride_entry() { else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" fi ## No need to check "dpkg-statoverride --list" for existing entries. From da15265e1c311be16c1dd0a8681e630548fac0e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:55:23 -0500 Subject: [PATCH 0065/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 5bf24fc..49599c1 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -352,7 +352,7 @@ set_file_perms() { else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi echo_wrapper_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" From 8436da2b7b0b9d309b57ed6ab36f2042fd82f4ae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 05:58:50 -0500 Subject: [PATCH 0066/1650] output --- usr/lib/security-misc/permission-hardening | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
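Review bot: The omission that the `@@ -352` hunk fixes is still present in the no-entry branch of set_file_perms (the `## There is no fso entry` path, the `echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add …` call visible in the earlier `@@ -363` hunk), so that path still invokes `--add` without `dpkg-statoverride`; apply the same one-line fix there in this commit rather than in a later one. The `@@ -175` hunk above corrects the matching line in add_nosuid_statoverride_entry. set_file_perms starts and ends outside the hunk.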
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 49599c1..98a3320 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -169,7 +169,7 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then ## Existing mode already saved previously. No need to save again. true OK else @@ -336,7 +336,7 @@ set_file_perms() { ## root root 755 /home ## ## dpkg-statoverride does not show leading '0'. - if dpkg-statoverride --list "$fso_without_trailing_slash" ; then + if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then ## There is an fso entry. Check if owner/group/mode match. if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then ## The owner/group/mode matches. No further action required. @@ -346,7 +346,7 @@ set_file_perms() { ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then ## Existing mode already saved previously. No need to save again. true OK else 
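Review bot: `>/dev/null` only silences stdout of the `--list` probe; the more important property of these checks is that `dpkg-statoverride --list` treats its argument as a glob pattern, not a literal path, so a file system object whose name contains `*`, `?` or `[` (which `find` can legitimately return) may match a different entry or none, and the "already saved" decision in this hunk, the `@@ -336`/`@@ -346` hunks and the `@@ -368` hunk below becomes unreliable for such names. Escaping glob metacharacters in `$file_name` / `$fso_without_trailing_slash` before passing them to `--list`, or matching the full `--list` output with a fixed-string comparison, would make the check exact; confirm the glob behaviour against the installed dpkg version. Both enclosing functions start and end outside the hunks.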
@@ -368,7 +368,7 @@ set_file_perms() { else ## There is no fso entry. Therefore add one. - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" ; then + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then ## Existing mode already saved previously. No need to save again. true OK else From ff48b672a8537e65c3d0b3ccfb65fb29c2d3766c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:00:17 -0500 Subject: [PATCH 0067/1650] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 92fc7d1..b96f384 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,45 @@ +commit 8436da2b7b0b9d309b57ed6ab36f2042fd82f4ae +Author: Patrick Schleizer +Date: Sat Dec 21 05:58:50 2019 -0500 + + output + +commit da15265e1c311be16c1dd0a8681e630548fac0e9 +Author: Patrick Schleizer +Date: Sat Dec 21 05:55:23 2019 -0500 + + fix + +commit 2a248fe0de1b86b416c705ecce81dcb549581d9b +Author: Patrick Schleizer +Date: Sat Dec 21 05:54:39 2019 -0500 + + fix + +commit 4f12664362fb4304ed43185ed5805f686bdeb0af +Author: Patrick Schleizer +Date: Sat Dec 21 05:54:07 2019 -0500 + + output + +commit e3355843c835c650d4701a2b94b93cc0040ca419 +Author: Patrick Schleizer +Date: Sat Dec 21 05:51:22 2019 -0500 + + fix + +commit 234ec5fe93c9b03c02e076621ac919f12062c4e5 +Author: Patrick Schleizer +Date: Sat Dec 21 05:47:35 2019 -0500 + + fix + +commit 65b5adb2d731f52533bda24eb6868d9e2968e2ed +Author: Patrick Schleizer +Date: Sat Dec 21 05:38:39 2019 -0500 + + bumped changelog version + commit 7ff900c20457ee42d415c4eddf3b08f1ac5e4461 Author: Patrick Schleizer Date: Sat Dec 21 05:37:43 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 80a7b63..c4517e7 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:12.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:00:17 +0000 + security-misc (3:12.2-1) unstable; urgency=medium * New upstream version (local package). From 4b21b6df4167a2a95392a39182c636bdc097bc7e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:11:44 -0500 Subject: [PATCH 0068/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 98a3320..df51666 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -374,7 +374,7 @@ set_file_perms() { else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi ## Add to real database. From 78d33d8b57fdef3b16e8ab5b4f6b0487d51b9657 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:12:20 -0500 Subject: [PATCH 0069/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b96f384..ff1c49b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit 4b21b6df4167a2a95392a39182c636bdc097bc7e +Author: Patrick Schleizer +Date: Sat Dec 21 06:11:44 2019 -0500 + + fix + +commit ff48b672a8537e65c3d0b3ccfb65fb29c2d3766c +Author: Patrick Schleizer +Date: Sat Dec 21 06:00:17 2019 -0500 + + bumped changelog version + commit 8436da2b7b0b9d309b57ed6ab36f2042fd82f4ae Author: Patrick Schleizer Date: Sat Dec 21 05:58:50 2019 -0500 diff --git a/debian/changelog b/debian/changelog index c4517e7..7a33878 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:12:20 +0000 + security-misc (3:12.3-1) unstable; urgency=medium * New upstream version (local package). From 195e00cc8796d532a68f90b7c1f8f30d17f24246 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:16:38 -0500 Subject: [PATCH 0070/1650] output --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index df51666..50162c7 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -413,7 +413,7 @@ parse_config_folder() { parse_config_folder if [ ! "$exit_code" = "0" ]; then - echo "ERROR: Will exist with non-zero exit code: '$exit_code'" >&2 + echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 fi exit "$exit_code" From 2dca031527fa38a932619ed2336a5aa472a85205 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:22:46 -0500 Subject: [PATCH 0071/1650] debugging --- usr/lib/security-misc/permission-hardening | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 50162c7..64ca42f 100755 --- a/usr/lib/security-misc/permission-hardening 
+++ b/usr/lib/security-misc/permission-hardening @@ -170,8 +170,7 @@ add_nosuid_statoverride_entry() { echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then - ## Existing mode already saved previously. No need to save again. - true OK + true "OK Existing mode already saved previously. No need to save again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. @@ -222,7 +221,7 @@ set_file_perms() { fi if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true OK + true "OK line contains only white listed characters." else exit_code=200 echo "ERROR: cannot parse line with invalid character: $line" >&2 @@ -339,16 +338,14 @@ set_file_perms() { if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then ## There is an fso entry. Check if owner/group/mode match. if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then - ## The owner/group/mode matches. No further action required. - true OK + true "OK The owner/group/mode matches. No further action required." else ## The owner/group/mode do not match, therefore remove and re-add the entry to update it. ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - ## Existing mode already saved previously. No need to save again. - true OK + true "OK Existing mode already saved previously. No need to save again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
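Review bot: The new message `true "OK line contains only white listed characters."` in the `@@ -222` hunk describes a check the test does not perform: `[[ "$line" =~ [0-9a-zA-Z/] ]]` succeeds as soon as one alphanumeric or slash appears anywhere in the line, so a line containing any other characters still passes and never reaches the `exit_code=200` branch. Either word the message as "line contains at least one white listed character", or make the test an anchored whole-line match such as `if [[ "$line" =~ ^[[:alnum:]/._[:space:]-]+$ ]]; then`, with the class widened to the `.`, `-`, `_` and whitespace that shipped config lines contain (e.g. `/usr/lib/xorg/Xorg.wrap whitelist`); confirm the set against every config line before tightening. set_file_perms starts and ends outside the hunk.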
@@ -369,8 +366,7 @@ set_file_perms() { ## There is no fso entry. Therefore add one. if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - ## Existing mode already saved previously. No need to save again. - true OK + true "OK Existing mode already saved previously. No need to save again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. From 2088628c8d44306e51c8a1407caee99e5eb4ce5b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:24:08 -0500 Subject: [PATCH 0072/1650] debugging --- usr/lib/security-misc/permission-hardening | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 64ca42f..e9d2a48 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -336,11 +336,11 @@ set_file_perms() { ## ## dpkg-statoverride does not show leading '0'. if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then - ## There is an fso entry. Check if owner/group/mode match. + true "There is an fso entry. Check if owner/group/mode match." if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then true "OK The owner/group/mode matches. No further action required." else - ## The owner/group/mode do not match, therefore remove and re-add the entry to update it. + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" 
@@ -363,7 +363,7 @@ set_file_perms() { echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" fi else - ## There is no fso entry. Therefore add one. + true "There is no fso entry. Therefore add one." if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then true "OK Existing mode already saved previously. No need to save again." From b5f88efe2072eca99c245fc60442c82a270fab8e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:27:01 -0500 Subject: [PATCH 0073/1650] fix --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index e9d2a48..4b84a1a 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -191,7 +191,7 @@ add_nosuid_statoverride_entry() { echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" ## Not using --update as this is only for recording. - echo_wrapper_silent_audit dpkg-statoverride --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" fi ## /lib will hit ARG_MAX. From fac17a963d3dec1b399fd9b41ebebcedb7e90f43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:28:19 -0500 Subject: [PATCH 0074/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ff1c49b..4434730 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit b5f88efe2072eca99c245fc60442c82a270fab8e +Author: Patrick Schleizer +Date: Sat Dec 21 06:27:01 2019 -0500 + + fix + +commit 2088628c8d44306e51c8a1407caee99e5eb4ce5b +Author: Patrick Schleizer +Date: Sat Dec 21 06:24:08 2019 -0500 + + debugging + +commit 2dca031527fa38a932619ed2336a5aa472a85205 +Author: Patrick Schleizer +Date: Sat Dec 21 06:22:46 2019 -0500 + + debugging + +commit 195e00cc8796d532a68f90b7c1f8f30d17f24246 +Author: Patrick Schleizer +Date: Sat Dec 21 06:16:38 2019 -0500 + + output + +commit 78d33d8b57fdef3b16e8ab5b4f6b0487d51b9657 +Author: Patrick Schleizer +Date: Sat Dec 21 06:12:20 2019 -0500 + + bumped changelog version + commit 4b21b6df4167a2a95392a39182c636bdc097bc7e Author: Patrick Schleizer Date: Sat Dec 21 06:11:44 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 7a33878..6396e97 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:28:19 +0000 + security-misc (3:12.4-1) unstable; urgency=medium * New upstream version (local package). From c336bc4fd229d9a6370df5520aaa4e872465de5a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:39:13 -0500 Subject: [PATCH 0075/1650] comment --- usr/lib/security-misc/permission-hardening | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 4b84a1a..f850dee 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -6,6 +6,9 @@ ## https://forums.whonix.org/t/permission-hardening/8655 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +## To view previous modes and how these were changed: +## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride + #set -x set -e set -o pipefail From 3ea587187e9d0a927799a66d15d163ee56a41978 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:53:07 -0500 Subject: [PATCH 0076/1650] no need to exclude xorg nosuid on Debian http://forums.whonix.org/t/permission-hardening/8655/25 --- etc/permission-hardening.d/30_default.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 263fa57..f1a97cf 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -45,7 +45,8 @@ ## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ -/usr/lib/xorg/Xorg.wrap whitelist +## http://forums.whonix.org/t/permission-hardening/8655/25 +#/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### # SUID regex match whitelist - research required From af8b04b73d6d64792fc1ffb7f6b04b273c0ca7ec Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 06:58:01 -0500 Subject: [PATCH 0077/1650] rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown https://github.com/Whonix/security-misc/pull/45 --- debian/security-misc.maintscript | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2c93164..7441686 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -8,3 +8,7 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf + +## https://github.com/Whonix/security-misc/pull/45 +rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown From 6b13a644df279ec3ccf3814e86233baafc0cf437 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:37:41 -0500 Subject: [PATCH 0078/1650] add /usr/lib/security-misc/permission-hardening-undo --- .../security-misc/permission-hardening-undo | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100755 usr/lib/security-misc/permission-hardening-undo diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo new file mode 100755 index 0000000..73b871f --- /dev/null +++ b/usr/lib/security-misc/permission-hardening-undo 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+#set -x
+set -e
+set -o pipefail
+
+exit_code=0
+
+dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
+dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
+
+undo_all() {
+ if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
+ return 0
+ fi
+
+ local line
+
+ while read -r line; do
+ ## example line:
+ ## root root 4755 /usr/lib/eject/dmcrypt-get-device
+
+ local owner group mode file_name
+ if ! read -r owner group mode file_name <<< "$line" ; then
+ exit_code=201
+ echo "ERROR: cannot parse line: $line" >&2
+ continue
+ fi
+ true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'"
+
+ stat -c "%n %a %U %G" "$file_name" || true
+
+ chmod "$mode" "$file_name" || exit_code=202
+ chown "${owner}:${group}" "$file_name" || exit_code=203
+
+ stat -c "%n %a %U %G" "$file_name" || true
+
+ dpkg-statoverride --remove "$file_name" &>/dev/null || true
+ dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true
+ dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true
+
+ stat -c "%n %a %U %G" "$file_name" || true
+
+ done < "/var/lib/permission-hardening/existing_mode/statoverride"
+}
+
+undo_all
+
+if [ ! "$exit_code" = "0" ]; then
+ echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2
+fi
+
+exit "$exit_code" From 0c4db8c2b054a10554f163c31e3e626a80981c52 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:38:25 -0500 Subject: [PATCH 0079/1650] bumped changelog version --- changelog.upstream | 63 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 69 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 4434730..6f14137 100644
--- a/changelog.upstream 
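Review bot: The `chown` and `chmod` calls in the loop body are applied to whatever `$file_name` currently is, with no check that it is still the regular file recorded in the statoverride file; both commands follow symlinks, so a path that has since become a symlink (e.g. after a package replaced it) would receive the stored owner and setuid mode on the link target. The forward script skips symlinks and directories with `test -h` / `test -d` before acting, so the undo path should mirror it with `if [ -h "$file_name" ] || [ -d "$file_name" ]; then echo "WARNING: skipping '$file_name': symlink or directory" >&2; continue; fi` placed before the first `stat` line. Separately, `$dpkg_admindir_parameter_existing_mode` and `$dpkg_admindir_parameter_new_mode` rely on unquoted word splitting to turn one string into two arguments; a bash array (`dpkg_admindir_parameter_existing_mode=(--admindir /var/lib/permission-hardening/existing_mode)`, expanded as `"${dpkg_admindir_parameter_existing_mode[@]}"`) expresses that intent without depending on `IFS`.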
+++ b/changelog.upstream @@ -1,3 +1,54 @@ +commit 6b13a644df279ec3ccf3814e86233baafc0cf437 +Author: Patrick Schleizer +Date: Sat Dec 21 07:37:41 2019 -0500 + + add /usr/lib/security-misc/permission-hardening-undo + +commit af8b04b73d6d64792fc1ffb7f6b04b273c0ca7ec +Author: Patrick Schleizer +Date: Sat Dec 21 06:58:01 2019 -0500 + + rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info + rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown + + https://github.com/Whonix/security-misc/pull/45 + +commit 2350e0f5d06d9625835ba1547aab0054b795c0c5 +Merge: 3ea5871 efd65a3 +Author: Patrick Schleizer +Date: Sat Dec 21 06:57:10 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit efd65a3f15fc9380e2019c9d7ad0bf82adcc230d +Merge: c336bc4 c28ddf5 +Author: Patrick Schleizer +Date: Sat Dec 21 11:56:31 2019 +0000 + + Merge pull request #45 from madaidan/apparmor + + Delete apparmor profiles + +commit 3ea587187e9d0a927799a66d15d163ee56a41978 +Author: Patrick Schleizer +Date: Sat Dec 21 06:53:07 2019 -0500 + + no need to exclude xorg nosuid on Debian + + http://forums.whonix.org/t/permission-hardening/8655/25 + +commit c336bc4fd229d9a6370df5520aaa4e872465de5a +Author: Patrick Schleizer +Date: Sat Dec 21 06:39:13 2019 -0500 + + comment + +commit fac17a963d3dec1b399fd9b41ebebcedb7e90f43 +Author: Patrick Schleizer +Date: Sat Dec 21 06:28:19 2019 -0500 + + bumped changelog version + commit b5f88efe2072eca99c245fc60442c82a270fab8e Author: Patrick Schleizer Date: Sat Dec 21 06:27:01 2019 -0500 
@@ -204,6 +255,18 @@ Date: Sat Dec 21 02:05:39 2019 -0500 bumped changelog version +commit c28ddf5c4dbfd92aba9a59874f529a4afe69c497 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Dec 20 22:44:31 2019 +0000 + + Delete usr.lib.security-misc.pam_tally2-info + +commit cfe69dd66900f7aad5311c02d2b4ee7b400fb90b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Dec 20 22:44:27 2019 +0000 + + Delete usr.lib.security-misc.permission-lockdown + commit d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 Author: Patrick Schleizer Date: Fri Dec 20 13:07:01 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 6396e97..f643f8c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 12:38:25 +0000 + security-misc (3:12.5-1) unstable; urgency=medium * New upstream version (local package). From 9050058bc2427a701095901a5bd275767437391b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:42:01 -0500 Subject: [PATCH 0080/1650] fix --- usr/lib/security-misc/permission-hardening-undo | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo index 73b871f..594a11e 100755 --- a/usr/lib/security-misc/permission-hardening-undo +++ b/usr/lib/security-misc/permission-hardening-undo @@ -33,8 +33,8 @@ undo_all() { stat -c "%n %a %U %G" "$file_name" || true - chmod "$mode" "$file_name" || exit_code=202 - chown "${owner}:${group}" "$file_name" || exit_code=203 + chown "${owner}:${group}" "$file_name" || exit_code=202 + chmod "$mode" "$file_name" || exit_code=203 stat -c "%n %a %U %G" "$file_name" || true From 7c3da38bd53427501bcb0ac0d56bd626ce9e6adb Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:42:25 -0500 Subject: [PATCH 0081/1650] comment --- usr/lib/security-misc/permission-hardening-undo | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo index 594a11e..0daba11 100755 --- a/usr/lib/security-misc/permission-hardening-undo +++ b/usr/lib/security-misc/permission-hardening-undo @@ -34,6 +34,7 @@ undo_all() { stat -c "%n %a %U %G" "$file_name" || true chown "${owner}:${group}" "$file_name" || exit_code=202 + ## chmod need to be run after chown since chown would remove suid. chmod "$mode" "$file_name" || exit_code=203 stat -c "%n %a %U %G" "$file_name" || true From 1fe83d683f97af6730948aecce3216a51979c695 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:43:55 -0500 Subject: [PATCH 0082/1650] comment --- usr/lib/security-misc/permission-hardening-undo | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo index 0daba11..2368091 100755 --- a/usr/lib/security-misc/permission-hardening-undo +++ b/usr/lib/security-misc/permission-hardening-undo @@ -34,7 +34,8 @@ undo_all() { stat -c "%n %a %U %G" "$file_name" || true chown "${owner}:${group}" "$file_name" || exit_code=202 - ## chmod need to be run after chown since chown would remove suid. + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature chmod "$mode" "$file_name" || exit_code=203 stat -c "%n %a %U %G" "$file_name" || true From aef796a524f9156b584a7d8d203decc446c5d3b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:44:23 -0500 Subject: [PATCH 0083/1650] disable debugging --- usr/lib/security-misc/permission-hardening-undo | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo index 2368091..5f2324d 100755 --- a/usr/lib/security-misc/permission-hardening-undo +++ b/usr/lib/security-misc/permission-hardening-undo @@ -31,21 +31,15 @@ undo_all() { fi true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" - stat -c "%n %a %U %G" "$file_name" || true - chown "${owner}:${group}" "$file_name" || exit_code=202 ## chmod need to be run after chown since chown removes suid. ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature chmod "$mode" "$file_name" || exit_code=203 - stat -c "%n %a %U %G" "$file_name" || true - dpkg-statoverride --remove "$file_name" &>/dev/null || true dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true - stat -c "%n %a %U %G" "$file_name" || true - done < "/var/lib/permission-hardening/existing_mode/statoverride" } From 8fb17624bc3471a3676e76b3695179cde1ec21da Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:44:51 -0500 Subject: [PATCH 0084/1650] comment --- usr/lib/security-misc/permission-hardening | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index f850dee..44b0460 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -9,6 +9,9 @@ ## To view previous modes and how these were changed: ## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride +## To undo: +## sudo /usr/lib/security-misc/permission-hardening-undo + #set -x set -e set -o pipefail From b74e5ca97244209e041f55483027365eacdf44c9 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:47:00 -0500 Subject: [PATCH 0085/1650] comment --- debian/control | 2 +- usr/lib/security-misc/permission-hardening | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 6ddb85b..33fe7d4 100644 --- a/debian/control +++ b/debian/control @@ -223,7 +223,7 @@ Description: enhances misc security settings often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. - https://forums.whonix.org/t/permission-hardening/8655 + https://forums.whonix.org/t/disable-suid-binaries/7706 /usr/lib/security-misc/permission-hardening /lib/systemd/system/permission-hardening.service /etc/permission-hardening.d/30_default.conf diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 44b0460..264a370 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -3,7 +3,7 @@ ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://forums.whonix.org/t/permission-hardening/8655 +## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 ## To view previous modes and how these were changed: From 161b6f6b885586cd65b8ac13b0bd113691465522 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:49:29 -0500 Subject: [PATCH 0086/1650] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 369a3dd..12f7442 100644 --- a/README.md +++ b/README.md 
@@ -205,7 +205,7 @@ A systemd service removed SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. -https://forums.whonix.org/t/permission-hardening/8655 +https://forums.whonix.org/t/disable-suid-binaries/7706 /usr/lib/security-misc/permission-hardening /lib/systemd/system/permission-hardening.service /etc/permission-hardening.d/30_default.conf From 1c99b56c9b99cceab6fe38580d06197dd4bcfb77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 07:49:55 -0500 Subject: [PATCH 0087/1650] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6f14137..a5a4dbe 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,51 @@ +commit 161b6f6b885586cd65b8ac13b0bd113691465522 +Author: Patrick Schleizer +Date: Sat Dec 21 07:49:29 2019 -0500 + + readme + +commit b74e5ca97244209e041f55483027365eacdf44c9 +Author: Patrick Schleizer +Date: Sat Dec 21 07:47:00 2019 -0500 + + comment + +commit 8fb17624bc3471a3676e76b3695179cde1ec21da +Author: Patrick Schleizer +Date: Sat Dec 21 07:44:51 2019 -0500 + + comment + +commit aef796a524f9156b584a7d8d203decc446c5d3b9 +Author: Patrick Schleizer +Date: Sat Dec 21 07:44:23 2019 -0500 + + disable debugging + +commit 1fe83d683f97af6730948aecce3216a51979c695 +Author: Patrick Schleizer +Date: Sat Dec 21 07:43:55 2019 -0500 + + comment + +commit 7c3da38bd53427501bcb0ac0d56bd626ce9e6adb +Author: Patrick Schleizer +Date: Sat Dec 21 07:42:25 2019 -0500 + + comment + +commit 9050058bc2427a701095901a5bd275767437391b +Author: Patrick Schleizer +Date: Sat Dec 21 07:42:01 2019 -0500 + + fix + +commit 0c4db8c2b054a10554f163c31e3e626a80981c52 +Author: Patrick Schleizer +Date: Sat Dec 21 07:38:25 2019 -0500 + + bumped changelog version + commit 6b13a644df279ec3ccf3814e86233baafc0cf437 Author: Patrick Schleizer Date: Sat Dec 21 07:37:41 2019 -0500 diff --git a/debian/changelog b/debian/changelog index f643f8c..3318540 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 12:49:55 +0000 + security-misc (3:12.6-1) unstable; urgency=medium * New upstream version (local package). From b2260f48f4ab978b531d8ca9df2dc1a787b6666f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 08:03:33 -0500 Subject: [PATCH 0088/1650] add support for /etc/exec / /usr/local/etc/exec to allow enabling exec on a per VM basis --- usr/lib/security-misc/remount-secure | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index cb1b3a3..f2bc696 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -23,11 +23,16 @@ if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then exit 0 fi -if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then - noexec=true - echo "INFO: Will remount with noexec because file /etc/noexec exists." +if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then + noexec=false + echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." else - echo "INFO: Will not remount with noexec because file /etc/noexec does not exist." + if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then + noexec=true + echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." + else + echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." + fi fi mkdir --parents "/var/run/remount-secure" From f5a52aeddc4742b4dbd8a0075d759b2ceaaae691 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 21 Dec 2019 14:55:28 +0000 Subject: [PATCH 0089/1650] Don't remount /sys/kernel/security --- usr/lib/security-misc/remount-secure | 6 ------ 1 file changed, 6 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index cb1b3a3..6acc12d 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -101,11 +101,6 @@ _tmp() { remount_secure "$@" } -_sys_kernel_security() { - new_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - _lib() { ## Not using noexec on /lib. new_mount_options="nosuid,nodev" @@ -121,7 +116,6 @@ main() { _run "$@" _dev_shm "$@" _tmp "$@" - _sys_kernel_security "$@" _lib "$@" end "$@" } From 1e8457ea476a693dd1e455e4c455bf2e763cec23 Mon Sep 17 00:00:00 2001 
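Review bot: The new `/etc/exec` / `/usr/local/etc/exec` check is a kill switch for the `noexec` hardening, and `-e` accepts any filesystem object at that path, including a directory or a dangling symlink; `-f` is the stricter test for a marker file. The `/usr/local/etc` location deserves a comment on who may create it: on Debian the `/usr/local` subdirectories are conventionally owned `root:staff` and group-writable, so if that convention holds on the target image, membership in `staff` is enough to disable `noexec` for the whole VM at the next run — worth stating next to the check, e.g. `## NOTE: whoever can create /usr/local/etc/exec can disable noexec; keep /usr/local/etc root-only.` Stylistically the `if` nested inside `else` reads more simply as `elif [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then`. As in the old code, the final `else` branch leaves `noexec` unassigned; whether it is given a default earlier in the file is outside this hunk.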
From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:06:10 -0500 Subject: [PATCH 0090/1650] no longer remount /lib https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 --- usr/lib/security-misc/remount-secure | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index e43406f..ae263b8 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -106,11 +106,12 @@ _tmp() { remount_secure "$@" } -_lib() { - ## Not using noexec on /lib. - new_mount_options="nosuid,nodev" - remount_secure "$@" -} +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 +# _lib() { +# ## Not using noexec on /lib. +# new_mount_options="nosuid,nodev" +# remount_secure "$@" +# } end() { exit $exit_code @@ -121,7 +122,7 @@ main() { _run "$@" _dev_shm "$@" _tmp "$@" - _lib "$@" + #_lib "$@" end "$@" } From 2ddf7b5db5d335d4f64d0df2c0caab0c80a2a046 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:06:51 -0500 Subject: [PATCH 0091/1650] /lib/ nosuid --- etc/permission-hardening.d/30_default.conf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index f1a97cf..5810d76 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -79,12 +79,7 @@ /sbin/ nosuid /usr/sbin/ nosuid /usr/local/sbin/ nosuid - -## No SUID binaries there by default. -## remount-secure mounts it with nosuid anyhow. -## Therefore no processing it here. -#/lib/ nosuid - +/lib/ nosuid /lib32/ nosuid /lib64/ nosuid /usr/lib/ nosuid From 1213415ce649e7305af0b6c6ef2f8435caab5cd8 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:23:35 -0500 Subject: [PATCH 0092/1650] bumped changelog version --- changelog.upstream | 50 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 56 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a5a4dbe..d6040cc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,53 @@ +commit 2ddf7b5db5d335d4f64d0df2c0caab0c80a2a046 +Author: Patrick Schleizer +Date: Sat Dec 21 14:06:51 2019 -0500 + + /lib/ nosuid + +commit 1e8457ea476a693dd1e455e4c455bf2e763cec23 +Author: Patrick Schleizer +Date: Sat Dec 21 14:06:10 2019 -0500 + + no longer remount /lib + + https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 + +commit 10c19d6a8fc6b6bc03067dc3be88f486aa78d438 +Merge: b2260f4 fffdf50 +Author: Patrick Schleizer +Date: Sat Dec 21 13:00:41 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit fffdf5090c707c698de4adacfd5837809b33aa99 +Merge: 1c99b56 f5a52ae +Author: Patrick Schleizer +Date: Sat Dec 21 17:59:56 2019 +0000 + + Merge pull request #46 from madaidan/remount-secure + + Don't remount /sys/kernel/security + +commit f5a52aeddc4742b4dbd8a0075d759b2ceaaae691 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Dec 21 14:55:28 2019 +0000 + + Don't remount /sys/kernel/security + +commit b2260f48f4ab978b531d8ca9df2dc1a787b6666f +Author: Patrick Schleizer +Date: Sat Dec 21 08:03:33 2019 -0500 + + add support for /etc/exec / /usr/local/etc/exec + + to allow enabling exec on a per VM basis + +commit 1c99b56c9b99cceab6fe38580d06197dd4bcfb77 +Author: Patrick Schleizer +Date: Sat Dec 21 07:49:55 2019 -0500 + + bumped changelog version + commit 161b6f6b885586cd65b8ac13b0bd113691465522 Author: Patrick Schleizer Date: Sat Dec 21 07:49:29 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 3318540..9fd20f4 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 19:23:35 +0000 + security-misc (3:12.7-1) unstable; urgency=medium * New upstream version (local package). From 3921846df6e21a80d87f451e89f96f5b3092dd53 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:36:42 -0500 Subject: [PATCH 0093/1650] comment --- usr/lib/security-misc/permission-hardening | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 264a370..8e541ff 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -200,9 +200,9 @@ add_nosuid_statoverride_entry() { echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" fi - ## /lib will hit ARG_MAX. - ## That was before using '-perm /u=s,g=s'. - ## https://forums.whonix.org/t/kernel-hardening/7296/326 + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) ## Sanity test. From d300db3cde0f7ee8e3884a1225ec1d196a318728 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:45:11 -0500 Subject: [PATCH 0094/1650] output --- usr/lib/security-misc/permission-hardening | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 8e541ff..998f23d 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -215,7 +215,7 @@ add_nosuid_statoverride_entry() { } set_file_perms() { - echo "INFO: parsing config_file: '$config_file'" + echo "INFO: START parsing config_file: '$config_file'" local line while read -r line; do if [ "$line" = "" ]; then @@ -403,6 +403,7 @@ set_file_perms() { echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" fi done < "$config_file" + echo "INFO: END parsing config_file: '$config_file'" } parse_config_folder() { From 008ce4817c6ad2218af05d14626b0f2c70a6e90d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Dec 2019 14:55:03 -0500 Subject: [PATCH 0095/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d6040cc..d1f4258 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d300db3cde0f7ee8e3884a1225ec1d196a318728 +Author: Patrick Schleizer +Date: Sat Dec 21 14:45:11 2019 -0500 + + output + +commit 3921846df6e21a80d87f451e89f96f5b3092dd53 +Author: Patrick Schleizer +Date: Sat Dec 21 14:36:42 2019 -0500 + + comment + +commit 1213415ce649e7305af0b6c6ef2f8435caab5cd8 +Author: Patrick Schleizer +Date: Sat Dec 21 14:23:35 2019 -0500 + + bumped changelog version + commit 2ddf7b5db5d335d4f64d0df2c0caab0c80a2a046 Author: Patrick Schleizer Date: Sat Dec 21 14:06:51 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 9fd20f4..5595fd7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:12.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 19:55:03 +0000 + security-misc (3:12.8-1) unstable; urgency=medium * New upstream version (local package). From dd93b11321e171c56affcd660c0830d6a91ad87e Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 22 Dec 2019 13:52:43 +0000 Subject: [PATCH 0096/1650] Blacklist CPU MSRs --- etc/modprobe.d/msr.conf | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 etc/modprobe.d/msr.conf diff --git a/etc/modprobe.d/msr.conf b/etc/modprobe.d/msr.conf new file mode 100644 index 0000000..c9a39bf --- /dev/null +++ b/etc/modprobe.d/msr.conf @@ -0,0 +1,3 @@ +# Blacklist CPU MSRs as they can be abused to write to +# arbitrary memory. +install msr /bin/false From 8f11a520f4c406fa3187ad530f945a564b78a28c Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 22 Dec 2019 13:54:16 +0000 Subject: [PATCH 0097/1650] Update control --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index 33fe7d4..bfabc0f 100644 --- a/debian/control +++ b/debian/control @@ -103,6 +103,9 @@ Description: enhances misc security settings /lib/systemd/system/hide-hardware-info.service /lib/systemd/system/user@.service.d/sysfs.conf /etc/hide-hardware-info.d/30_default.conf + . + * The MSR kernel module is blacklisted to prevent CPU MSRs from being + abused to write to arbitrary memory. . Improve Entropy Collection . From 6eb8fd257aecd84686b4d7a9824a98bace9a705e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Dec 2019 18:56:36 -0500 Subject: [PATCH 0098/1650] suid utempter/utempter matchwhitelist to cover both: /usr/lib/x86_64-linux-gnu/utempter/utempter /lib/x86_64-linux-gnu/utempter/utempter --- etc/permission-hardening.d/30_default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 5810d76..837d398 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
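Review bot: `install msr /bin/false` only takes effect when `msr` is built as a loadable module; on a kernel with `CONFIG_X86_MSR=y` the `/dev/cpu/*/msr` interface exists regardless and this file is a no-op, so a comment such as `# No effect if msr is built in (CONFIG_X86_MSR=y); verify against the running kernel's config.` would help operators, and the claim in the debian/control hunk of the following commit should be conditioned the same way. Using an `install` rule rather than `blacklist` is the right choice, since `blacklist` only suppresses alias-based autoloading and not an explicit `modprobe msr`; root can still bypass an `install` rule, so this is a hardening default rather than an enforcement boundary. The comment's "write to arbitrary memory" wording is imprecise: MSR writes alter processor control state, which can in turn undermine kernel protections, rather than addressing memory directly; `# Block the msr module: raw MSR access from userspace can be abused to alter CPU control state.` states the risk more accurately.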
@@ -26,7 +26,6 @@ /usr/lib/policykit-1/polkit-agent-helper-1 whitelist /usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist -/usr/lib/x86_64-linux-gnu/utempter/utempter whitelist /usr/lib/chromium/chrome-sandbox whitelist ## There is a controversy about firejail but those who choose to install it @@ -55,6 +54,7 @@ ## TODO: white spaces inside file name untested /usr/lib/virtualbox/ matchwhitelist +/utempter/utempter matchwhitelist ###################################################################### # Permission Hardening From 15e3a2832da603f5caa9aadc6d68aaf503f013c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Dec 2019 18:57:23 -0500 Subject: [PATCH 0099/1650] comment --- etc/permission-hardening.d/30_default.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 837d398..800c2ea 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -54,6 +54,11 @@ ## TODO: white spaces inside file name untested /usr/lib/virtualbox/ matchwhitelist + +###################################################################### +# SUID regex match whitelist +###################################################################### + /utempter/utempter matchwhitelist ###################################################################### From 58a4e0bc7d1b87d4d169f31dc5935c75e929c0b4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Dec 2019 19:12:10 -0500 Subject: [PATCH 0100/1650] dbus-daemon-launch-helper matchwhitelist --- etc/permission-hardening.d/30_default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 800c2ea..f61a8d2 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
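Review bot: `/utempter/utempter matchwhitelist` replaces an exact `whitelist` path with a pattern, and the section it is placed in is labelled a regex match whitelist, so the entry reads as an unanchored match: any setuid file whose path contains `/utempter/utempter` keeps its bits, not only the two multiarch locations named in the commit message. The same applies to the bare `dbus-daemon-launch-helper matchwhitelist` added two commits later, which matches that name anywhere under any processed directory. If the parser honours regex anchors, anchoring to the known parents (e.g. `^/(usr/)?lib/[^/]+/utempter/utempter$`) narrows this; otherwise listing both concrete paths as plain `whitelist` entries keeps the exact-match semantics. The retained `TODO: white spaces inside file name untested` context line suggests the match implementation is worth reading before relying on it; how `matchwhitelist` is evaluated is outside this diff.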
@@ -24,7 +24,6 @@ /usr/bin/bwrap whitelist /bin/bwrap whitelist /usr/lib/policykit-1/polkit-agent-helper-1 whitelist -/usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/chromium/chrome-sandbox whitelist @@ -59,6 +58,7 @@ # SUID regex match whitelist ###################################################################### +dbus-daemon-launch-helper matchwhitelist /utempter/utempter matchwhitelist ###################################################################### From f4b1df02ee66309d12724cf7124b14180c855f14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Dec 2019 19:42:40 -0500 Subject: [PATCH 0101/1650] Remove suid / gid and execute permission for 'group' and 'others'. Similar to: chmod og-ugx /path/to/filename Removing execution permission is useful to make binaries such as 'su' fail closed rather than fail open if suid was removed from these. Do not remove read access since no security benefit and easier to manually undo for users. chmod 744 --- usr/lib/security-misc/permission-hardening | 216 ++++++++++----------- 1 file changed, 105 insertions(+), 111 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 998f23d..d67c865 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -52,125 +52,120 @@ echo_wrapper_silent_audit() { } add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="$fso" - local should_be_counter - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true - local counter_actual - counter_actual=0 + local fso_to_process + fso_to_process="$fso" + local should_be_counter + should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true + local counter_actual + counter_actual=0 - local line - while read -r line; do - true "line: $line" - counter_actual="$(( counter_actual + 1 ))" + local line + while read -r line; do + true "line: $line" + counter_actual="$(( counter_actual + 1 ))" - local arr file_name existing_mode existing_owner existing_group - arr=($line) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" + local arr file_name existing_mode existing_owner existing_group + arr=($line) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: existing_group is empty. line: '$line'" >&2 - continue - fi - - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. 
- - if test -h "$file_name" ; then - ## https://forums.whonix.org/t/kernel-hardening/7296/323 - true "skip symlink: $file_name" - continue - fi - - if test -d "$file_name" ; then - true "skip directory: $file_name" - continue - fi - - local setuid setuid_output setsgid setsgid_output - setuid="" - setuid_output="" - if test -u "$file_name" ; then - setuid=true - setuid_output="set-user-id" - fi - setsgid="" - setsgid_output="" - if test -g "$file_name" ; then - setsgid=true - setsgid_output="set-group-id" - fi - - if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then - string_length_of_existing_mode="${#existing_mode}" - if [ "$string_length_of_existing_mode" = "4" ]; then - new_mode="${existing_mode:1}" - else - new_mode="$existing_mode" + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: existing_group is empty. line: '$line'" >&2 + continue fi -## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability? -## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these? -## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? -## https://forums.whonix.org/t/permission-hardening/8655/10 -# if [ "$new_mode" = "755" ]; then -# new_mode=744 -# fi -# if [ "$new_mode" = "754" ]; then -# new_mode=744 -# fi -# if [ "$new_mode" = "745" ]; then -# new_mode=744 -# fi + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. 
+ + if test -h "$file_name" ; then + ## https://forums.whonix.org/t/kernel-hardening/7296/323 + true "skip symlink: $file_name" + continue + fi + + if test -d "$file_name" ; then + true "skip directory: $file_name" + continue + fi + + local setuid setuid_output setsgid setsgid_output + setuid="" + setuid_output="" + if test -u "$file_name" ; then + setuid=true + setuid_output="set-user-id" + fi + setsgid="" + setsgid_output="" + if test -g "$file_name" ; then + setsgid=true + setsgid_output="set-group-id" + fi + + local setuid_or_setsgid + setuid_or_setsgid="" + if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then + setuid_or_setsgid=true + fi + if [ "$setuid_or_setsgid" = "" ]; then + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' fail closed rather + ## than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? + new_mode="744" local is_whitelisted is_whitelisted="" for white_list_entry in $whitelist ; do - if [ "$file_name" = "$white_list_entry" ]; then - is_whitelisted="true" - ## Stop looping through the whitelist. - break - fi + if [ "$file_name" = "$white_list_entry" ]; then + is_whitelisted="true" + ## Stop looping through the whitelist. + break + fi done local is_match_whitelisted is_match_whitelisted="" for matchwhite_list_entry in $matchwhitelist ; do - if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then - is_match_whitelisted="true" - ## Stop looping through the matchwhitelist. - break - fi + if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then + is_match_whitelisted="true" + ## Stop looping through the matchwhitelist. 
+ break + fi done if [ "$is_whitelisted" = "true" ]; then - echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue + echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + continue fi if [ "$is_match_whitelisted" = "true" ]; then - echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" - continue + echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + continue fi echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" 
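Review bot: The unconditional `new_mode="744"` can make a file more readable than it was: a binary that is currently `4750` (no access for others) becomes `744` (world-readable), whereas the replaced `${existing_mode:1}` only dropped the setuid/setgid digit. Deriving the mode from the existing one keeps the commit's intent (no setuid/setgid, no group/other execute) without ever adding a bit, e.g. `new_mode="$(printf '%o' "$(( 8#$existing_mode & 8#744 ))")"`; note `new_mode` is also the only variable in this loop not declared `local`. In the matchwhitelist loop, `grep -q "$matchwhite_list_entry"` would treat an entry starting with `-` as an option, so `grep -q -- "$matchwhite_list_entry"` is safer. add_nosuid_statoverride_entry continues past this hunk.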
@@ -198,20 +193,19 @@ add_nosuid_statoverride_entry() { ## Not using --update as this is only for recording. echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" - fi - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - ## Sanity test. - if [ ! "$should_be_counter" = "$counter_actual" ]; then - echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" - echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" - exit_code=202 - echo "ERROR: counter does not check out." >&2 - fi + ## Sanity test. + if [ ! "$should_be_counter" = "$counter_actual" ]; then + echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" + echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" + exit_code=202 + echo "ERROR: counter does not check out." >&2 + fi } set_file_perms() { From 7aea304549cea2c885c2d813c7a15f617f4ebf2a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 00:26:15 -0500 Subject: [PATCH 0102/1650] comment --- usr/lib/security-misc/permission-hardening | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index d67c865..0f8a223 100755 --- a/usr/lib/security-misc/permission-hardening 
+++ b/usr/lib/security-misc/permission-hardening @@ -387,6 +387,9 @@ set_file_perms() { fi if [ "$capability_from_config" = "none" ]; then + # sudo setcap -r /usr/bin/ping + # Failed to set capabilities on file `/usr/bin/ping' (No data available) + # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file echo_wrapper_audit setcap -r "$fso" else if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then From b631e2ecd8ae0e08850edd81bf64b02666fb6234 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 00:36:41 -0500 Subject: [PATCH 0103/1650] refactoring --- usr/lib/security-misc/permission-hardening | 363 ++++++++++----------- 1 file changed, 181 insertions(+), 182 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 0f8a223..0cd1cff 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -209,198 +209,197 @@ add_nosuid_statoverride_entry() { } set_file_perms() { - echo "INFO: START parsing config_file: '$config_file'" - local line - while read -r line; do - if [ "$line" = "" ]; then - continue - fi - - if [[ "$line" =~ ^# ]]; then - continue - fi - - if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." - else - exit_code=200 - echo "ERROR: cannot parse line with invalid character: $line" >&2 - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 - continue - fi - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - if [ "$mode_from_config" = "whitelist" ]; then - ## TODO: test/add white spaces inside file name support - whitelist+="$fso_without_trailing_slash " - continue - fi - - if [ "$mode_from_config" = "matchwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - matchwhitelist+="$fso " - continue - fi - - if ! [ -e "$fso" ]; then - echo "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if [ "$mode_from_config" = "nosuid" ]; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if [ "$string_length_of_mode_from_config" -gt "4" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - if [ "$string_length_of_mode_from_config" -lt "3" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" 
>&2 + echo "INFO: START parsing config_file: '$config_file'" + local line + while read -r line; do + if [ "$line" = "" ]; then continue fi - if ! getent passwd | grep -q "^${owner_from_config}:" ; then - echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 + if [[ "$line" =~ ^# ]]; then continue fi - if ! getent group | grep -q "^${group_from_config}:" ; then - echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="$mode_from_config" - first_character_of_mode_from_config="${mode_from_config::1}" - if [ "$first_character_of_mode_from_config" = "0" ]; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - local stat_output - stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 - continue - fi - - local arr file_name existing_mode existing_owner existing_group - arr=($stat_output) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - - ## Check there is an entry for the fso. 
- ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then - true "There is an fso entry. Check if owner/group/mode match." - if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then - true "OK The owner/group/mode matches. No further action required." - else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - echo_wrapper_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" - - ## Remove from and add to real database. - echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi + if [[ "$line" =~ [0-9a-zA-Z/] ]]; then + true "OK line contains only white listed characters." else - true "There is no fso entry. 
Therefore add one." - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - fi - - if [ "$capability_from_config" = "" ]; then - continue - fi - - if [ "$capability_from_config" = "none" ]; then - # sudo setcap -r /usr/bin/ping - # Failed to set capabilities on file `/usr/bin/ping' (No data available) - # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file - echo_wrapper_audit setcap -r "$fso" - else - if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then - echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 + exit_code=200 + echo "ERROR: cannot parse line with invalid character: $line" >&2 continue fi - echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" - fi - done < "$config_file" - echo "INFO: END parsing config_file: '$config_file'" + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! 
read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then + exit_code=201 + echo "ERROR: cannot parse line: $line" >&2 + continue + fi + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + if [ "$mode_from_config" = "whitelist" ]; then + ## TODO: test/add white spaces inside file name support + whitelist+="$fso_without_trailing_slash " + continue + fi + + if [ "$mode_from_config" = "matchwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + matchwhitelist+="$fso " + continue + fi + + if ! [ -e "$fso" ]; then + echo "INFO: fso: '$fso' - does not exist. This is likely normal." + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if [ "$mode_from_config" = "nosuid" ]; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if [ "$string_length_of_mode_from_config" -gt "4" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + if [ "$string_length_of_mode_from_config" -lt "3" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + + if ! getent passwd | grep -q "^${owner_from_config}:" ; then + echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 + continue + fi + + if ! getent group | grep -q "^${group_from_config}:" ; then + echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 + continue + fi + + local mode_for_grep + mode_for_grep="$mode_from_config" + first_character_of_mode_from_config="${mode_from_config::1}" + if [ "$first_character_of_mode_from_config" = "0" ]; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + local stat_output + stat_output="" + if ! 
stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 + continue + fi + + local arr file_name existing_mode existing_owner existing_group + arr=($stat_output) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then + true "There is an fso entry. Check if owner/group/mode match." + if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then + true "OK The owner/group/mode matches. No further action required." + else + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." 
+ ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + echo_wrapper_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + + ## Remove from and add to real database. + echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + else + true "There is no fso entry. Therefore add one." + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + ## Add to real database. 
+ echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + fi + if [ "$capability_from_config" = "" ]; then + continue + fi + + if [ "$capability_from_config" = "none" ]; then + # sudo setcap -r /usr/bin/ping + # Failed to set capabilities on file `/usr/bin/ping' (No data available) + # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file + echo_wrapper_audit setcap -r "$fso" + else + if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then + echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 + continue + fi + + echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" + fi + done < "$config_file" + echo "INFO: END parsing config_file: '$config_file'" } parse_config_folder() { From 17a8c294702acb30c397abc984d69c356cec2cd7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 00:47:49 -0500 Subject: [PATCH 0104/1650] fix capability removal error handling https://forums.whonix.org/t/disable-suid-binaries/7706/45 --- usr/lib/security-misc/permission-hardening | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 0cd1cff..9dc381f 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
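Review bot: The line validator `[[ "$line" =~ [0-9a-zA-Z/] ]]` only tests that at least one allowed character appears somewhere, so it accepts every non-empty line and the `exit_code=200` branch is unreachable; the message `true "OK line contains only white listed characters."` is therefore not what is checked. Anchoring the pattern gives the intended check, e.g. `local ok_re='^[0-9a-zA-Z/._ -]+$'` followed by `if [[ "$line" =~ $ok_re ]]; then` — the character set must be widened to whatever the shipped config actually needs (paths on this page contain `.` and `-`, and capability names use `_`). Separately, `arr=($stat_output)` is an unquoted array assignment and is subject to pathname expansion, so `read -r -a arr <<< "$stat_output"` is the safer way to split stat's output.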
@@ -386,10 +386,17 @@ set_file_perms() {
 fi
 
 if [ "$capability_from_config" = "none" ]; then
- # sudo setcap -r /usr/bin/ping
+ ## https://forums.whonix.org/t/disable-suid-binaries/7706/45
+ # sudo setcap -r /usr/bin/ping 2>/dev/null
 # Failed to set capabilities on file `/usr/bin/ping' (No data available)
 # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
- echo_wrapper_audit setcap -r "$fso"
+ ## Therefore use echo_wrapper_ignore.
+ echo_wrapper_ignore setcap -r "$fso"
+ getcap_output="$(getcap "$fso")"
+ if [ ! "$getcap_output" = "" ]; then
+ echo "ERROR: removing capabilities for fso '$fso' failed!" >&2
+ continue
+ fi
 else
 if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
 echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
From 3670fcf48baecffe098c96eb67cbd601bc3e0069 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 00:49:33 -0500
Subject: [PATCH 0105/1650] depend on libcap2-bin for setcap / getcap / capsh
---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index bfabc0f..8d62e4a 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Standards-Version: 4.3.0
 
 Package: security-misc
 Architecture: all
-Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser,
+Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
 apparmor-profile-anondist, helper-scripts, ${misc:Depends}
 Replaces: tcp-timestamps-disable
 Description: enhances misc security settings
From fef1469fe62bf923ba89077934c8b0e5d8cd0258 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 00:51:14 -0500
Subject: [PATCH 0106/1650] exit non-zero if capability removal failed
---
 usr/lib/security-misc/permission-hardening | 1 +
 1 file changed, 1 insertion(+)
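Review bot: The verification `getcap_output="$(getcap "$fso")"` ignores getcap's exit status, so if getcap is absent or fails (error on stderr, nothing on stdout) the empty output is read as "capabilities removed" and the file is silently left as it was, while the preceding `echo_wrapper_ignore setcap -r` has already discarded setcap's own error. Checking both, `if ! getcap_output="$(getcap "$fso")" || [ -n "$getcap_output" ]; then`, makes a missing or failing getcap an error instead of a pass. `getcap_output` should also be declared `local` like the other per-line variables in set_file_perms, whose body extends beyond this hunk.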
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 9dc381f..6ab8b36 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -394,6 +394,7 @@ set_file_perms() { echo_wrapper_ignore setcap -r "$fso" getcap_output="$(getcap "$fso")" if [ ! "$getcap_output" = "" ]; then + exit_code=205 echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 continue fi From 065ff4bd058ab26df3d3af1022da9d6a7405ab61 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 00:59:24 -0500 Subject: [PATCH 0107/1650] sanity_tests --- usr/lib/security-misc/permission-hardening | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 6ab8b36..162252f 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -51,6 +51,11 @@ echo_wrapper_silent_audit() { }; } +sanity_tests() { + echo_wrapper_audit which \ + capsh getcap setcap stat find dpkg-statoverride group passwd xargs grep +} + add_nosuid_statoverride_entry() { local fso_to_process fso_to_process="$fso" @@ -417,6 +422,7 @@ parse_config_folder() { done } +sanity_tests parse_config_folder if [ ! "$exit_code" = "0" ]; then From 87b999f92aab4f4176f366308c27c4fe5471580c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 00:59:43 -0500 Subject: [PATCH 0108/1650] refactoring --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 162252f..dda43e6 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -256,7 +256,7 @@ set_file_perms() {
 continue
 fi
 
- if ! [ -e "$fso" ]; then
+ if [ ! -e "$fso" ]; then
 echo "INFO: fso: '$fso' - does not exist. This is likely normal."
 continue
 fi
From dc6e5d8508a09bd7f2b9bfed02bc502797c11361 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 01:06:38 -0500
Subject: [PATCH 0109/1650] fix
---
 usr/lib/security-misc/permission-hardening | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index dda43e6..8dfcd83 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -53,7 +53,7 @@ echo_wrapper_silent_audit() {
 
 sanity_tests() {
 echo_wrapper_audit which \
- capsh getcap setcap stat find dpkg-statoverride group passwd xargs grep
+ capsh getcap setcap stat find dpkg-statoverride getent xargs grep
 }
 
 add_nosuid_statoverride_entry() {
From 4f76867da6ce5710cf486175cd84adcd72640049 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 01:08:02 -0500
Subject: [PATCH 0110/1650] lower debugging
---
 usr/lib/security-misc/permission-hardening | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 8dfcd83..f653599 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -40,8 +40,7 @@ echo_wrapper_audit() {
 }
 
 echo_wrapper_silent_audit() {
- ## TODO: remove echo
- echo "run (debugging): $@"
+ #echo "run (debugging): $@"
 return_code=0
 "$@" || \
 { \
@@ -52,7 +51,7 @@ echo_wrapper_silent_audit() {
 }
 
 sanity_tests() {
- echo_wrapper_audit which \
+ echo_wrapper_silent_audit which \
 capsh getcap setcap stat find dpkg-statoverride getent xargs grep
 }
 
From 906b3d32e769bbd30ed5698268899a7d2ec71d95 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:09:57 -0500 Subject: [PATCH 0111/1650] output --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index f653599..1b8046d 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -52,7 +52,7 @@ echo_wrapper_silent_audit() { sanity_tests() { echo_wrapper_silent_audit which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { From a1e78e8515a87ebc8fc2211b3e1e91824fd3865a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:20:56 -0500 Subject: [PATCH 0112/1650] fix needlessly re-adding entries --- usr/lib/security-misc/permission-hardening | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 1b8046d..5a02e07 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
@@ -339,9 +339,15 @@ set_file_perms() {
 ## root root 755 /home
 ##
 ## dpkg-statoverride does not show leading '0'.
- if dpkg-statoverride --list "$fso_without_trailing_slash" >/dev/null ; then
+ local dpkg_statoverride_list_output=""
+ local dpkg_statoverride_list_exit_code=0
+ dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? ; true; };
+
+ if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then
 true "There is an fso entry. Check if owner/group/mode match."
- if dpkg-statoverride --list | grep -q "$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" ; then
+ local grep_line
+ grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash"
+ if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then
 true "OK The owner/group/mode matches. No further action required."
 else
 true "The owner/group/mode do not match, therefore remove and re-add the entry to update it."
From 6d05359abcf460cbec266401530a9ab1aaaaf47f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 01:21:52 -0500
Subject: [PATCH 0113/1650] output
---
 usr/lib/security-misc/permission-hardening | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 5a02e07..2122f3b 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
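Review bot: `grep -q "$grep_line"` still compares the override entry as an unanchored basic regular expression, so regex metacharacters in the path (`.`, `+`, `[`) match more than themselves and a mode such as `755` also matches as a prefix of a longer field. Since the comparison is against the single line `owner group mode path` that `--list` returns for this fso, a fixed-string whole-line match is what is meant: `if echo "$dpkg_statoverride_list_output" | grep -qFx -- "$grep_line" ; then`. Note also that the argument to `dpkg-statoverride --list` is documented as a glob pattern, so a path containing `*`, `?` or `[` may list more than the one entry; worth a comment at the `--list` call. The enclosing set_file_perms body starts and ends outside this hunk.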
@@ -362,7 +362,7 @@ set_file_perms() { echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi - echo_wrapper_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" ## Remove from and add to real database. echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" From ee9c5742da99673785068b0393e3587a77c99a31 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:29:48 -0500 Subject: [PATCH 0114/1650] output --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 2122f3b..5aa0c90 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -362,7 +362,7 @@ set_file_perms() { echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + echo_wrapper_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" ## Remove from and add to real database. echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" From ba30e45d15ec53b2d0a67ce96f5132d3f59bf870 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:32:42 -0500 Subject: [PATCH 0115/1650] output --- usr/lib/security-misc/permission-hardening | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
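Review bot: Moving the separate-database `--remove` from `echo_wrapper_silent_audit` to `echo_wrapper_ignore` discards the exit status of every failure, not only the expected "no override for this path" case, so a locked, missing or unreadable database under `$dpkg_admindir_parameter_new_mode` is no longer reported anywhere; the same trade-off is then made for the other `--remove` calls in patch 0115 (second hunk), and in both hunks of patch 0116, including the real-database removal in set_file_perms. If the goal is only to tolerate a missing entry, a prior `dpkg-statoverride $dpkg_admindir_parameter_new_mode --list "$fso_without_trailing_slash" >/dev/null` and removing only on success keeps genuine failures visible while staying quiet on the common path. set_file_perms starts and ends outside the hunk.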
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 5aa0c90..b6ed04c 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -28,6 +28,11 @@ echo_wrapper_ignore() { "$@" 2>/dev/null || true } +echo_wrapper_silent_ignore() { + #echo "run: $@" + "$@" 2>/dev/null || true +} + echo_wrapper_audit() { echo "run: $@" return_code=0 @@ -190,7 +195,7 @@ add_nosuid_statoverride_entry() { echo_wrapper_ignore dpkg-statoverride --remove "$file_name" ## Remove from separate database. - echo_wrapper_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" + echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" ## Add to real database and use --update to make changes on disk. echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" From 34bf2457136db227cc27a5d0fe9282f09780a310 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:35:45 -0500 Subject: [PATCH 0116/1650] output --- usr/lib/security-misc/permission-hardening | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index b6ed04c..663ddcd 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -192,7 +192,7 @@ add_nosuid_statoverride_entry() { ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. ## Remove from real database. - echo_wrapper_ignore dpkg-statoverride --remove "$file_name" + echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" ## Remove from separate database. echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" 
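Review bot: `echo_wrapper_silent_ignore` is the fourth wrapper variant in this file and nothing states how it differs from `echo_wrapper_ignore` directly above it; the only difference visible in the hunk is the commented-out `echo`. A one-line comment saves readers from diffing the bodies: `## Same as echo_wrapper_ignore but does not print the command; stderr and a non-zero exit status are still discarded.` The `#echo "run: $@"` line is dead code rather than documentation and can go, since the `run:` format is already shown by the non-silent variants.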
@@ -367,10 +367,10 @@ set_file_perms() { echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" fi - echo_wrapper_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" ## Remove from and add to real database. - echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" ## Save in separate database. From d484b299ea1a93a401d00a212d675b5837b8aaa9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:38:31 -0500 Subject: [PATCH 0117/1650] matchwhitelist /qubes/qfile-unpacker to match both - /usr/lib/qubes/qfile-unpacker whitelist - /lib/qubes/qfile-unpacker --- etc/permission-hardening.d/30_default.conf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index f61a8d2..45417d6 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -33,14 +33,9 @@ /usr/bin/firejail whitelist ###################################################################### -# SUID exact match whitelist - research required +# SUID exact match whitelist ###################################################################### -## TODO: research required - -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -/usr/lib/qubes/qfile-unpacker whitelist - ## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## http://forums.whonix.org/t/permission-hardening/8655/25 @@ -54,6 +49,12 @@ /usr/lib/virtualbox/ matchwhitelist +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +## match both: +#/usr/lib/qubes/qfile-unpacker whitelist +#/lib/qubes/qfile-unpacker +/qubes/qfile-unpacker matchwhitelist + ###################################################################### # SUID regex match whitelist ###################################################################### From 1ff56625a170c392f6099b41f371c56032362ea0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 01:42:03 -0500 Subject: [PATCH 0118/1650] polkit-agent-helper-1 matchwhitelist to match both - /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist - /lib/policykit-1/polkit-agent-helper-1 --- etc/permission-hardening.d/30_default.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 45417d6..9b6eee7 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -23,7 +23,6 @@ /bin/sudo whitelist /usr/bin/bwrap whitelist /bin/bwrap whitelist -/usr/lib/policykit-1/polkit-agent-helper-1 whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/chromium/chrome-sandbox whitelist 
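Review bot: `/qubes/qfile-unpacker matchwhitelist` is compared by permission-hardening with an unanchored `grep -q` against the full path (the `match_white_list` loop in patch 0121), so this entry keeps SUID not only on the two paths named in the comment but on any scanned file whose path merely contains that substring; the same applies to the bare `polkit-agent-helper-1` entry added in patch 0118 and, since the script treats the entries as regexes, to `disablewhitelist` entries after patch 0122. Anchoring limits the entry to the intended paths without needing backslashes in the config: `^/usr/lib/qubes/qfile-unpacker$ matchwhitelist` and `^/lib/qubes/qfile-unpacker$ matchwhitelist`. Whether the scanned directories can contain paths a local user controls depends on the `nosuid` entries, which are not visible here, so the exposure cannot be judged from this hunk alone.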
@@ -55,6 +54,11 @@ #/lib/qubes/qfile-unpacker /qubes/qfile-unpacker matchwhitelist +## match both: +#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist +#/lib/policykit-1/polkit-agent-helper-1 +polkit-agent-helper-1 matchwhitelist + ###################################################################### # SUID regex match whitelist ###################################################################### From 0409aac3aeb7acc273e19b16e78409994c731f2a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:09:04 -0500 Subject: [PATCH 0119/1650] readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 12f7442..6239abf 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,9 @@ things, it is disabled by default and can optionally be enabled by running /lib/systemd/system/user@.service.d/sysfs.conf /etc/hide-hardware-info.d/30_default.conf +* The MSR kernel module is blacklisted to prevent CPU MSRs from being +abused to write to arbitrary memory. + Improve Entropy Collection * Load jitterentropy_rng kernel module. From 175d1c284552a08881286e8c3ca5d8eb9b97a144 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:13:13 -0500 Subject: [PATCH 0120/1650] bumped changelog version --- changelog.upstream | 188 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 194 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d1f4258..63b1e52 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,191 @@ +commit 0409aac3aeb7acc273e19b16e78409994c731f2a +Author: Patrick Schleizer +Date: Mon Dec 23 02:09:04 2019 -0500 + + readme + +commit 1ff56625a170c392f6099b41f371c56032362ea0 +Author: Patrick Schleizer +Date: Mon Dec 23 01:42:03 2019 -0500 + + polkit-agent-helper-1 matchwhitelist to match both + + - /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist + - /lib/policykit-1/polkit-agent-helper-1 + +commit d484b299ea1a93a401d00a212d675b5837b8aaa9 +Author: Patrick Schleizer +Date: Mon Dec 23 01:38:31 2019 -0500 + + matchwhitelist /qubes/qfile-unpacker to match both + + - /usr/lib/qubes/qfile-unpacker whitelist + - /lib/qubes/qfile-unpacker + +commit 34bf2457136db227cc27a5d0fe9282f09780a310 +Author: Patrick Schleizer +Date: Mon Dec 23 01:35:45 2019 -0500 + + output + +commit ba30e45d15ec53b2d0a67ce96f5132d3f59bf870 +Author: Patrick Schleizer +Date: Mon Dec 23 01:32:42 2019 -0500 + + output + +commit ee9c5742da99673785068b0393e3587a77c99a31 +Author: Patrick Schleizer +Date: Mon Dec 23 01:29:48 2019 -0500 + + output + +commit 6d05359abcf460cbec266401530a9ab1aaaaf47f +Author: Patrick Schleizer +Date: Mon Dec 23 01:21:52 2019 -0500 + + output + +commit a1e78e8515a87ebc8fc2211b3e1e91824fd3865a +Author: Patrick Schleizer +Date: Mon Dec 23 01:20:56 2019 -0500 + + fix needlessly re-adding entries + +commit 906b3d32e769bbd30ed5698268899a7d2ec71d95 +Author: Patrick Schleizer +Date: Mon Dec 23 01:09:57 2019 -0500 + + output + +commit 4f76867da6ce5710cf486175cd84adcd72640049 +Author: Patrick Schleizer +Date: Mon Dec 23 01:08:02 2019 -0500 + + lower debugging + +commit dc6e5d8508a09bd7f2b9bfed02bc502797c11361 +Author: Patrick Schleizer +Date: Mon Dec 23 01:06:38 2019 -0500 + + fix + +commit 87b999f92aab4f4176f366308c27c4fe5471580c +Author: Patrick Schleizer +Date: Mon Dec 23 00:59:43 2019 -0500 + + refactoring + +commit 065ff4bd058ab26df3d3af1022da9d6a7405ab61 +Author: Patrick Schleizer +Date: Mon Dec 23 00:59:24 2019 -0500 + + sanity_tests + +commit 
fef1469fe62bf923ba89077934c8b0e5d8cd0258 +Author: Patrick Schleizer +Date: Mon Dec 23 00:51:14 2019 -0500 + + exit non-zero if capability removal failed + +commit 3670fcf48baecffe098c96eb67cbd601bc3e0069 +Author: Patrick Schleizer +Date: Mon Dec 23 00:49:33 2019 -0500 + + depend on libcap2-bin for setcap / getcap / capsh + +commit 17a8c294702acb30c397abc984d69c356cec2cd7 +Author: Patrick Schleizer +Date: Mon Dec 23 00:47:49 2019 -0500 + + fix capability removal error handling + + https://forums.whonix.org/t/disable-suid-binaries/7706/45 + +commit b631e2ecd8ae0e08850edd81bf64b02666fb6234 +Author: Patrick Schleizer +Date: Mon Dec 23 00:36:41 2019 -0500 + + refactoring + +commit 7aea304549cea2c885c2d813c7a15f617f4ebf2a +Author: Patrick Schleizer +Date: Mon Dec 23 00:26:15 2019 -0500 + + comment + +commit f4b1df02ee66309d12724cf7124b14180c855f14 +Author: Patrick Schleizer +Date: Sun Dec 22 19:42:40 2019 -0500 + + Remove suid / gid and execute permission for 'group' and 'others'. + + Similar to: chmod og-ugx /path/to/filename + + Removing execution permission is useful to make binaries such as 'su' fail closed rather + than fail open if suid was removed from these. + + Do not remove read access since no security benefit and easier to manually undo for users. 
+ + chmod 744 + +commit 58a4e0bc7d1b87d4d169f31dc5935c75e929c0b4 +Author: Patrick Schleizer +Date: Sun Dec 22 19:12:10 2019 -0500 + + dbus-daemon-launch-helper matchwhitelist + +commit 15e3a2832da603f5caa9aadc6d68aaf503f013c9 +Author: Patrick Schleizer +Date: Sun Dec 22 18:57:23 2019 -0500 + + comment + +commit 6eb8fd257aecd84686b4d7a9824a98bace9a705e +Author: Patrick Schleizer +Date: Sun Dec 22 18:56:36 2019 -0500 + + suid utempter/utempter matchwhitelist + + to cover both: + + /usr/lib/x86_64-linux-gnu/utempter/utempter + /lib/x86_64-linux-gnu/utempter/utempter + +commit 9409209b48fb8f803b88d72c0e7febaa74f5bd2c +Merge: 008ce48 bce02ff +Author: Patrick Schleizer +Date: Sun Dec 22 10:29:08 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit bce02ffdc01c22c8d5528eb5eaa7729a6b3137dd +Merge: 008ce48 8f11a52 +Author: Patrick Schleizer +Date: Sun Dec 22 15:26:07 2019 +0000 + + Merge pull request #47 from madaidan/msr + + Blacklist CPU MSRs + +commit 8f11a520f4c406fa3187ad530f945a564b78a28c +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Dec 22 13:54:16 2019 +0000 + + Update control + +commit dd93b11321e171c56affcd660c0830d6a91ad87e +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Dec 22 13:52:43 2019 +0000 + + Blacklist CPU MSRs + +commit 008ce4817c6ad2218af05d14626b0f2c70a6e90d +Author: Patrick Schleizer +Date: Sat Dec 21 14:55:03 2019 -0500 + + bumped changelog version + commit d300db3cde0f7ee8e3884a1225ec1d196a318728 Author: Patrick Schleizer Date: Sat Dec 21 14:45:11 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 5595fd7..ba8fe20 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 07:13:13 +0000 + security-misc (3:12.9-1) unstable; urgency=medium * New upstream version (local package). 
From 47ddcad0c0af27093f61cf77008224bf66572532 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:29:47 -0500 Subject: [PATCH 0121/1650] rename keyword whitelist to exactwhitelist add new keyword disablewhitelist refactoring --- etc/permission-hardening.d/30_default.conf | 18 +++++--- usr/lib/security-misc/permission-hardening | 50 +++++++++++++++------- 2 files changed, 46 insertions(+), 22 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 9b6eee7..b030e55 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -13,23 +13,27 @@ ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## argument. +###################################################################### +# SUID disablewhitelist +###################################################################### + ###################################################################### # SUID exact match whitelist ###################################################################### ## TODO: white spaces inside file name untested -/usr/bin/sudo whitelist -/bin/sudo whitelist -/usr/bin/bwrap whitelist -/bin/bwrap whitelist -/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist -/usr/lib/chromium/chrome-sandbox whitelist +/usr/bin/sudo exactwhitelist +/bin/sudo exactwhitelist +/usr/bin/bwrap exactwhitelist +/bin/bwrap exactwhitelist +/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist +/usr/lib/chromium/chrome-sandbox exactwhitelist ## There is a controversy about firejail but those who choose to install it ## should be able to use it. ## https://www.whonix.org/wiki/Dev/Firejail#Security -/usr/bin/firejail whitelist +/usr/bin/firejail exactwhitelist ###################################################################### # SUID exact match whitelist 
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 663ddcd..d6335bc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -147,11 +147,11 @@ add_nosuid_statoverride_entry() { ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? new_mode="744" - local is_whitelisted - is_whitelisted="" - for white_list_entry in $whitelist ; do + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in $exact_white_list ; do if [ "$file_name" = "$white_list_entry" ]; then - is_whitelisted="true" + is_exact_whitelisted="true" ## Stop looping through the whitelist. break fi 
@@ -159,22 +159,36 @@ add_nosuid_statoverride_entry() { local is_match_whitelisted is_match_whitelisted="" - for matchwhite_list_entry in $matchwhitelist ; do + for matchwhite_list_entry in $match_white_list ; do if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then is_match_whitelisted="true" - ## Stop looping through the matchwhitelist. + ## Stop looping through the match_white_list. break fi done - if [ "$is_whitelisted" = "true" ]; then - echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue - fi + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in $disable_white_list ; do + if [ "$file_name" = "$disablematch_list_entry" ]; then + is_disable_whitelisted="true" + ## Stop looping through the disablewhitelist. + break + fi + done - if [ "$is_match_whitelisted" = "true" ]; then - echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + if [ "$is_disable_whitelisted" = "true" ]; then + echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" continue + else + if [ "$is_exact_whitelisted" = "true" ]; then + echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + continue + fi + if [ "$is_match_whitelisted" = "true" ]; then + echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + continue + fi fi echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" 
@@ -248,15 +262,21 @@ set_file_perms() { local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" - if [ "$mode_from_config" = "whitelist" ]; then + if [ "$mode_from_config" = "disablewhitelist" ]; then ## TODO: test/add white spaces inside file name support - whitelist+="$fso_without_trailing_slash " + disable_white_list+="$fso " + continue + fi + + if [ "$mode_from_config" = "exactwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + exact_white_list+="$fso " continue fi if [ "$mode_from_config" = "matchwhitelist" ]; then ## TODO: test/add white spaces inside file name support - matchwhitelist+="$fso " + match_white_list+="$fso " continue fi From f8f2e6c7041d98572452be2e53094d0c539b1616 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:35:13 -0500 Subject: [PATCH 0122/1650] fix disablewhitelist feature --- etc/permission-hardening.d/30_default.conf | 2 ++ usr/lib/security-misc/permission-hardening | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index b030e55..9527253 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -17,6 +17,8 @@ # SUID disablewhitelist ###################################################################### +#/utempter/utempter disablewhitelist + ###################################################################### # SUID exact match whitelist ###################################################################### diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index d6335bc..d175acb 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
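Review bot: The keyword `whitelist` is dropped from the parser without a compatibility path, so a user configuration that still says `/bin/sudo whitelist` silently stops being a whitelist entry and, as far as the hunk shows, falls through to the mode-handling code below it with `whitelist` as the mode; what that code does with it is outside the hunk, but losing the sudo whitelist entry on a hardening run is a lock-out risk. Rejecting the old keyword explicitly is cheap: `if [ "$mode_from_config" = "whitelist" ]; then echo "ERROR: keyword 'whitelist' was renamed to 'exactwhitelist' - fso: '$fso'" >&2 ; exit 1 ; fi` (or accept it as an alias of `exactwhitelist` with a warning). The new lists are also appended with `$fso` instead of `$fso_without_trailing_slash`, so an exact entry written with a trailing slash can never equal a path reported by `stat`. set_file_perms starts and ends outside the hunk.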
@@ -170,7 +170,7 @@ add_nosuid_statoverride_entry() { local is_disable_whitelisted is_disable_whitelisted="" for disablematch_list_entry in $disable_white_list ; do - if [ "$file_name" = "$disablematch_list_entry" ]; then + if echo "$file_name" | grep -q "$disablematch_list_entry" ; then is_disable_whitelisted="true" ## Stop looping through the disablewhitelist. break @@ -179,7 +179,6 @@ add_nosuid_statoverride_entry() { if [ "$is_disable_whitelisted" = "true" ]; then echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue else if [ "$is_exact_whitelisted" = "true" ]; then echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" From 2152fa2d61fa72935b70e60b98ccbe2e1b31db43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:38:53 -0500 Subject: [PATCH 0123/1650] comment --- etc/permission-hardening.d/30_default.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 9527253..7da4b18 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
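Review bot: After this fix a `disablewhitelist` hit is a substring/regex match and no longer skips the file, but the only comment in the loop is `## Stop looping through the disablewhitelist.`, which says nothing about either semantic; a reader seeing the `INFO: white list disabled` message followed by the normal `found` message will wonder whether that is intended. A comment above the `for disablematch_list_entry` loop would settle it: `## disablewhitelist entries are unanchored grep patterns against the full path; a hit only cancels the exact/match whitelists for this file, hardening still proceeds.` The loop variable `disablematch_list_entry` also no longer matches the list name `disable_white_list`, which the rename in patch 0121 otherwise made consistent. add_nosuid_statoverride_entry starts and ends outside the hunk.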
@@ -13,18 +13,24 @@ ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## argument. +## TODO: white spaces inside file name untested and probably will not work. + ###################################################################### # SUID disablewhitelist ###################################################################### +## disablewhitelist disables below (or in lexically higher) files +## exactwhitelist and matchwhitelist. Add these here (discouraged) or better +## in file "/etc/permission-hardening.d/20_user.conf". + +## For example, if you are not using SELinux the following might make sense to +## enable. TODO: research #/utempter/utempter disablewhitelist ###################################################################### # SUID exact match whitelist ###################################################################### -## TODO: white spaces inside file name untested - /usr/bin/sudo exactwhitelist /bin/sudo exactwhitelist /usr/bin/bwrap exactwhitelist @@ -50,8 +56,6 @@ # SUID regex match whitelist - research required ###################################################################### -## TODO: white spaces inside file name untested - /usr/lib/virtualbox/ matchwhitelist ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c From 42ff53e9ad26190dcbff154f6cfd039e3f6bdf83 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 02:42:07 -0500 Subject: [PATCH 0124/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 63b1e52..4157429 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,31 @@ +commit 2152fa2d61fa72935b70e60b98ccbe2e1b31db43 +Author: Patrick Schleizer +Date: Mon Dec 23 02:38:53 2019 -0500 + + comment + +commit f8f2e6c7041d98572452be2e53094d0c539b1616 +Author: Patrick Schleizer +Date: Mon Dec 23 02:35:13 2019 -0500 + + fix disablewhitelist feature + +commit 47ddcad0c0af27093f61cf77008224bf66572532 +Author: Patrick Schleizer +Date: Mon Dec 23 02:29:47 2019 -0500 + + rename keyword whitelist to exactwhitelist + + add new keyword disablewhitelist + + refactoring + +commit 175d1c284552a08881286e8c3ca5d8eb9b97a144 +Author: Patrick Schleizer +Date: Mon Dec 23 02:13:13 2019 -0500 + + bumped changelog version + commit 0409aac3aeb7acc273e19b16e78409994c731f2a Author: Patrick Schleizer Date: Mon Dec 23 02:09:04 2019 -0500 diff --git a/debian/changelog b/debian/changelog index ba8fe20..4bc5e8e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 07:42:07 +0000 + security-misc (3:13.0-1) unstable; urgency=medium * New upstream version (local package). From 11b4192fbdbc02af97e7dc32677bdb3a549b0000 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:28:42 -0500 Subject: [PATCH 0125/1650] comments --- etc/permission-hardening.d/30_default.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 7da4b18..e6083b2 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -43,6 +43,11 @@ ## https://www.whonix.org/wiki/Dev/Firejail#Security /usr/bin/firejail exactwhitelist +## In case you need to use 'su'. See also: +## https://www.whonix.org/wiki/root#su +#/bin/su exactwhitelist +#/usr/bin/su exactwhitelist + ###################################################################### # SUID exact match whitelist ###################################################################### From 535c258b834028e5638fd2b37b1a6f352e2b4558 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 18 Dec 2019 20:43:01 +0000 Subject: [PATCH 0126/1650] More kernel hardening --- etc/default/grub.d/40_kernel_hardening.cfg | 40 +++++++++++++++++----- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 7a50db8..c6fc47c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,18 +1,29 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +kver="$(uname -r)" + +## Disables the merging of slabs of similar sizes. +## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F), redzoning (Z) and poisoning (P). -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" +## Enables sanity checks (F) and redzoning (Z). +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -if command -v "qubesdb-read" >/dev/null 2>&1 ; then - ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 - true "skip adding page_poison=1 in Qubes" +## Zero memory at allocation and free time. +if dpkg --compare-versions "${kver}" ge "5.3"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" else - ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" + ## SLUB poisoning and page poisoning is used if the kernel + ## does not yet support init_on_{,alloc,free}. + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P" + + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 + true "skip adding page_poison=1 in Qubes" + else + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" + fi fi ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. 
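Review bot: On kernels older than 5.3 the else branch appends `slub_debug=P` after the unconditional `slub_debug=FZ` earlier in the hunk, and the kernel's slub_debug setup handler re-parses each occurrence from scratch rather than merging them, so the later `P` is likely to replace `FZ` instead of adding to it, whereas the pre-change `slub_debug=FZP` kept all three. Making the else branch `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"` restores that, since the last occurrence then carries every flag; alternatively collect the flags in a variable and append `slub_debug=` once. Separately, `kver="$(uname -r)"` gates the options on the kernel that happens to be running grub-mkconfig, which is not necessarily the kernel the generated entries will boot (a just-installed newer kernel, or an image built in a chroot), and GRUB_CMDLINE_LINUX applies to every menu entry. That assumption deserves a comment at the `kver` line: `## NOTE: version gates use the running kernel, not the kernel being booted; grub.cfg must be regenerated after kernel upgrades.`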
@@ -24,3 +35,16 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Enables all mitigations for the MDS vulnerability. ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" + +## Enables page allocator freelist randomization. +if dpkg --compare-versions "${kver}" ge "5.2"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" +fi + +## Enables kernel lockdown. +if dpkg --compare-versions "${kver}" ge "5.4"; then + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +fi From 1ff51ee061dcdb1a898ebb68c0267ce926e0fca0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:37:28 -0500 Subject: [PATCH 0127/1650] merge --- debian/control | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 8d62e4a..2d10db3 100644 --- a/debian/control +++ b/debian/control @@ -56,7 +56,9 @@ Description: enhances misc security settings * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. . - * Sanity checks, redzoning, and memory poisoning are enabled. + * Sanity checks and redzoning are enabled. + . + * Memory zeroing at allocation and free time is enabled. . * Machine checks (MCE) are disabled which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. @@ -106,6 +108,14 @@ Description: enhances misc security settings . * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. + . + * Vsyscalls are disabled as they are obsolete, are at fixed addresses and are + a target for ROP. + . + * Page allocator freelist randomization is enabled. + . + * Kernel lockdown is enabled. + . . Improve Entropy Collection . 
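Review bot: `## Enables kernel lockdown.` undersells the new `lockdown=confidentiality` line: it only takes effect when the kernel is built with the lockdown LSM enabled, is otherwise ignored without anything here reporting that the hardening did not apply, and when it does apply it also rejects unsigned kernel modules, which is a visible behaviour change for anyone using out-of-tree modules. A fuller comment would be: `## Kernel lockdown (5.4+, needs the lockdown LSM built in): confidentiality mode also rejects unsigned modules, blocks hibernation and raw memory access, and restricts kernel-memory reads by tracing tools.` The running-kernel caveat for the `dpkg --compare-versions "${kver}"` gate in the first hunk applies to both version tests added here as well.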
From 9ec5b0ee82263e1afb38c44348e69437ddc5c9c2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:38:49 -0500 Subject: [PATCH 0128/1650] description: lockdown not enabled yet --- debian/control | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/control b/debian/control index 2d10db3..9e56d6c 100644 --- a/debian/control +++ b/debian/control @@ -113,9 +113,6 @@ Description: enhances misc security settings a target for ROP. . * Page allocator freelist randomization is enabled. - . - * Kernel lockdown is enabled. - . . Improve Entropy Collection . From 26fe9394fff2eb5be2f19272ea76ed187a8237e5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:41:54 -0500 Subject: [PATCH 0129/1650] disable lockdown for now due to module loading --- etc/default/grub.d/40_kernel_hardening.cfg | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index c6fc47c..b11f1c2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -45,6 +45,10 @@ if dpkg --compare-versions "${kver}" ge "5.2"; then fi ## Enables kernel lockdown. -if dpkg --compare-versions "${kver}" ge "5.4"; then - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -fi +## +## Disabled for now as it enforces module signature verification which breaks +## too many things. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi From 9f072ce4f99467f82986be348c9cedc2eb7f017d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:46:02 -0500 Subject: [PATCH 0130/1650] comment --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b11f1c2..d88ba7f 100644 
--- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -48,6 +48,7 @@ fi ## ## Disabled for now as it enforces module signature verification which breaks ## too many things. +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 ## #if dpkg --compare-versions "${kver}" ge "5.4"; then # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" From 046ceeae4df3b45916f35b0789af341c4f3d911a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:57:36 -0500 Subject: [PATCH 0131/1650] readme --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6239abf..4d655df 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,9 @@ uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. -* Sanity checks, redzoning, and memory poisoning are enabled. +* Sanity checks and redzoning are enabled. + +* Memory zeroing at allocation and free time is enabled. * Machine checks (MCE) are disabled which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. @@ -89,6 +91,11 @@ things, it is disabled by default and can optionally be enabled by running * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. +* Vsyscalls are disabled as they are obsolete, are at fixed addresses and are +a target for ROP. + +* Page allocator freelist randomization is enabled. + Improve Entropy Collection * Load jitterentropy_rng kernel module. From bef41a38c26548d50101f7ea636316e1e2107a55 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 23 Dec 2019 03:58:00 -0500 Subject: [PATCH 0132/1650] bumped changelog version --- changelog.upstream | 55 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 61 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4157429..1365186 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,58 @@ +commit 046ceeae4df3b45916f35b0789af341c4f3d911a +Author: Patrick Schleizer +Date: Mon Dec 23 03:57:36 2019 -0500 + + readme + +commit 9f072ce4f99467f82986be348c9cedc2eb7f017d +Author: Patrick Schleizer +Date: Mon Dec 23 03:46:02 2019 -0500 + + comment + +commit 26fe9394fff2eb5be2f19272ea76ed187a8237e5 +Author: Patrick Schleizer +Date: Mon Dec 23 03:41:54 2019 -0500 + + disable lockdown for now due to module loading + +commit 9ec5b0ee82263e1afb38c44348e69437ddc5c9c2 +Author: Patrick Schleizer +Date: Mon Dec 23 03:38:49 2019 -0500 + + description: lockdown not enabled yet + +commit b05669accfe6fac8070003bbd57939ca2c621445 +Merge: 11b4192 1ff51ee +Author: Patrick Schleizer +Date: Mon Dec 23 03:38:04 2019 -0500 + + Merge branch 'madaidan-kernel-hardening' + +commit 1ff51ee061dcdb1a898ebb68c0267ce926e0fca0 +Author: Patrick Schleizer +Date: Mon Dec 23 03:37:28 2019 -0500 + + merge + +commit 535c258b834028e5638fd2b37b1a6f352e2b4558 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Dec 18 20:43:01 2019 +0000 + + More kernel hardening + +commit 11b4192fbdbc02af97e7dc32677bdb3a549b0000 +Author: Patrick Schleizer +Date: Mon Dec 23 03:28:42 2019 -0500 + + comments + +commit 42ff53e9ad26190dcbff154f6cfd039e3f6bdf83 +Author: Patrick Schleizer +Date: Mon Dec 23 02:42:07 2019 -0500 + + bumped changelog version + commit 2152fa2d61fa72935b70e60b98ccbe2e1b31db43 Author: Patrick Schleizer Date: Mon Dec 23 02:38:53 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 4bc5e8e..f8b707b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:13.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 08:58:00 +0000 + security-misc (3:13.1-1) unstable; urgency=medium * New upstream version (local package). From 3e131174d5919303462295cb0852a9254885ae7c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 05:00:35 -0500 Subject: [PATCH 0133/1650] comments --- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index d88ba7f..47fd62f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -2,6 +2,7 @@ ## See the file COPYING for copying conditions. kver="$(uname -r)" +#echo "## kver: $kver" ## Disables the merging of slabs of similar sizes. ## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -11,9 +12,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" ## Zero memory at allocation and free time. -if dpkg --compare-versions "${kver}" ge "5.3"; then +if dpkg --compare-versions "$kver" ge "5.3"; then + #echo "## $kver grater or equal 5.3: yes" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" else + #echo "## $kver grater or equal 5.3: no" ## SLUB poisoning and page poisoning is used if the kernel ## does not yet support init_on_{,alloc,free}. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P" From 617c0a0e15f1c113b6e7fd748bb75978e4f23fcd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 07:21:26 -0500 Subject: [PATCH 0134/1650] disable remount-secure.service - Disable for now until development finished / tested. --- lib/systemd/system-preset/50-security-misc.preset | 3 +++ 1 file changed, 3 insertions(+) 
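Review bot: The commented-out debug lines `#echo "## kver: $kver"` and `#echo "## $kver grater or equal 5.3: yes"` write to stdout, yet this snippet is sourced by grub-mkconfig, and when grub-mkconfig is run as `grub-mkconfig > grub.cfg` (rather than with `-o`) its stdout is the generated configuration, so uncommenting them for debugging would put the text into grub.cfg, harmless only because it happens to start with `#`. Send debug output to stderr so it can never reach the boot configuration: `#echo "## kver: $kver" >&2`. While touching these lines, fix the typo in both messages: `grater` → `greater`.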
diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 802414b..7debfe2 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -6,3 +6,6 @@ disable hide-hardware-info.service ## Disable for now until development finished / tested. disable permission-hardening.service + +## Disable for now until development finished / tested. +disable remount-secure.service From 7a80837b4f0a7201f3e092ad9b99b4cddb6043b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 23 Dec 2019 08:48:04 -0500 Subject: [PATCH 0135/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1365186..2182c48 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 617c0a0e15f1c113b6e7fd748bb75978e4f23fcd +Author: Patrick Schleizer +Date: Mon Dec 23 07:21:26 2019 -0500 + + disable remount-secure.service - Disable for now until development finished / tested. + +commit 3e131174d5919303462295cb0852a9254885ae7c +Author: Patrick Schleizer +Date: Mon Dec 23 05:00:35 2019 -0500 + + comments + +commit bef41a38c26548d50101f7ea636316e1e2107a55 +Author: Patrick Schleizer +Date: Mon Dec 23 03:58:00 2019 -0500 + + bumped changelog version + commit 046ceeae4df3b45916f35b0789af341c4f3d911a Author: Patrick Schleizer Date: Mon Dec 23 03:57:36 2019 -0500 diff --git a/debian/changelog b/debian/changelog index f8b707b..5f192ba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 13:48:04 +0000 + security-misc (3:13.2-1) unstable; urgency=medium * New upstream version (local package). From 9d77d88a4dfd0f42a2a671bbec49f4ebd90af882 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 23 Dec 2019 09:39:50 -0500 Subject: [PATCH 0136/1650] comments --- etc/permission-hardening.d/30_default.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index e6083b2..96fe0e8 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -113,3 +113,15 @@ dbus-daemon-launch-helper matchwhitelist /usr/local/lib/ nosuid /usr/local/lib32/ nosuid /usr/local/lib64/ nosuid + +###################################################################### +# Capability Removal +###################################################################### + +## Ping doesn't work with Tor anyway so its capabilities are removed to +## reduce attack surface. +## anon-apps-config does this. +#/bin/ping 0744 root root none + +## TODO: research +#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none From d1a0650fd944973ab614c1da06f8e555b31b73ae Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 23 Dec 2019 19:44:52 +0000 Subject: [PATCH 0137/1650] Use only one slub_debug parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 47fd62f..530c810 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
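Review bot: The TODO entry's path `/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper` looks like a typo for `.../gstreamer1.0/gstreamer-1.0/gst-ptp-helper`; if it is uncommented as written it would silently match nothing, so correct it now while it is still a comment. The `/bin/ping` example pairs the `none` capability field with mode `0744`, which also removes the execute bit for non-root users, so the comment "its capabilities are removed" understates what the line does; add `## 0744 additionally makes ping non-executable for non-root users, not just capability-less.` Both lines are comments, so nothing changes until they are enabled.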
@@ -8,18 +8,18 @@ kver="$(uname -r)" ## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F) and redzoning (Z). -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" - -## Zero memory at allocation and free time. if dpkg --compare-versions "$kver" ge "5.3"; then + ## Enables sanity checks (F) and redzoning (Z). + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" + #echo "## $kver grater or equal 5.3: yes" + ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" else #echo "## $kver grater or equal 5.3: no" ## SLUB poisoning and page poisoning is used if the kernel ## does not yet support init_on_{,alloc,free}. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P" + GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" if command -v "qubesdb-read" >/dev/null 2>&1 ; then ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 From 98e88d1456ca0e8fa23809115c51c380a4bb2d3b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 23 Dec 2019 19:57:43 +0000 Subject: [PATCH 0138/1650] Detect kernel upgrades --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 47fd62f..1a992a5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -kver="$(uname -r)" +kver="$(dpkg-query --show --showformat='${Version}' linux-image-amd64)" #echo "## kver: $kver" ## Disables the merging of slabs of similar sizes. From 79241c5d09c4a7123cf90b45289b53d893135efb Mon Sep 17 00:00:00 2001 
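Review bot: `kver` is now the version of the `linux-image-amd64` metapackage, so on a system without that package (a flavour metapackage such as `linux-image-cloud-amd64`, a kernel installed only by its versioned package name, or a self-built kernel) `dpkg-query` fails, `kver` is empty, and `dpkg --compare-versions "" ge 5.3` only warns and, as far as I can tell, evaluates false, so the pre-5.3 branch is taken and `init_on_alloc=1 init_on_free=1` are silently dropped on a kernel that supports them. Fall back to the running kernel when the query fails: `kver="$(dpkg-query --show --showformat='${Version}' linux-image-amd64 2>/dev/null)" || kver="$(uname -r)"`. A metapackage version such as `4.19+105+deb10u1` is not a kernel release string, but the major.minor prefix is what the comparison needs, so that part is fine; a comment saying so would save the next reader the same check.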
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 23 Dec 2019 20:28:29 +0000 Subject: [PATCH 0139/1650] Make /lib/modules unreadable --- etc/permission-hardening.d/30_default.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 96fe0e8..6f883bb 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -91,6 +91,7 @@ dbus-daemon-launch-helper matchwhitelist /boot/ 0700 root root /etc/permission-hardening.d 0600 root root /usr/local/etc/permission-hardening.d 0600 root root +/lib/modules/ 0700 root root ###################################################################### # SUID/SGID Removal From ede536913daa0c7ddfe55e20c93d7b752daa5de3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2019 06:00:41 -0500 Subject: [PATCH 0140/1650] no longer hardcode amd64 --- etc/default/grub.d/40_kernel_hardening.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index f3e3c6e..b741b20 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,7 +1,8 @@ ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -kver="$(dpkg-query --show --showformat='${Version}' linux-image-amd64)" +kpkg="linux-image-$(dpkg --print-architecture)" +kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" #echo "## kver: $kver" ## Disables the merging of slabs of similar sizes. From 0326cd5ee9371213420d2afdcbfb0a05d9a808e6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2019 08:07:55 -0500 Subject: [PATCH 0141/1650] bumped changelog version --- changelog.upstream | 70 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 76 insertions(+) 
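Review bot: `/lib/modules/ 0700 root root` hides the on-disk module tree from unprivileged users, but the names of loaded modules remain readable through `/proc/modules` and `/sys/module`, so this entry should not be mistaken for hiding the loaded-module list; add `## Hides module files on disk only; /proc/modules and /sys/module still list loaded modules.` On a merged-/usr system `/lib` is a symlink to `/usr/lib`, so the same directory is also reachable as `/usr/lib/modules/`; how the script resolves a path through a symlinked parent is not visible here, so confirm that the mode is applied in that layout too. Unprivileged `modinfo` will stop working with this mode, which is presumably intended but worth stating in the comment.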
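Review bot: Deriving `kpkg` from `dpkg --print-architecture` removes the amd64 assumption, but `linux-image-<arch>` is only one of several metapackage names (`linux-image-cloud-<arch>`, `linux-image-rt-<arch>`) and a kernel installed by its versioned package name or built locally has none, in which case `dpkg-query` fails and `kver` stays empty. Add a fallback on the query line, `kver="$(dpkg-query --show --showformat='${Version}' "$kpkg" 2>/dev/null)" || kver="$(uname -r)"`, and consider a stderr message when the fallback is taken so a misdetected kernel is visible. Also note in a comment that the metapackage version tracks the newest installed kernel while `GRUB_CMDLINE_LINUX` is applied to every menu entry, so an older kernel still installed gets the ≥5.3 parameter set and silently ignores `init_on_alloc`/`init_on_free`.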
diff --git a/changelog.upstream b/changelog.upstream index 2182c48..dc2ee00 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,73 @@ +commit ede536913daa0c7ddfe55e20c93d7b752daa5de3 +Author: Patrick Schleizer +Date: Tue Dec 24 06:00:41 2019 -0500 + + no longer hardcode amd64 + +commit d03a3d9ac03bc29ba349107855936dd194e12271 +Merge: 9d77d88 27a42a9 +Author: Patrick Schleizer +Date: Tue Dec 24 05:57:24 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 27a42a9da82bc1f22135ffa509925f63177f25d9 +Merge: ac49c55 79241c5 +Author: Patrick Schleizer +Date: Tue Dec 24 10:55:11 2019 +0000 + + Merge pull request #50 from madaidan/modules + + Make /lib/modules unreadable + +commit ac49c55d1fafff5f36bd7c595f50db295ff616a2 +Merge: 0c3d4ad 98e88d1 +Author: Patrick Schleizer +Date: Tue Dec 24 10:55:03 2019 +0000 + + Merge pull request #49 from madaidan/kver + + Detect kernel upgrades + +commit 0c3d4ad255de75b57a2e316bf8a7fd77a2fc0d4d +Merge: 9d77d88 d1a0650 +Author: Patrick Schleizer +Date: Tue Dec 24 10:54:23 2019 +0000 + + Merge pull request #48 from madaidan/kernel-hardening + + Use only one slub_debug parameter + +commit 79241c5d09c4a7123cf90b45289b53d893135efb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 20:28:29 2019 +0000 + + Make /lib/modules unreadable + +commit 98e88d1456ca0e8fa23809115c51c380a4bb2d3b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 19:57:43 2019 +0000 + + Detect kernel upgrades + +commit d1a0650fd944973ab614c1da06f8e555b31b73ae +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 19:44:52 2019 +0000 + + Use only one slub_debug parameter + +commit 9d77d88a4dfd0f42a2a671bbec49f4ebd90af882 +Author: Patrick Schleizer +Date: Mon Dec 23 09:39:50 2019 -0500 + + comments + +commit 7a80837b4f0a7201f3e092ad9b99b4cddb6043b3 +Author: Patrick Schleizer +Date: Mon Dec 23 08:48:04 2019 -0500 + + bumped changelog version + commit 617c0a0e15f1c113b6e7fd748bb75978e4f23fcd Author: Patrick Schleizer Date: Mon Dec 23 07:21:26 2019 -0500 
diff --git a/debian/changelog b/debian/changelog index 5f192ba..b0d08a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2019 13:07:55 +0000 + security-misc (3:13.3-1) unstable; urgency=medium * New upstream version (local package). From e18ec533c3ebb382f974d30db3cd1f5eace648c2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2019 17:54:02 -0500 Subject: [PATCH 0142/1650] comment --- usr/lib/security-misc/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index ae263b8..3d1c1ca 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -72,6 +72,7 @@ remount_secure() { return 0 fi + ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep -q "$mount_folder " ; then ## Already mounted. Using remount. echo mount -o "remount,${new_mount_options}" "$mount_folder" From 9da0e428ed4635fb5ca98b2d72b56b553404a742 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2019 17:54:31 -0500 Subject: [PATCH 0143/1650] debugging --- usr/lib/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 3d1c1ca..84cd909 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -8,7 +8,7 @@ ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -#set -x +set -x set -e if [ -f /usr/lib/helper-scripts/pre.bsh ]; then From 04f438f75d4566822026373e78988e9d4e42b8b5 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 24 Dec 2019 18:09:37 -0500 Subject: [PATCH 0144/1650] comment --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index d175acb..1b43ed2 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -106,7 +106,7 @@ add_nosuid_statoverride_entry() { ## -g file True if file has its set-group-id bit set. if test -h "$file_name" ; then - ## https://forums.whonix.org/t/kernel-hardening/7296/323 + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 true "skip symlink: $file_name" continue fi From 507a30d6e39f17fcb09b92033fe1d831e7d4baf4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2019 18:35:49 -0500 Subject: [PATCH 0145/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index dc2ee00..b3af657 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 04f438f75d4566822026373e78988e9d4e42b8b5 +Author: Patrick Schleizer +Date: Tue Dec 24 18:09:37 2019 -0500 + + comment + +commit 9da0e428ed4635fb5ca98b2d72b56b553404a742 +Author: Patrick Schleizer +Date: Tue Dec 24 17:54:31 2019 -0500 + + debugging + +commit e18ec533c3ebb382f974d30db3cd1f5eace648c2 +Author: Patrick Schleizer +Date: Tue Dec 24 17:54:02 2019 -0500 + + comment + +commit 0326cd5ee9371213420d2afdcbfb0a05d9a808e6 +Author: Patrick Schleizer +Date: Tue Dec 24 08:07:55 2019 -0500 + + bumped changelog version + commit ede536913daa0c7ddfe55e20c93d7b752daa5de3 Author: Patrick Schleizer Date: Tue Dec 24 06:00:41 2019 -0500 diff --git a/debian/changelog b/debian/changelog index b0d08a7..2b4dc2d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:13.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2019 23:35:49 +0000 + security-misc (3:13.4-1) unstable; urgency=medium * New upstream version (local package). From 674840e6f9fb362dc713da3edde07132b5ae17d4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Dec 2019 05:44:35 -0500 Subject: [PATCH 0146/1650] /fusermount matchwhitelist unbreak AppImages such as electrum Bitcoin wallet https://forums.whonix.org/t/disable-suid-binaries/7706/57 --- etc/permission-hardening.d/30_default.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 6f883bb..bec19fe 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -27,6 +27,9 @@ ## enable. TODO: research #/utempter/utempter disablewhitelist +## If you are not going to use AppImages such as electrum Bitcoin wallet. +#/fusermount disablewhitelist + ###################################################################### # SUID exact match whitelist ###################################################################### @@ -81,6 +84,10 @@ polkit-agent-helper-1 matchwhitelist dbus-daemon-launch-helper matchwhitelist /utempter/utempter matchwhitelist +## required for AppImages such as electrum Bitcoin wallet +## https://forums.whonix.org/t/disable-suid-binaries/7706/57 +/fusermount matchwhitelist + ###################################################################### # Permission Hardening ###################################################################### From d7f58db52c926c11157671c4555ca97f02929a76 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 27 Dec 2019 05:30:12 -0500 Subject: [PATCH 0147/1650] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+) 
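Review bot: `/fusermount matchwhitelist` is a substring whitelist, so it keeps SUID on every scanned path containing `/fusermount` (`/bin/fusermount`, `/usr/bin/fusermount3`, and any other file whose path happens to contain that string), while the binary's location is fixed and the exact form already used for `chrome-sandbox` fits better: `/bin/fusermount exactwhitelist` and `/usr/bin/fusermount exactwhitelist`. fusermount is a SUID helper that mounts filesystems on behalf of unprivileged users, exactly the class of binary this list exists to prune, so the comment should state the trade-off rather than only the use case, e.g. `## Keeps a SUID mount helper available to all local users; disable via the user config if AppImages are not needed.`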
diff --git a/changelog.upstream b/changelog.upstream index b3af657..7c9d980 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,19 @@ +commit 674840e6f9fb362dc713da3edde07132b5ae17d4 +Author: Patrick Schleizer +Date: Thu Dec 26 05:44:35 2019 -0500 + + /fusermount matchwhitelist + + unbreak AppImages such as electrum Bitcoin wallet + + https://forums.whonix.org/t/disable-suid-binaries/7706/57 + +commit 507a30d6e39f17fcb09b92033fe1d831e7d4baf4 +Author: Patrick Schleizer +Date: Tue Dec 24 18:35:49 2019 -0500 + + bumped changelog version + commit 04f438f75d4566822026373e78988e9d4e42b8b5 Author: Patrick Schleizer Date: Tue Dec 24 18:09:37 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 2b4dc2d..b644059 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Dec 2019 10:30:12 +0000 + security-misc (3:13.5-1) unstable; urgency=medium * New upstream version (local package). From e5623fcd2b32b58e72c2ef80955072f013672e0d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:21:52 -0500 Subject: [PATCH 0148/1650] comment --- etc/permission-hardening.d/30_default.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index bec19fe..380b87b 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/50_user.conf" or -## "/usr/local/etc/permission-hardening.d/50_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. From d5c99f3a60372a00ded4b1b4340775aab1421d31 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:27:21 -0500 Subject: [PATCH 0149/1650] output --- usr/lib/security-misc/permission-hardening | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 1b43ed2..8ae7344 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -246,7 +246,7 @@ set_file_perms() { true "OK line contains only white listed characters." else exit_code=200 - echo "ERROR: cannot parse line with invalid character: $line" >&2 + echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 continue fi @@ -254,7 +254,7 @@ set_file_perms() { local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 + echo "ERROR: cannot parse. line: '$line'" >&2 continue fi From e3e1ff2a310c46fab67309edd88e73096843edcb Mon Sep 17 00:00:00 2001 
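Review bot: The comment now points users at `20_user.conf`, which sorts before `30_default.conf`; if the script reads the `.d` directories in lexical order and applies entries as it goes, a user entry for the same path would be overridden by the default that follows it, whereas `disablewhitelist` lines would take effect regardless of order. The processing order is not visible in this hunk, so either confirm the intended precedence or spell it out here, e.g. `## Files are processed in lexical order; a later file overrides an earlier entry for the same path.` (or the reverse, whichever the script implements), so users know whether `20_` actually lets them win.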
From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:35:46 -0500 Subject: [PATCH 0150/1650] exit with error if a config line cannot be processed rather than skipping https://forums.whonix.org/t/disable-suid-binaries/7706/59 --- usr/lib/security-misc/permission-hardening | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 8ae7344..d89444e 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -247,7 +247,9 @@ set_file_perms() { else exit_code=200 echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 - continue + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" fi #global fso @@ -255,7 +257,9 @@ set_file_perms() { if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then exit_code=201 echo "ERROR: cannot parse. line: '$line'" >&2 - continue + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" fi local fso_without_trailing_slash From 683028049c46516ba105b1b73364960b3b87efd6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:41:23 -0500 Subject: [PATCH 0151/1650] debugging --- usr/lib/security-misc/permission-hardening | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index d89444e..adc7724 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening 
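Review bot: Replacing `continue` with `exit "$exit_code"` fails closed on a malformed line, but since `set_file_perms` applies entries as it parses them, the exit happens mid-run: everything before the bad line has been applied and everything after it (including the SUID removal section) is silently skipped, so one typo in a user config leaves the system half-hardened at boot with only an exit status to show for it. Validate all config lines in a first pass and exit before touching anything, or keep going and exit non-zero at the end; in either case the message should name the source file, e.g. `echo "ERROR: cannot parse. file: '$config_file' line: '$line'" >&2`, if the file name is in scope (not visible here). `set_file_perms()` begins before this hunk.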
@@ -257,6 +257,8 @@ set_file_perms() { if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then exit_code=201 echo "ERROR: cannot parse. line: '$line'" >&2 + ## Debugging. + du -hs /tmp /var/log || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "$exit_code" From 5271892cb1e4646b79388d064227d4662b682583 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:42:54 -0500 Subject: [PATCH 0152/1650] debugging --- usr/lib/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index adc7724..386f1e8 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -258,7 +258,7 @@ set_file_perms() { exit_code=201 echo "ERROR: cannot parse. line: '$line'" >&2 ## Debugging. - du -hs /tmp /var/log || true + du -hs /tmp || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "$exit_code" From 1a0f7a77335940a11e33ca519d8f64429b8ee966 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:43:32 -0500 Subject: [PATCH 0153/1650] debugging --- usr/lib/security-misc/permission-hardening | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 386f1e8..3a1b2c4 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -259,6 +259,7 @@ set_file_perms() { echo "ERROR: cannot parse. line: '$line'" >&2 ## Debugging. du -hs /tmp || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "$exit_code" 
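Review bot: The new debug line `echo "test -w /tmp: '$(test -w /tmp)'" >&2` always prints an empty string, because `test` produces no output and its answer is only in the exit status, which `$(...)` discards. Print the status instead: `echo "test -w /tmp: $(test -w /tmp && echo yes || echo no)" >&2`. This matters for the bug being chased: bash (before 5.1) implements `read ... <<< "$line"` with a temporary file under `$TMPDIR`, so an unwritable or full /tmp at boot is a plausible cause of the parse failure, and the line as written cannot show it. `set_file_perms()` begins before this hunk.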
From 0e14706f32728123f1d345b73266934fe454a989 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:45:26 -0500 Subject: [PATCH 0154/1650] copyright --- lib/systemd/system/permission-hardening.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 216da23..54a2d7b 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Unit] Description=File permission hardening Documentation=https://github.com/Whonix/security-misc From 6d56eb9ef0e2cfbba46df2294deb9c8e6b9aa2b7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:56:18 -0500 Subject: [PATCH 0155/1650] minor --- lib/systemd/system/permission-hardening.service | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 54a2d7b..c7c8f2d 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -4,6 +4,7 @@ [Unit] Description=File permission hardening Documentation=https://github.com/Whonix/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target From 2787ae976580d20ea4da5213c7f624f984510934 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:56:35 -0500 Subject: [PATCH 0156/1650] copyright --- lib/systemd/system/remount-secure.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 52c7c2e..9250912 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] From 3ea946b365d8b05cabce63f4d26b3153559aa465 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:56:51 -0500 Subject: [PATCH 0157/1650] RemainAfterExit=yes --- lib/systemd/system/permission-hardening.service | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index c7c8f2d..d603064 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -12,6 +12,7 @@ After=local-fs.target [Service] Type=oneshot +RemainAfterExit=yes ExecStart=/usr/lib/security-misc/permission-hardening [Install] From 9156d3584cd7ba9064d5af54afd95b6d8e73907b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 04:59:05 -0500 Subject: [PATCH 0158/1650] Description --- lib/systemd/system/permission-hardening.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index d603064..31c5ac3 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. [Unit] -Description=File permission hardening +Description=SUID, SGID, Capability and File Permission Hardening Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no From edc08988f26532daf90bc4a4f007aef53e62eeaf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 05:08:53 -0500 Subject: [PATCH 0159/1650] copyright --- lib/systemd/system/proc-hidepid.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index e4cd70e..f2e9e91 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] From 9c0d6b605707dbcb7db9cd227257a5dcd612f784 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Dec 2019 05:09:07 -0500 Subject: [PATCH 0160/1650] copyright --- lib/systemd/system/remove-system-map.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index fdfbf6b..562b195 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Unit] Description=Removes the System.map files Documentation=https://github.com/Whonix/security-misc From e4e9c4e3b09138af25e94a6db81b0f759ddb4d1b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Dec 2019 05:59:43 -0500 Subject: [PATCH 0161/1650] bumped changelog version --- changelog.upstream | 86 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 92 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c9d980..af03bf7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,89 @@ +commit 9c0d6b605707dbcb7db9cd227257a5dcd612f784 +Author: Patrick Schleizer +Date: Sun Dec 29 05:09:07 2019 -0500 + + copyright + +commit edc08988f26532daf90bc4a4f007aef53e62eeaf +Author: Patrick Schleizer +Date: Sun Dec 29 05:08:53 2019 -0500 + + copyright + +commit 9156d3584cd7ba9064d5af54afd95b6d8e73907b +Author: Patrick Schleizer +Date: Sun Dec 29 04:59:05 2019 -0500 + + Description + +commit 3ea946b365d8b05cabce63f4d26b3153559aa465 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:51 2019 -0500 + + RemainAfterExit=yes + +commit 2787ae976580d20ea4da5213c7f624f984510934 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:35 2019 -0500 + + copyright + +commit 6d56eb9ef0e2cfbba46df2294deb9c8e6b9aa2b7 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:18 2019 -0500 + + minor + +commit 0e14706f32728123f1d345b73266934fe454a989 +Author: Patrick Schleizer +Date: Sun Dec 29 04:45:26 2019 -0500 + + copyright + +commit 1a0f7a77335940a11e33ca519d8f64429b8ee966 +Author: Patrick Schleizer +Date: Sun Dec 29 04:43:32 2019 -0500 + + debugging + +commit 5271892cb1e4646b79388d064227d4662b682583 +Author: Patrick Schleizer +Date: Sun Dec 29 04:42:54 2019 -0500 + + debugging + +commit 683028049c46516ba105b1b73364960b3b87efd6 +Author: Patrick Schleizer +Date: Sun Dec 29 04:41:23 2019 -0500 + + debugging + +commit e3e1ff2a310c46fab67309edd88e73096843edcb +Author: Patrick Schleizer +Date: Sun Dec 29 04:35:46 2019 -0500 + + exit with error if a config line cannot be processed rather than skipping + + https://forums.whonix.org/t/disable-suid-binaries/7706/59 + +commit d5c99f3a60372a00ded4b1b4340775aab1421d31 +Author: Patrick Schleizer +Date: Sun Dec 29 04:27:21 2019 -0500 + + output + +commit e5623fcd2b32b58e72c2ef80955072f013672e0d +Author: Patrick Schleizer +Date: Sun Dec 29 04:21:52 2019 -0500 + + comment + +commit d7f58db52c926c11157671c4555ca97f02929a76 +Author: Patrick Schleizer +Date: Fri Dec 27 05:30:12 2019 -0500 + + bumped changelog version + commit 
674840e6f9fb362dc713da3edde07132b5ae17d4 Author: Patrick Schleizer Date: Thu Dec 26 05:44:35 2019 -0500 diff --git a/debian/changelog b/debian/changelog index b644059..78538b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Dec 2019 10:59:43 +0000 + security-misc (3:13.6-1) unstable; urgency=medium * New upstream version (local package). From f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Dec 2019 06:39:24 -0500 Subject: [PATCH 0162/1650] Protect /bin/mount from 'chmod -x'. /bin/mount exactwhitelist /usr/bin/mount exactwhitelist Remove SUID from 'mount' but keep executable. /bin/mount 745 root root /usr/bin/mount 745 root root https://forums.whonix.org/t/disable-suid-binaries/7706/61 --- etc/permission-hardening.d/30_default.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 380b87b..1d0e0df 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -41,6 +41,12 @@ /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist /usr/lib/chromium/chrome-sandbox exactwhitelist +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +## Protect from 'chmod -x' (and SUID removal). +## SUID will be removed below in separate step. +/bin/mount exactwhitelist +/usr/bin/mount exactwhitelist + ## There is a controversy about firejail but those who choose to install it ## should be able to use it. ## https://www.whonix.org/wiki/Dev/Firejail#Security 
@@ -92,6 +98,11 @@ dbus-daemon-launch-helper matchwhitelist # Permission Hardening ###################################################################### +## Remove SUID from 'mount' but keep executable. +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +/bin/mount 745 root root +/usr/bin/mount 745 root root + /home/ 0755 root root /home/user/ 0700 user user /root/ 0700 root root From 06ed728d791abe0ad3c93091fd8ebc088f73c4ef Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Dec 2019 06:42:14 -0500 Subject: [PATCH 0163/1650] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index af03bf7..a40caca 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d +Author: Patrick Schleizer +Date: Mon Dec 30 06:39:24 2019 -0500 + + Protect /bin/mount from 'chmod -x'. + + /bin/mount exactwhitelist + /usr/bin/mount exactwhitelist + + Remove SUID from 'mount' but keep executable. + + /bin/mount 745 root root + /usr/bin/mount 745 root root + + https://forums.whonix.org/t/disable-suid-binaries/7706/61 + +commit e4e9c4e3b09138af25e94a6db81b0f759ddb4d1b +Author: Patrick Schleizer +Date: Mon Dec 30 05:59:43 2019 -0500 + + bumped changelog version + commit 9c0d6b605707dbcb7db9cd227257a5dcd612f784 Author: Patrick Schleizer Date: Sun Dec 29 05:09:07 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 78538b0..0b4c33c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:13.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Dec 2019 11:42:14 +0000 + security-misc (3:13.7-1) unstable; urgency=medium * New upstream version (local package). From 788914de95ee9299d685e8b65466feee1085cf18 Mon Sep 17 00:00:00 2001 
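Review bot: `745` is an odd mode for a binary the comment says should "keep executable" — it leaves world execute (5) but strips group execute (4), so members of group root lose execute while every other user keeps it; if the intent is only to drop SUID, the conventional value is `/bin/mount 755 root root` and `/usr/bin/mount 755 root root`. Removing SUID from mount also means unprivileged users can no longer use fstab entries with the `user`/`users` option, which rely on the setuid helper; that consequence deserves a line in the comment above these entries so later support reports can be traced back here. On merged-/usr systems the two paths presumably resolve to the same file, so both entries act on one inode — harmless, but worth a note.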
From: Patrick Schleizer Date: Tue, 31 Dec 2019 02:46:32 -0500 Subject: [PATCH 0164/1650] group ssh check was removed https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27 --- usr/lib/security-misc/pam_tally2-info | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info index a392f7b..8b6ae52 100755 --- a/usr/lib/security-misc/pam_tally2-info +++ b/usr/lib/security-misc/pam_tally2-info @@ -8,26 +8,6 @@ grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pa if ! echo "$grep_result" | grep -q "#" ; then ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - if [ "$PAM_SERVICE" = "sshd" ]; then - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "ssh"; then - ssh_allowed=true - fi - if [ ! "$ssh_allowed" = "true" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'ssh'" >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "addgroup $PAM_USER ssh" >&2 - echo "" >&2 - echo "$0: However, possibly unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#ssh" >&2 - echo "" >&2 - exit 0 - fi - fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then console_allowed=true fi From 20697db3ee5d227176c4d31e6c96454a64f47797 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2019 02:53:02 -0500 Subject: [PATCH 0165/1650] improve console lockdown info output --- usr/lib/security-misc/pam_tally2-info | 51 ++++++++++++++++----------- 1 file changed, 30 insertions(+), 21 deletions(-) 
diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info index 8b6ae52..4bcbdf6 100755 --- a/usr/lib/security-misc/pam_tally2-info +++ b/usr/lib/security-misc/pam_tally2-info 
@@ -5,28 +5,37 @@ grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" -if ! echo "$grep_result" | grep -q "#" ; then - ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 +## Check if grep matched something. +if [ ! "$grep_result" = "" ]; then + ## Yes, grep matched. - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then - console_allowed=true - fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then - console_allowed=true - fi - if [ ! "$console_allowed" = "true" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "addgroup $PAM_USER console" >&2 - echo "" >&2 - echo "$0: However, possibly unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#console" >&2 - echo "" >&2 - exit 0 + ## Check if not out commented. + if ! echo "$grep_result" | grep -q "#" ; then + ## Not out commented indeed. + + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 + + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then + console_allowed=true + fi + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then + console_allowed=true + fi + + if [ ! 
"$console_allowed" = "true" ]; then + echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "addgroup $PAM_USER console" >&2 + echo "" >&2 + echo "$0: However, possibly unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#console" >&2 + echo "" >&2 + exit 0 + fi fi fi From b5a2d1dc581b53974aaa148f6d8f3054c9d1c5fe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2019 02:54:58 -0500 Subject: [PATCH 0166/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a40caca..e6f1616 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit 20697db3ee5d227176c4d31e6c96454a64f47797 +Author: Patrick Schleizer +Date: Tue Dec 31 02:53:02 2019 -0500 + + improve console lockdown info output + +commit 788914de95ee9299d685e8b65466feee1085cf18 +Author: Patrick Schleizer +Date: Tue Dec 31 02:46:32 2019 -0500 + + group ssh check was removed + + https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27 + +commit 06ed728d791abe0ad3c93091fd8ebc088f73c4ef +Author: Patrick Schleizer +Date: Mon Dec 30 06:42:14 2019 -0500 + + bumped changelog version + commit f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d Author: Patrick Schleizer Date: Mon Dec 30 06:39:24 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 0b4c33c..7dfecf8 100644 --- a/debian/changelog +++ b/debian/changelog 
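Review bot: The "out commented" test `if ! echo "$grep_result" | grep -q "#" ; then` treats a `#` anywhere in the matched line as a comment marker, so an active `accessfile=` directive followed by a trailing comment is misread as disabled and the lockdown hint is silently skipped. Anchor it to the line start: `if ! echo "$grep_result" | grep -q '^[[:space:]]*#' ; then`. The initial grep may also return several lines (one commented, one live), in which case the first `#` found in any of them decides; filtering the pam.d file with `grep -v '^[[:space:]]*#'` before matching would be unambiguous. Since the not-allowed branch ends in `exit 0`, I assume this script is informational and pam_access does the enforcement — a one-line comment stating that would save the next reader from wondering why it does not fail closed.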
@@ -1,3 +1,9 @@ +security-misc (3:13.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2019 07:54:58 +0000 + security-misc (3:13.8-1) unstable; urgency=medium * New upstream version (local package). From e89552c9846f85b4bbf73595080d71dcd873fe29 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2019 05:55:44 -0500 Subject: [PATCH 0167/1650] add user "user" to group "console" in Whonix and Kicksecure enable Console Lockdown in Whonix and Kicksecure --- debian/security-misc.preinst | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 4fa5c52..60b3733 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -138,7 +138,42 @@ console_users_check() { fi } +legacy() { + if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then + return 0 + fi + + if [ -f "/usr/share/whonix/marker" ]; then + continue_yes=true + if [ -f "/usr/share/kicksecure/marker" ]; then + continue_yes=true + fi + + if [ "$continue_yes" = "yes" ]; then + return 0 + fi + + if command -v "qubesdb-read" &>/dev/null; then + ## Qubes users can use dom0 to get a root terminal emulator. + ## For example: + ## qvm-run -u root debian-10 xterm + return 0 + fi + + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7 + + user_to_be_created=user + + addgroup "$user_to_be_created" console + + pam-auth-update --enable console-lockdown-security-misc + + mkdir --parents "/var/lib/legacy/do_once" + touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1" +} + user_groups_modifications +legacy if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then sudo_users_check From 427deec3f50664f2fbb244b6cf060bb5b9e821b6 Mon Sep 17 00:00:00 2001 
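Review bot: The distribution gate in `legacy()` cannot work as written: both marker branches set `continue_yes=true` but the test compares against `"yes"`, so the early `return 0` never fires and console lockdown is enabled (and user "user" added to group console) on every host, not only Whonix/Kicksecure as the commit message says; use `continue_yes=yes` or compare with `"true"`. The first marker `if` is also missing its `fi`, so the script will not parse at all. Independently, `legacy` is invoked before the `install`/`upgrade` test, so it also runs for `abort-upgrade`, and `pam-auth-update --enable console-lockdown-security-misc` runs in preinst, i.e. before this package's files are unpacked — if the pam-configs profile is shipped by this package it will not exist yet on a first install, which makes postinst the natural home for this step. If `set -e` is active in this preinst (not visible here), a failing `addgroup` aborts the install with the do_once marker unwritten.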
From: Patrick Schleizer Date: Tue, 31 Dec 2019 06:03:48 -0500 Subject: [PATCH 0168/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e6f1616..a27c0e3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit e89552c9846f85b4bbf73595080d71dcd873fe29 +Author: Patrick Schleizer +Date: Tue Dec 31 05:55:44 2019 -0500 + + add user "user" to group "console" in Whonix and Kicksecure + + enable Console Lockdown in Whonix and Kicksecure + +commit b5a2d1dc581b53974aaa148f6d8f3054c9d1c5fe +Author: Patrick Schleizer +Date: Tue Dec 31 02:54:58 2019 -0500 + + bumped changelog version + commit 20697db3ee5d227176c4d31e6c96454a64f47797 Author: Patrick Schleizer Date: Tue Dec 31 02:53:02 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 7dfecf8..ecb9247 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2019 11:03:48 +0000 + security-misc (3:13.9-1) unstable; urgency=medium * New upstream version (local package). From 2a3aae62b1cf97313b925fac94261e28af7ea3d1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2019 06:06:52 -0500 Subject: [PATCH 0169/1650] fix --- debian/security-misc.preinst | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 60b3733..0c00452 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -145,6 +145,7 @@ legacy() { if [ -f "/usr/share/whonix/marker" ]; then continue_yes=true + fi if [ -f "/usr/share/kicksecure/marker" ]; then continue_yes=true fi From b2bdeb90957da4ebe38e7f12fba0330b89e0983d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 31 Dec 2019 06:08:32 -0500 Subject: [PATCH 0170/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a27c0e3..b07f148 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 2a3aae62b1cf97313b925fac94261e28af7ea3d1 +Author: Patrick Schleizer +Date: Tue Dec 31 06:06:52 2019 -0500 + + fix + +commit 427deec3f50664f2fbb244b6cf060bb5b9e821b6 +Author: Patrick Schleizer +Date: Tue Dec 31 06:03:48 2019 -0500 + + bumped changelog version + commit e89552c9846f85b4bbf73595080d71dcd873fe29 Author: Patrick Schleizer Date: Tue Dec 31 05:55:44 2019 -0500 diff --git a/debian/changelog b/debian/changelog index ecb9247..0038515 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2019 11:08:32 +0000 + security-misc (3:14.0-1) unstable; urgency=medium * New upstream version (local package). From 5031e7cc4b8bfc4037ba6ea029e20637090ccacb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2019 08:18:38 -0500 Subject: [PATCH 0171/1650] better output if trying to login with non-existing user --- usr/lib/security-misc/pam-abort-on-locked-password | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index fcd5b23..71b432c 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password 
@@ -1,6 +1,11 @@ #!/bin/bash -if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then +if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then + echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 + exit 1 +fi + +if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then true "INFO: Password not locked." else echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2 From 13a1e1321e05965ad9449fafa4406c4d3b781dcf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Jan 2020 05:59:59 -0500 Subject: [PATCH 0172/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b07f148..a359e56 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 5031e7cc4b8bfc4037ba6ea029e20637090ccacb +Author: Patrick Schleizer +Date: Tue Dec 31 08:18:38 2019 -0500 + + better output if trying to login with non-existing user + +commit b2bdeb90957da4ebe38e7f12fba0330b89e0983d +Author: Patrick Schleizer +Date: Tue Dec 31 06:08:32 2019 -0500 + + bumped changelog version + commit 2a3aae62b1cf97313b925fac94261e28af7ea3d1 Author: Patrick Schleizer Date: Tue Dec 31 06:06:52 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 0038515..3a17dfa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Jan 2020 10:59:58 +0000 + security-misc (3:14.1-1) unstable; urgency=medium * New upstream version (local package). From a662a76a52970530a4a3c3d6a284ce9400dc74c6 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 11 Jan 2020 18:37:00 +0000 Subject: [PATCH 0173/1650] Blacklist vivid --- etc/modprobe.d/vivid.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 etc/modprobe.d/vivid.conf 
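Review bot: The new branch emits a distinct message for a non-existent user versus a locked password; if this script runs under pam_exec with its output forwarded to the login client, the difference in wording is a username oracle for whoever drives the prompt. Consider one neutral client-facing message for both cases, e.g. `echo "$0: ERROR: login for user \"$PAM_USER\" is not permitted." >&2`, and keep the precise reason in the journal only. Note also that `passwd -S` reports `NP` for accounts without a password, which the `= "P"` test lumps together with `L` as "locked" — fail-closed, which is fine, but the error text is then inaccurate; a comment at that test would avoid confusion. The else branch continues past the hunk, so its exit code is not visible here.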
diff --git a/etc/modprobe.d/vivid.conf b/etc/modprobe.d/vivid.conf new file mode 100644 index 0000000..f8d8059 --- /dev/null +++ b/etc/modprobe.d/vivid.conf @@ -0,0 +1,10 @@ +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Blacklists the vivid kernel module as it's only required for +## testing and has been the cause of multiple vulnerabilities. +## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +install vivid /bin/false From 6088444c371f021ca23daa3a0ab1ee431d429a61 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 11 Jan 2020 18:38:17 +0000 Subject: [PATCH 0174/1650] Update control --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index 9e56d6c..cc4d29f 100644 --- a/debian/control +++ b/debian/control @@ -113,6 +113,9 @@ Description: enhances misc security settings a target for ROP. . * Page allocator freelist randomization is enabled. + . + * The vivid kernel module is blacklisted as it's only required for testing and + has been the cause of multiple vulnerabilities. . Improve Entropy Collection . From 61a2d390a7d6195d556898db8afa57822a9bc76a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 11 Jan 2020 15:15:12 -0500 Subject: [PATCH 0175/1650] lintian --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index cc4d29f..9b872bc 100644 --- a/debian/control +++ b/debian/control 
@@ -114,8 +114,8 @@ Description: enhances misc security settings . * Page allocator freelist randomization is enabled. . - * The vivid kernel module is blacklisted as it's only required for testing and - has been the cause of multiple vulnerabilities. + * The vivid kernel module is blacklisted as it's only required for testing + and has been the cause of multiple vulnerabilities. . Improve Entropy Collection . From 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 11 Jan 2020 15:17:06 -0500 Subject: [PATCH 0176/1650] readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 4d655df..90b5c83 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,9 @@ a target for ROP. * Page allocator freelist randomization is enabled. +* The vivid kernel module is blacklisted as it's only required for testing +and has been the cause of multiple vulnerabilities. + Improve Entropy Collection * Load jitterentropy_rng kernel module. From 8341242abc342d9cbd82afe12f512daf73a9e59a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 11 Jan 2020 15:19:29 -0500 Subject: [PATCH 0177/1650] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a359e56..f18bef7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,49 @@ +commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2 +Author: Patrick Schleizer +Date: Sat Jan 11 15:17:06 2020 -0500 + + readme + +commit 61a2d390a7d6195d556898db8afa57822a9bc76a +Author: Patrick Schleizer +Date: Sat Jan 11 15:15:12 2020 -0500 + + lintian + +commit 3fae8e771ffbdd3023921b296e46cf982034d2ac +Merge: 13a1e13 e9f4dbd +Author: Patrick Schleizer +Date: Sat Jan 11 15:14:43 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit e9f4dbdda579db83f330054253100bc7c5d1e2be +Merge: 13a1e13 6088444 +Author: Patrick Schleizer +Date: Sat Jan 11 20:14:10 2020 +0000 + + Merge pull request #52 from madaidan/vivid + + Blacklist the vivid kernel module + +commit 6088444c371f021ca23daa3a0ab1ee431d429a61 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jan 11 18:38:17 2020 +0000 + + Update control + +commit a662a76a52970530a4a3c3d6a284ce9400dc74c6 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jan 11 18:37:00 2020 +0000 + + Blacklist vivid + +commit 13a1e1321e05965ad9449fafa4406c4d3b781dcf +Author: Patrick Schleizer +Date: Wed Jan 1 05:59:59 2020 -0500 + + bumped changelog version + commit 5031e7cc4b8bfc4037ba6ea029e20637090ccacb Author: Patrick Schleizer Date: Tue Dec 31 08:18:38 2019 -0500 diff --git a/debian/changelog b/debian/changelog index 3a17dfa..3e3c03b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Jan 2020 20:19:28 +0000 + security-misc (3:14.2-1) unstable; urgency=medium * New upstream version (local package). From 8c4e0ff1c4d6191dbb40b28cfc23a8185cc0cbdb Mon Sep 17 00:00:00 2001 
From: madaidan Date: Sun, 12 Jan 2020 21:37:37 +0000 Subject: [PATCH 0178/1650] Set sysctl values in initramfs --- etc/initramfs-tools/hooks/sysctl-initramfs | 21 +++++++++++++++++++ .../scripts/init-bottom/sysctl-initramfs | 18 ++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100755 etc/initramfs-tools/hooks/sysctl-initramfs create mode 100755 etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs new file mode 100755 index 0000000..d091ca8 --- /dev/null +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -0,0 +1,21 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +copy_exec /sbin/sysctl /sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs new file mode 100755 index 0000000..534d8a7 --- /dev/null +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -0,0 +1,18 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf From 9dc43eae38b55951cae2a9bf93114bcf742f8c8b Mon Sep 17 00:00:00 2001 From: madaidan <> Date: Sun, 12 Jan 2020 21:42:07 +0000 Subject: [PATCH 0179/1650] Description --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index 9b872bc..a674a35 100644 --- a/debian/control +++ b/debian/control 
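Review bot: `sysctl -p ${rootmnt}/etc/sysctl.d/*.conf` reads only one of the directories sysctl(8) and systemd-sysctl consult, so drop-ins in `/usr/lib/sysctl.d`, `/run/sysctl.d` and `/etc/sysctl.conf` are skipped and a file in /etc that is meant to mask a same-named /usr/lib file is applied without that precedence — acceptable as an early best-effort pass, but the control description should say it is a partial application that systemd-sysctl redoes later. Keys belonging to modules not yet loaded will fail at this stage; since the init-bottom script has no `set -e` this does not abort boot, but `sysctl -e -q -p "${rootmnt}"/etc/sysctl.d/*.conf` would tolerate unknown keys, keep the console quiet and guard `${rootmnt}` against word splitting. `case $1 in` is unquoted in both scripts; harmless for initramfs-tools' invocation, but `case "$1" in` is the conventional form.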
@@ -116,6 +116,9 @@ Description: enhances misc security settings . * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. + . + * An initramfs hook sets the sysctl values in /etc/sysctl.d before init + is executed so our hardening is enabled as early as possible. . Improve Entropy Collection . From 0953bbe1d7f3e789aef2218a65c14c586dab4bcb Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 13 Jan 2020 21:05:35 +0000 Subject: [PATCH 0180/1650] Update control --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index 9b872bc..cdb78eb 100644 --- a/debian/control +++ b/debian/control @@ -116,6 +116,9 @@ Description: enhances misc security settings . * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. + . + * The kernel panics on oopses to prevent it from continuing to run a flawed + process and to deter brute forcing. . Improve Entropy Collection . From 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:18:30 -0500 Subject: [PATCH 0181/1650] readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 90b5c83..2344ce7 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,9 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. +* The kernel panics on oopses to prevent it from continuing to run a flawed +process and to deter brute forcing. + Improve Entropy Collection * Load jitterentropy_rng kernel module. From cc21f912a372faef8322801e9a48882f29159c2d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:20:36 -0500 Subject: [PATCH 0182/1650] bumped changelog version --- changelog.upstream | 34 ++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f18bef7..ab20f8a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,37 @@ +commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c +Author: Patrick Schleizer +Date: Tue Jan 14 09:18:30 2020 -0500 + + readme + +commit c377c5ff83437a5447ecc9c873150421f4f1e691 +Merge: 8341242 539f24b +Author: Patrick Schleizer +Date: Tue Jan 14 09:01:38 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22 +Merge: 8341242 0953bbe +Author: Patrick Schleizer +Date: Tue Jan 14 14:01:17 2020 +0000 + + Merge pull request #54 from madaidan/panic_on_oops + + Document panic_on_oops + +commit 0953bbe1d7f3e789aef2218a65c14c586dab4bcb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Jan 13 21:05:35 2020 +0000 + + Update control + +commit 8341242abc342d9cbd82afe12f512daf73a9e59a +Author: Patrick Schleizer +Date: Sat Jan 11 15:19:29 2020 -0500 + + bumped changelog version + commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2 Author: Patrick Schleizer Date: Sat Jan 11 15:17:06 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 3e3c03b..85db93d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 + security-misc (3:14.3-1) unstable; urgency=medium * New upstream version (local package). From b8652681e741236af2e20876d7103b2dfb0ae9bf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:21:47 -0500 Subject: [PATCH 0183/1650] fix legacy --- debian/security-misc.preinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 0c00452..a63ca48 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -150,7 +150,7 @@ legacy() {
 continue_yes=true
 fi
- if [ "$continue_yes" = "yes" ]; then
+ if [ ! "$continue_yes" = "yes" ]; then
 return 0
 fi
From 18c726c3eebc93f69062f1e4c1d3c7ab394985c3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:23:02 -0500 Subject: [PATCH 0184/1650] comment --- debian/security-misc.preinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index a63ca48..3937ba4 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -102,7 +102,7 @@ console_users_check() {
 fi
 console_users="$(getent group console | cut -d: -f4)"
- ## example ssh_users:
+ ## example console_users:
 ## user
 console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
From 660837dc380440f6b00d3baf9395222376163b3b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:25:32 -0500 Subject: [PATCH 0185/1650] fix case when user "user" does not exists --- debian/security-misc.preinst | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 3937ba4..0f77ca4 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -165,6 +165,11 @@ legacy() {
 user_to_be_created=user
+ if ! id "$user_to_be_created" &>/dev/null ; then
+ true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update."
+ return 0
+ fi
+
 addgroup "$user_to_be_created" console
 pam-auth-update --enable console-lockdown-security-misc
From 1059ccf2254d0aac40d2c14680fea2a4012a2d66 Mon Sep 17 00:00:00 2001
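Review bot: Negating the test does not repair the gate, it inverts the failure: `continue_yes` is only ever assigned `true` or left unset, never `yes`, so `[ ! "$continue_yes" = "yes" ]` is always true and `legacy` now returns before doing anything on every host, Whonix and Kicksecure included — console lockdown is never enabled. The comparison must match the value actually assigned a few lines up: `if [ ! "$continue_yes" = "true" ]; then`. A smoke test on a host with `/usr/share/kicksecure/marker` present, checking that `getent group console` gains the user afterwards, would have caught both this and the previous version.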
From: Patrick Schleizer Date: Tue, 14 Jan 2020 09:28:28 -0500 Subject: [PATCH 0186/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ab20f8a..31cfb29 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 660837dc380440f6b00d3baf9395222376163b3b +Author: Patrick Schleizer +Date: Tue Jan 14 09:25:32 2020 -0500 + + fix case when user "user" does not exists + +commit 18c726c3eebc93f69062f1e4c1d3c7ab394985c3 +Author: Patrick Schleizer +Date: Tue Jan 14 09:23:02 2020 -0500 + + comment + +commit b8652681e741236af2e20876d7103b2dfb0ae9bf +Author: Patrick Schleizer +Date: Tue Jan 14 09:21:47 2020 -0500 + + fix legacy + +commit cc21f912a372faef8322801e9a48882f29159c2d +Author: Patrick Schleizer +Date: Tue Jan 14 09:20:36 2020 -0500 + + bumped changelog version + commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c Author: Patrick Schleizer Date: Tue Jan 14 09:18:30 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 85db93d..36cc82f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 + security-misc (3:14.4-1) unstable; urgency=medium * New upstream version (local package). From 082f04f2d4101828455a4a9b2852376a72ced6ce Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 15:04:58 -0500 Subject: [PATCH 0187/1650] add logging to pkexec wrapper --- usr/bin/pkexec.security-misc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index b6e3f91..0a1ac9a 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc 
@@ -10,6 +10,9 @@ set -e
+my_pstree="$(pstree -p $$)" || true
+echo "my_pstree: '$my_pstree' | $0 $@" | systemd-cat --identifier="$0" || true
+
 ## If hidepid is not in use, just use pkexec normally.
 if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
 pkexec.security-misc-orig "$@"
@@ -82,8 +85,13 @@ fi
 PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
 export PATH
+exit_code=0
 if [ "$use_sudo" = "true" ]; then
- lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@"
+ lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" || { exit_code=$? ; true; };
 else
- lxqt-sudo "$@"
+ lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
+
+echo "exit_code: '$exit_code'" | systemd-cat --identifier="$0" || true
+
+exit "$exit_code"
From d90ca4b1ad18289d6bcfcef51cfb032a0b4423eb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2020 15:12:13 -0500 Subject: [PATCH 0188/1650] refactoring --- usr/bin/pkexec.security-misc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
index 0a1ac9a..6a718ab 100755
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
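Review bot: `echo "my_pstree: '$my_pstree' | $0 $@" | systemd-cat` writes the full pkexec command line into the journal, and arguments handed to pkexec-launched helpers may carry sensitive values (passwords, tokens, inline file contents); the journal is readable by everyone in `systemd-journal`/`adm`, a wider audience than the invoking user. Log only the command name by default and put the full line behind a debug switch, e.g. `[ "$PKEXEC_WRAPPER_DEBUG" = "true" ] && echo "args: $*" | systemd-cat --identifier="$0"`; inside a double-quoted string `$*` is also the conventional spelling rather than `$@`. The `|| { exit_code=$? ; true; }` capture is the right pattern under `set -e`; the trailing `;` after each brace group is redundant but harmless.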
@@ -79,16 +79,17 @@ if [[ "$@" = "" ]]; then
 exit $?
 fi
-## set PATH same as root
-## This is required for gdebi.
-## REVIEW: is it ok that users can find out the PATH setting of root?
-PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
-export PATH
-
 exit_code=0
 if [ "$use_sudo" = "true" ]; then
+ ## 'sudo --user user' environment variables such as PATH.
 lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" || { exit_code=$? ; true; };
 else
+ ## set PATH same as root
+ ## This is required for gdebi.
+ ## REVIEW: is it ok that users can find out the PATH setting of root?
+ ## lxqt-sudo does not clear environment variables such as PATH.
+ PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
+ export PATH
 lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
From 80159545a580830565ec01a507915add9c44838a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 02:42:10 -0500 Subject: [PATCH 0189/1650] fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 do show lxqt-sudo password prompt if there is a sudoers exceptoin improved pkexec wrapper logging --- etc/sudoers.d/pkexec-security-misc | 11 +++++++ etc/sudoers.d/security-misc | 2 -- etc/sudoers.d/xfce-security-misc | 19 +++++++++++ usr/bin/pkexec.security-misc | 51 ++++++++++++++++++++++++------ 4 files changed, 72 insertions(+), 11 deletions(-) create mode 100644 etc/sudoers.d/pkexec-security-misc create mode 100644 etc/sudoers.d/xfce-security-misc
diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc
new file mode 100644
index 0000000..1572b03
--- /dev/null
+++ b/etc/sudoers.d/pkexec-security-misc
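Review bot: The moved `REVIEW: is it ok that users can find out the PATH setting of root?` can be answered rather than carried along: on Debian root's default PATH typically comes from `ENV_SUPATH` in world-readable `/etc/login.defs`, so `echo-path` discloses little an unprivileged user cannot already read, and the comment should say so (or name the specific local customisation that makes it sensitive). The more practical problem is failure handling: under `set -e`, a failing `sudo --non-interactive` (user not in sudoers, or a password required) terminates the wrapper silently at this line, so the user sees the action do nothing. Something like `PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" || { echo "$0: ERROR: could not obtain root PATH via sudo" >&2; exit 1; }` makes the cause visible in the journal the wrapper now writes to.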
@@ -0,0 +1,11 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## REVIEW: is it ok that users can find out the PATH setting of root? +%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path + +## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be +## set. Would otherwise error out with the following error message: +## "This program must only be run through pkexec" +## REVIEW: Can bad things be done by spoofing PKEXEC_UID? +Defaults:ALL env_keep += "PKEXEC_UID" diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index a3a7114..3f98634 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,5 +3,3 @@ user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops - -%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc new file mode 100644 index 0000000..8e75102 --- /dev/null +++ b/etc/sudoers.d/xfce-security-misc 
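Review bot: `Defaults:ALL env_keep += "PKEXEC_UID"` preserves the caller-controlled PKEXEC_UID for every command any user runs through sudo, not only for the backlight helper this file exists for, so the spoofing concern raised in the REVIEW comment directly above it now applies to every sudoers rule on the system. Since only xfpm-power-backlight-helper needs the variable, a command-specific default keeps the exposure to that one binary: `Defaults!/usr/sbin/xfpm-power-backlight-helper env_keep += "PKEXEC_UID"`. That also makes the answer to the REVIEW question easier to reason about, because only that helper ever sees an attacker-chosen value.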
@@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 +## /usr/share/polkit-1/actions/org.xfce.power.policy + +## Feel free to out comment this if you are not using xfce4-power-manager or XFCE. + +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] +%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +## XXX: Should we allow this? +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 6a718ab..8a844fc 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -10,8 +10,18 @@ set -e +my_real_path="$(realpath "$0")" || true +identifier="$my_real_path wrapper" +exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 + +log_to_journal() { + echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true +} + +log_to_journal "$0 $@" +log_to_journal "DISPLAY: '$DISPLAY'" my_pstree="$(pstree -p $$)" || true -echo "my_pstree: '$my_pstree' | $0 $@" | systemd-cat --identifier="$0" || true +log_to_journal "my_pstree: '$my_pstree'" ## If hidepid is not in use, just use pkexec normally. if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then 
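Review bot: `exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1` redirects stdout and stderr of everything that follows into the journal, including the early `pkexec.security-misc-orig "$@"` path right below it, so a caller that reads the wrapped helper's output through a pipe now receives nothing back. It also persists whatever the wrapped program prints into the journal, which is a behaviour change for helpers that emit data rather than diagnostics. The wrapper's own messages already go through the `log_to_journal` function added in the same hunk, so the global `exec` redirect is only needed for debugging and should be opt-in, e.g. guarded by an environment variable the user sets deliberately, leaving the program's stdout untouched by default. `log_to_journal "$0 $@"` additionally records every argument; see the earlier note on argument logging.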
@@ -19,8 +29,7 @@ if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then exit $? fi -## Prefer lxqt-sudo. -use_sudo=false +switch_user=false original_args="$@" @@ -58,7 +67,8 @@ do else shift 2 fi - use_sudo=true + switch_user=true + maybe_switch_to_user="--user $user_pkexec_wrapper" ;; --) shift @@ -73,6 +83,17 @@ done ## If there are input files (for example) that follow the options, they ## will remain in the "$@" positional parameters. +if [ "$PKEXEC_UID" = "" ]; then + if [ ! "$user_pkexec_wrapper" = "" ]; then + PKEXEC_UID="$user_pkexec_wrapper" + elif [ ! "$SUDO_USER" = "" ]; then + PKEXEC_UID="$SUDO_USER" + else + PKEXEC_UID="$(whoami)" + fi +fi +export PKEXEC_UID + if [[ "$@" = "" ]]; then ## Call original pkexec in case there are no arguments. pkexec.security-misc-orig $original_args 
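Review bot: PKEXEC_UID is assigned a user name here (`$user_pkexec_wrapper`, `$SUDO_USER`, or the output of `whoami`), whereas pkexec(1) documents PKEXEC_UID as the numeric user id of the invoking user, so a helper that parses it as an integer may reject or misinterpret the value. Resolving the name in each branch fixes that: `PKEXEC_UID="$(id -u "$user_pkexec_wrapper")"`, `PKEXEC_UID="$(id -u "$SUDO_USER")"` and `PKEXEC_UID="$(id -u)"` for the fallback. When PKEXEC_UID is already present in the environment it is exported unchanged, which together with the sudoers env_keep in this commit lets the caller choose any value; a comment stating that the helper must not treat PKEXEC_UID as an authorization decision would make that expectation explicit. `maybe_switch_to_user="--user $user_pkexec_wrapper"` is later expanded unquoted on purpose, which is worth a short comment so nobody "fixes" it by quoting.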
@@ -80,19 +101,31 @@ if [[ "$@" = "" ]]; then fi exit_code=0 -if [ "$use_sudo" = "true" ]; then - ## 'sudo --user user' environment variables such as PATH. - lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" || { exit_code=$? ; true; }; + +## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. +## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. +if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then + log_to_journal "sudoers exception: yes" + sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; + log_to_journal "sudo --user | exit_code: '$exit_code'" + exit "$exit_code" +fi + +log_to_journal "sudoers exception: no" + +if [ "$switch_user" = "true" ]; then + ## 'sudo --user user' clears environment variables such as PATH. + lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; else ## set PATH same as root ## This is required for gdebi. ## REVIEW: is it ok that users can find out the PATH setting of root? - ## lxqt-sudo does not clear environment variables such as PATH. + ## lxqt-sudo does not clear environment variable PATH. PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" export PATH lxqt-sudo "$@" || { exit_code=$? ; true; }; fi -echo "exit_code: '$exit_code'" | systemd-cat --identifier="$0" || true +log_to_journal "exit_code: '$exit_code'" exit "$exit_code" From 73e830d0ac1ece338b0e80ca1a020d84a15d1774 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 10:08:57 -0500 Subject: [PATCH 0190/1650] readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 2344ce7..1bcb84c 100644 --- a/README.md +++ b/README.md 
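Review bot: After `sudo -l --non-interactive ... "$@"` succeeds the command is run with `sudo --non-interactive`, so if the matching sudoers rule is not NOPASSWD that run fails with exit code 1 and the wrapper exits on the next line instead of falling back to the lxqt-sudo prompt below — the opposite of what the commit message describes. Either fall through to the lxqt-sudo branch when the non-interactive run fails for a password reason, or drop `--non-interactive` from the second call so sudo can prompt. `sudo -l` with a command only reports whether a rule matches; it does not guarantee the subsequent run is permitted without a password. The unquoted `$maybe_switch_to_user` relies on word splitting (empty or `--user NAME`), which works but deserves a comment.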
@@ -99,6 +99,9 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. +* An initramfs hook sets the sysctl values in /etc/sysctl.d before init +is executed so our hardening is enabled as early as possible. + * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. From 47ce3bec75f9aeb808993a70579ba93d2527a371 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 11:05:54 -0500 Subject: [PATCH 0191/1650] bumped changelog version --- changelog.upstream | 71 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 77 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 31cfb29..1ec851a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,62 @@ +commit 73e830d0ac1ece338b0e80ca1a020d84a15d1774 +Author: Patrick Schleizer +Date: Wed Jan 15 10:08:57 2020 -0500 + + readme + +commit 8ab4623f8e81ad1b67858b458f2ae4085e7c8e65 +Merge: 8015954 087465a +Author: Patrick Schleizer +Date: Wed Jan 15 06:06:39 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 087465a0cdecc4765f7b659256cdd5e8cdef73ab +Merge: 8015954 528c5fc +Author: Patrick Schleizer +Date: Wed Jan 15 11:02:30 2020 +0000 + + Merge pull request #53 from madaidan/sysctl-initramfs + + Set sysctl values in initramfs + +commit 528c5fc4c41026396a63ac91af7c156dd0d4f191 +Merge: 9dc43ea 8015954 +Author: Patrick Schleizer +Date: Wed Jan 15 11:02:03 2020 +0000 + + Merge branch 'master' into sysctl-initramfs + +commit 80159545a580830565ec01a507915add9c44838a +Author: Patrick Schleizer +Date: Wed Jan 15 02:42:10 2020 -0500 + + fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup + + https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 + + do show lxqt-sudo password prompt if there is a sudoers exceptoin + + improved pkexec wrapper logging + +commit d90ca4b1ad18289d6bcfcef51cfb032a0b4423eb +Author: Patrick Schleizer +Date: Tue Jan 14 15:12:13 2020 -0500 + + refactoring + +commit 082f04f2d4101828455a4a9b2852376a72ced6ce +Author: Patrick Schleizer +Date: Tue Jan 14 15:04:58 2020 -0500 + + add logging to pkexec wrapper + +commit 1059ccf2254d0aac40d2c14680fea2a4012a2d66 +Author: Patrick Schleizer +Date: Tue Jan 14 09:28:28 2020 -0500 + + bumped changelog version + commit 660837dc380440f6b00d3baf9395222376163b3b Author: Patrick Schleizer Date: Tue Jan 14 09:25:32 2020 -0500 
@@ -50,6 +109,18 @@ Date: Mon Jan 13 21:05:35 2020 +0000 Update control +commit 9dc43eae38b55951cae2a9bf93114bcf742f8c8b +Author: madaidan <> +Date: Sun Jan 12 21:42:07 2020 +0000 + + Description + +commit 8c4e0ff1c4d6191dbb40b28cfc23a8185cc0cbdb +Author: madaidan +Date: Sun Jan 12 21:37:37 2020 +0000 + + Set sysctl values in initramfs + commit 8341242abc342d9cbd82afe12f512daf73a9e59a Author: Patrick Schleizer Date: Sat Jan 11 15:19:29 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 36cc82f..381306d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2020 16:05:54 +0000 + security-misc (3:14.5-1) unstable; urgency=medium * New upstream version (local package). From 0618b5346493723865cc6f2a632822c8b6fa690a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 11:35:07 -0500 Subject: [PATCH 0192/1650] fix lintian warning --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 516f2fa..e4dd75d 100644 --- a/debian/control +++ b/debian/control @@ -118,7 +118,7 @@ Description: enhances misc security settings and has been the cause of multiple vulnerabilities. . * An initramfs hook sets the sysctl values in /etc/sysctl.d before init - is executed so our hardening is enabled as early as possible. + is executed so sysctl hardening is enabled as early as possible. . * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. From 0f17596aacb86afb7abcdd4781a9995dde23d3bb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 11:35:41 -0500 Subject: [PATCH 0193/1650] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1bcb84c..ec5aeff 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,7 @@ a target for ROP. and has been the cause of multiple vulnerabilities. * An initramfs hook sets the sysctl values in /etc/sysctl.d before init -is executed so our hardening is enabled as early as possible. +is executed so sysctl hardening is enabled as early as possible. * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. From e110ea0b84329dfbe0175298b21e7732f7105436 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 11:37:52 -0500 Subject: [PATCH 0194/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1ec851a..0683dbf 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 0f17596aacb86afb7abcdd4781a9995dde23d3bb +Author: Patrick Schleizer +Date: Wed Jan 15 11:35:41 2020 -0500 + + readme + +commit 0618b5346493723865cc6f2a632822c8b6fa690a +Author: Patrick Schleizer +Date: Wed Jan 15 11:35:07 2020 -0500 + + fix lintian warning + +commit 47ce3bec75f9aeb808993a70579ba93d2527a371 +Author: Patrick Schleizer +Date: Wed Jan 15 11:05:54 2020 -0500 + + bumped changelog version + commit 73e830d0ac1ece338b0e80ca1a020d84a15d1774 Author: Patrick Schleizer Date: Wed Jan 15 10:08:57 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 381306d..c2e2169 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2020 16:37:52 +0000 + security-misc (3:14.6-1) unstable; urgency=medium * New upstream version (local package). From f7fde60b67a7ef44658cde3b835565407aafd133 Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 15 Jan 2020 20:28:32 +0000 Subject: [PATCH 0195/1650] Process sysctl.conf too --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 534d8a7..b3c6cb6 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -15,4 +15,5 @@ prereqs) ;; esac +sysctl -p ${rootmnt}/etc/sysctl.conf sysctl -p ${rootmnt}/etc/sysctl.d/*.conf From 1df48a226d83b98dadc8bfb8dbc479dd656e2313 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 15 Jan 2020 20:30:17 +0000 Subject: [PATCH 0196/1650] Update control --- debian/control | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index e4dd75d..63f94aa 100644 --- a/debian/control +++ b/debian/control @@ -117,8 +117,9 @@ Description: enhances misc security settings * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. . - * An initramfs hook sets the sysctl values in /etc/sysctl.d before init - is executed so sysctl hardening is enabled as early as possible. + * An initramfs hook sets the sysctl values in /etc/sysctl.conf and + /etc/sysctl.d before init is executed so sysctl hardening is enabled + as early as possible. . * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. From 6f8d89c6c5609ed83d9dcd174375cb1ccfca91d8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2020 15:54:06 -0500 Subject: [PATCH 0197/1650] error handling --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 ++ 1 file changed, 2 insertions(+) 
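Review bot: `sysctl -p ${rootmnt}/etc/sysctl.conf` fails when the root filesystem has no /etc/sysctl.conf (it is typically present on Debian but may have been removed), and `${rootmnt}` is unquoted on both lines. An existence test keeps the hook quiet on such systems: `[ -f "${rootmnt}/etc/sysctl.conf" ] && sysctl -p "${rootmnt}/etc/sysctl.conf"`. On the following line the glob must stay unquoted to expand, but the prefix can be quoted: `sysctl -p "${rootmnt}"/etc/sysctl.d/*.conf`.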
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index b3c6cb6..33d98d7 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -17,3 +17,5 @@ esac sysctl -p ${rootmnt}/etc/sysctl.conf sysctl -p ${rootmnt}/etc/sysctl.d/*.conf + +true From 130434186811930d40407115af99116d4982da49 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 17 Jan 2020 03:10:56 -0500 Subject: [PATCH 0198/1650] readme --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ec5aeff..79a46cf 100644 --- a/README.md +++ b/README.md @@ -99,8 +99,9 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. -* An initramfs hook sets the sysctl values in /etc/sysctl.d before init -is executed so sysctl hardening is enabled as early as possible. +* An initramfs hook sets the sysctl values in /etc/sysctl.conf and +/etc/sysctl.d before init is executed so sysctl hardening is enabled +as early as possible. * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. From 960e1ff6e82f8593c2d242a6a0f1e1cf5805c85b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 17 Jan 2020 03:32:57 -0500 Subject: [PATCH 0199/1650] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0683dbf..d497d12 100644 --- a/changelog.upstream +++ b/changelog.upstream 
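Review bot: The trailing `true` forces the script's exit status to 0 even when the preceding `sysctl -p` calls failed (for example an unknown key on an older kernel), and nothing in the file says why, so the next reader will be tempted to delete it. A one-line comment makes the intent explicit: `## Always exit 0: a failed sysctl must not abort the initramfs boot sequence.` If the failures being masked are unknown keys, `sysctl -e -p ...` on the two preceding lines ignores those specifically while still surfacing other errors, which is more targeted than suppressing every failure.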
@@ -1,3 +1,49 @@ +commit 130434186811930d40407115af99116d4982da49 +Author: Patrick Schleizer +Date: Fri Jan 17 03:10:56 2020 -0500 + + readme + +commit 6f8d89c6c5609ed83d9dcd174375cb1ccfca91d8 +Author: Patrick Schleizer +Date: Wed Jan 15 15:54:06 2020 -0500 + + error handling + +commit 7211f6e0199d2ccb50437c7a5b0842050590b5dc +Merge: e110ea0 f6cc76a +Author: Patrick Schleizer +Date: Wed Jan 15 15:53:36 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit f6cc76acd729428f83d3497a2e83bfc4b14f1ff8 +Merge: e110ea0 1df48a2 +Author: Patrick Schleizer +Date: Wed Jan 15 20:52:33 2020 +0000 + + Merge pull request #55 from madaidan/sysctl.conf + + Process sysctl.conf in initramfs + +commit 1df48a226d83b98dadc8bfb8dbc479dd656e2313 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Jan 15 20:30:17 2020 +0000 + + Update control + +commit f7fde60b67a7ef44658cde3b835565407aafd133 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Jan 15 20:28:32 2020 +0000 + + Process sysctl.conf too + +commit e110ea0b84329dfbe0175298b21e7732f7105436 +Author: Patrick Schleizer +Date: Wed Jan 15 11:37:52 2020 -0500 + + bumped changelog version + commit 0f17596aacb86afb7abcdd4781a9995dde23d3bb Author: Patrick Schleizer Date: Wed Jan 15 11:35:41 2020 -0500 diff --git a/debian/changelog b/debian/changelog index c2e2169..dd494c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2020 08:32:57 +0000 + security-misc (3:14.7-1) unstable; urgency=medium * New upstream version (local package). From fbe9b60d95d43452bf661461197efced431806a5 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2020 08:49:02 -0500 Subject: [PATCH 0200/1650] fix Whonix / Kicksecure /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run: sudo adduser user console --- debian/security-misc.preinst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 0f77ca4..428bf82 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -56,6 +56,8 @@ sudo_users_check () { return 0 fi + local sudo_users user_with_sudo are_there_any_sudo_users OLD_IFS + sudo_users="$(getent group sudo | cut -d: -f4)" ## example sudo_users: ## user,root @@ -101,6 +103,8 @@ console_users_check() { return 0 fi + local console_users console_unrestricted_users user_with_console are_there_any_console_users OLD_IFS + console_users="$(getent group console | cut -d: -f4)" ## example console_users: ## user @@ -143,6 +147,8 @@ legacy() { return 0 fi + local continue_yes user_to_be_created + if [ -f "/usr/share/whonix/marker" ]; then continue_yes=true fi @@ -150,7 +156,7 @@ legacy() { continue_yes=true fi - if [ ! "$continue_yes" = "yes" ]; then + if [ ! "$continue_yes" = "true" ]; then return 0 fi From 627b95e0b363e2e46a5de8a7aa5065bc66242293 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 20 Jan 2020 08:51:25 -0500 Subject: [PATCH 0201/1650] bumped changelog version --- changelog.upstream | 17 +++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 23 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d497d12..5042c72 100644 --- a/changelog.upstream +++ b/changelog.upstream 
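Review bot: `local continue_yes user_to_be_created` declares the variables without initialising them, so the later test `[ ! "$continue_yes" = "true" ]` reads an unset variable when neither marker file exists; that works under default shell semantics but breaks if `set -u` is ever enabled in this preinst, and the same applies to the `local sudo_users ...` and `local console_users ...` lines in the two hunks above. Initialising at declaration removes the dependency: `local continue_yes="" user_to_be_created=""`. The `"yes"` → `"true"` change in the last hunk is the real fix and matches the `continue_yes=true` assignments shown in context. The enclosing functions sudo_users_check, console_users_check and legacy start and end outside the hunks.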
@@ -1,3 +1,20 @@ +commit fbe9b60d95d43452bf661461197efced431806a5 +Author: Patrick Schleizer +Date: Mon Jan 20 08:49:02 2020 -0500 + + fix Whonix / Kicksecure + + /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. + /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run: + + sudo adduser user console + +commit 960e1ff6e82f8593c2d242a6a0f1e1cf5805c85b +Author: Patrick Schleizer +Date: Fri Jan 17 03:32:57 2020 -0500 + + bumped changelog version + commit 130434186811930d40407115af99116d4982da49 Author: Patrick Schleizer Date: Fri Jan 17 03:10:56 2020 -0500 diff --git a/debian/changelog b/debian/changelog index dd494c0..868cfb5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:14.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2020 13:51:25 +0000 + security-misc (3:14.8-1) unstable; urgency=medium * New upstream version (local package). From 18041efa2f704d2a177b033ff8008aacdb7dde3f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 21 Jan 2020 10:01:17 -0500 Subject: [PATCH 0202/1650] fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live --- usr/lib/security-misc/pam_tally2-info | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info index 4bcbdf6..b3e7f12 100755 --- a/usr/lib/security-misc/pam_tally2-info +++ b/usr/lib/security-misc/pam_tally2-info @@ -73,7 +73,8 @@ fi # fi # fi -pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" +## Using || true to not break read-only disk boot without ro-mode-init or grub-live. +pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true if [ "$pam_tally2_output" = "" ]; then true "$0: no failed login" From df0b2afda1e1d5a3fddfd8c48b62a5de8295d687 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 21 Jan 2020 10:12:32 -0500 Subject: [PATCH 0203/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5042c72..c969b7f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 18041efa2f704d2a177b033ff8008aacdb7dde3f +Author: Patrick Schleizer +Date: Tue Jan 21 10:01:17 2020 -0500 + + fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live + +commit 627b95e0b363e2e46a5de8a7aa5065bc66242293 +Author: Patrick Schleizer +Date: Mon Jan 20 08:51:25 2020 -0500 + + bumped changelog version + commit fbe9b60d95d43452bf661461197efced431806a5 Author: Patrick Schleizer Date: Mon Jan 20 08:49:02 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 868cfb5..69539df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 21 Jan 2020 15:12:32 +0000 + security-misc (3:14.9-1) unstable; urgency=medium * New upstream version (local package). From 531f17cb68b331beb19a6e6c8b76575ebe38f95e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2020 07:08:08 -0500 Subject: [PATCH 0204/1650] add update initramfs trigger https://github.com/Whonix/security-misc/pull/53 --- debian/security-misc.triggers | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 debian/security-misc.triggers diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers new file mode 100644 index 0000000..4aa5743 --- /dev/null +++ b/debian/security-misc.triggers 
@@ -0,0 +1,12 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +#### meta start +#### project Whonix +#### category security +#### description + +## Activate initramfs hook that sets the sysctl values before init is executed. +activate-noawait update-initramfs + +#### meta end From 3b283ec00f03b580d2f8b76f95449240a163dd48 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2020 07:10:47 -0500 Subject: [PATCH 0205/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c969b7f..6f653e5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit 531f17cb68b331beb19a6e6c8b76575ebe38f95e +Author: Patrick Schleizer +Date: Wed Jan 22 07:08:08 2020 -0500 + + add update initramfs trigger + + https://github.com/Whonix/security-misc/pull/53 + +commit df0b2afda1e1d5a3fddfd8c48b62a5de8295d687 +Author: Patrick Schleizer +Date: Tue Jan 21 10:12:32 2020 -0500 + + bumped changelog version + commit 18041efa2f704d2a177b033ff8008aacdb7dde3f Author: Patrick Schleizer Date: Tue Jan 21 10:01:17 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 69539df..bc828f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2020 12:10:47 +0000 + security-misc (3:15.0-1) unstable; urgency=medium * New upstream version (local package). From d4a37b6df2a2de4822e3e4bac93ca3e10712af7c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 03:18:17 -0500 Subject: [PATCH 0206/1650] remove-system.map: source /usr/lib/helper-scripts/pre.bsh --- usr/lib/security-misc/remove-system.map | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 0cb8823..c99b286 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -3,6 +3,13 @@ ## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +if [ -f /usr/lib/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/remove-system.map_pre.d/*.conf + ## /usr/local/etc/remove-system.map_pre.d/*.conf + source /usr/lib/helper-scripts/pre.bsh +fi + shopt -s nullglob system_map_location="/boot/System.map* /usr/src/*/System.map* /lib/modules/*/*/System.map* /System.map*" From 8616728ce0a6e5eaa799949abb5bfccd0a7effa7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 03:35:15 -0500 Subject: [PATCH 0207/1650] remove duplicate --- debian/control | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/control b/debian/control index 63f94aa..9c45f86 100644 --- a/debian/control +++ b/debian/control @@ -87,9 +87,6 @@ Description: enhances misc security settings used for DMA (Direct Memory Access) attacks. . * IOMMU is enabled with a boot parameter to prevent DMA attacks. - . - * The kernel now panics on oopses to prevent it from continuing running a - flawed process. . * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. From ca057713e2e1f3c4a47216aadb51ba0ca012e39e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 03:39:04 -0500 Subject: [PATCH 0208/1650] readme --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 79a46cf..2ee14bc 100644 --- a/README.md +++ b/README.md 
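Review bot: The new block sources /usr/lib/helper-scripts/pre.bsh, which, per the comment added with it, in turn sources every `*.conf` under /etc/remove-system.map_pre.d/ and /usr/local/etc/remove-system.map_pre.d/; since this script deletes files under /boot and /lib/modules it presumably runs as root, so those drop-in directories become root-executed configuration and must stay root-owned and not writable by other users. A comment next to the `source` line would keep that requirement from being overlooked: `## Sourced as root: drop-in directories must not be writable by unprivileged users.` `source` is a bashism, which is fine only if the shebang (outside the hunk) is bash.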
@@ -70,9 +70,6 @@ used for DMA (Direct Memory Access) attacks. * IOMMU is enabled with a boot parameter to prevent DMA attacks. -* The kernel now panics on oopses to prevent it from continuing running a -flawed process. - * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns From f653b94e7747436323e2083d416ab86560e3cd71 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 03:49:02 -0500 Subject: [PATCH 0209/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6f653e5..eeac35f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit ca057713e2e1f3c4a47216aadb51ba0ca012e39e +Author: Patrick Schleizer +Date: Fri Jan 24 03:39:04 2020 -0500 + + readme + +commit 8616728ce0a6e5eaa799949abb5bfccd0a7effa7 +Author: Patrick Schleizer +Date: Fri Jan 24 03:35:15 2020 -0500 + + remove duplicate + +commit d4a37b6df2a2de4822e3e4bac93ca3e10712af7c +Author: Patrick Schleizer +Date: Fri Jan 24 03:18:17 2020 -0500 + + remove-system.map: source /usr/lib/helper-scripts/pre.bsh + +commit 3b283ec00f03b580d2f8b76f95449240a163dd48 +Author: Patrick Schleizer +Date: Wed Jan 22 07:10:47 2020 -0500 + + bumped changelog version + commit 531f17cb68b331beb19a6e6c8b76575ebe38f95e Author: Patrick Schleizer Date: Wed Jan 22 07:08:08 2020 -0500 diff --git a/debian/changelog b/debian/changelog index bc828f8..89cb9d2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 08:49:02 +0000 + security-misc (3:15.1-1) unstable; urgency=medium * New upstream version (local package). From 6a4c493213929b354a3c8d2acf2325473ae63cfd Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:26:36 -0500 Subject: [PATCH 0210/1650] merge the many sysctl config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file --- debian/security-misc.maintscript | 13 ++++ etc/sysctl.d/30_security-misc.conf | 114 +++++++++++++++++++++++++++++ etc/sysctl.d/coredumps.conf | 6 -- etc/sysctl.d/dmesg_restrict.conf | 5 -- etc/sysctl.d/fs_protected.conf | 6 -- etc/sysctl.d/harden_bpf.conf | 6 -- etc/sysctl.d/kexec.conf | 11 --- etc/sysctl.d/kptr_restrict.conf | 8 -- etc/sysctl.d/mmap_aslr.conf | 6 -- etc/sysctl.d/ptrace_scope.conf | 10 --- etc/sysctl.d/suid_dumpable.conf | 5 -- etc/sysctl.d/tcp_hardening.conf | 42 ----------- etc/sysctl.d/tcp_sack.conf | 8 -- etc/sysctl.d/tcp_timestamps.conf | 12 --- 14 files changed, 127 insertions(+), 125 deletions(-) create mode 100644 etc/sysctl.d/30_security-misc.conf delete mode 100644 etc/sysctl.d/coredumps.conf delete mode 100644 etc/sysctl.d/dmesg_restrict.conf delete mode 100644 etc/sysctl.d/fs_protected.conf delete mode 100644 etc/sysctl.d/harden_bpf.conf delete mode 100644 etc/sysctl.d/kexec.conf delete mode 100644 etc/sysctl.d/kptr_restrict.conf delete mode 100644 etc/sysctl.d/mmap_aslr.conf delete mode 100644 etc/sysctl.d/ptrace_scope.conf delete mode 100644 etc/sysctl.d/suid_dumpable.conf delete mode 100644 etc/sysctl.d/tcp_hardening.conf delete mode 100644 etc/sysctl.d/tcp_sack.conf delete mode 100644 etc/sysctl.d/tcp_timestamps.conf diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 7441686..2ee7f0f 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -12,3 +12,16 @@ rm_conffile /etc/sysctl.d/sysrq.conf ## https://github.com/Whonix/security-misc/pull/45 rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown + +rm_conffile /etc/sysctl.d/fs_protected.conf +rm_conffile /etc/sysctl.d/kptr_restrict.conf +rm_conffile /etc/sysctl.d/suid_dumpable.conf +rm_conffile /etc/sysctl.d/harden_bpf.conf +rm_conffile /etc/sysctl.d/ptrace_scope.conf +rm_conffile /etc/sysctl.d/tcp_timestamps.conf +rm_conffile /etc/sysctl.d/mmap_aslr.conf +rm_conffile /etc/sysctl.d/dmesg_restrict.conf +rm_conffile /etc/sysctl.d/coredumps.conf +rm_conffile /etc/sysctl.d/kexec.conf +rm_conffile /etc/sysctl.d/tcp_hardening.conf +rm_conffile /etc/sysctl.d/tcp_sack.conf diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf new file mode 100644 index 0000000..ae374de --- /dev/null +++ b/etc/sysctl.d/30_security-misc.conf 
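Review bot: The twelve new `rm_conffile` lines pass no prior-version argument, so dpkg-maintscript-helper re-attempts the removal on every upgrade rather than once; giving the first version that no longer ships the file makes the operation one-shot, e.g. `rm_conffile /etc/sysctl.d/fs_protected.conf <version-placeholder>`. The existing entries above follow the same pattern, so the new lines are at least consistent with the file as it stands; the list matches the twelve files deleted in this commit.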
@@ -0,0 +1,114 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+## security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
+
+
+## Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
+
+
+## Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2
+
+
+## Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+
+## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+##
+## kexec_load_disabled:
+##
+## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+
+## Hides kernel addresses in various files in /proc.
+## Kernel addresses can be very useful in certain exploits.
+##
+## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+kernel.kptr_restrict=2
+
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+
+## Restricts the use of ptrace to root. This might break some programs running under WINE.
+## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+##
+## sudo apt-get install libcap2-bin
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
+
+
+## Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
+
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## TCP/IP stack hardening
+
+## Protects against time-wait assassination.
+## It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+## Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+## Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+## Ignores ICMP requests.
+net.ipv4.icmp_echo_ignore_all=1
+
+## Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+## Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+
+## Enable reverse path filtering to prevent IP spoofing and
+## mitigate vulnerabilities such as CVE-2019-14899.
+## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
+#### meta end
+
+
+## Disables SACK as it is commonly exploited and likely not needed.
+## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
+#net.ipv4.tcp_sack=0
+#net.ipv4.tcp_dsack=0
+#net.ipv4.tcp_fack=0
+
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## disable IPv4 TCP Timestamps
+
+net.ipv4.tcp_timestamps=0
+
+#### meta end
diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf
deleted file mode 100644
index 79c2922..0000000
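Review bot: `vm.mmap_rnd_bits=32` and `vm.mmap_rnd_compat_bits=16` encode the x86_64 maximums; the permitted range is fixed per architecture at kernel build time and a value above that maximum is rejected with EINVAL, so on other architectures these two lines fail while systemd-sysctl goes on with the remaining keys, and nothing in the file says so. A comment such as `## Values are the x86_64 maximums; other architectures may reject them (check the systemd-sysctl log after applying).` would save the next maintainer a debugging round. Separately, the quoted kexec documentation above `kernel.kexec_load_disabled=1` says the toggle is generally paired with `modules_disabled`, yet this file does not set `kernel.modules_disabled`; a one-line comment stating that the omission is deliberate (presumably because it would block every module load after boot) would make the intent explicit rather than leaving it to look like an oversight.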
--- a/etc/sysctl.d/coredumps.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf deleted file mode 100644 index 0883bd3..0000000 --- a/etc/sysctl.d/dmesg_restrict.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf deleted file mode 100644 index 19c3920..0000000 --- a/etc/sysctl.d/fs_protected.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Makes some data spoofing attacks harder. -fs.protected_fifos=2 -fs.protected_regular=2 diff --git a/etc/sysctl.d/harden_bpf.conf b/etc/sysctl.d/harden_bpf.conf deleted file mode 100644 index e1c84b4..0000000 --- a/etc/sysctl.d/harden_bpf.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf deleted file mode 100644 index 6fc9689..0000000 --- a/etc/sysctl.d/kexec.conf +++ /dev/null 
@@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. - -## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 diff --git a/etc/sysctl.d/kptr_restrict.conf b/etc/sysctl.d/kptr_restrict.conf deleted file mode 100644 index 0ea871e..0000000 --- a/etc/sysctl.d/kptr_restrict.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -kernel.kptr_restrict=2 diff --git a/etc/sysctl.d/mmap_aslr.conf b/etc/sysctl.d/mmap_aslr.conf deleted file mode 100644 index e38151b..0000000 --- a/etc/sysctl.d/mmap_aslr.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Improves ASLR effectiveness for mmap. -vm.mmap_rnd_bits=32 -vm.mmap_rnd_compat_bits=16 diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf deleted file mode 100644 index b48ad18..0000000 --- a/etc/sysctl.d/ptrace_scope.conf +++ /dev/null 
@@ -1,10 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: -## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf deleted file mode 100644 index 54f19b6..0000000 --- a/etc/sysctl.d/suid_dumpable.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf deleted file mode 100644 index 85b6ddf..0000000 --- a/etc/sysctl.d/tcp_hardening.conf +++ /dev/null 
@@ -1,42 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening - -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. -net.ipv4.tcp_rfc1337=1 - -## Disables ICMP redirect acceptance. -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 - -## Ignores ICMP requests. -net.ipv4.icmp_echo_ignore_all=1 - -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.accept_source_route=0 - -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf deleted file mode 100644 index 4bd07eb..0000000 --- a/etc/sysctl.d/tcp_sack.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Disables SACK as it is commonly exploited and likely not needed. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 diff --git a/etc/sysctl.d/tcp_timestamps.conf b/etc/sysctl.d/tcp_timestamps.conf deleted file mode 100644 index a1b874c..0000000 --- a/etc/sysctl.d/tcp_timestamps.conf +++ /dev/null 
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end From e0aa67677d3561cae6544c24e12021dd04f26133 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:30:36 -0500 Subject: [PATCH 0211/1650] merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file --- debian/security-misc.maintscript | 7 +++ .../30_nf_conntrack_helper_disable.conf | 2 - etc/modprobe.d/30_security-misc.conf | 54 +++++++++++++++++++ etc/modprobe.d/blacklist-bluetooth.conf | 6 --- etc/modprobe.d/blacklist-dma.conf | 3 -- etc/modprobe.d/msr.conf | 3 -- .../uncommon-network-protocols.conf | 25 --------- etc/modprobe.d/vivid.conf | 10 ---- 8 files changed, 61 insertions(+), 49 deletions(-) delete mode 100644 etc/modprobe.d/30_nf_conntrack_helper_disable.conf create mode 100644 etc/modprobe.d/30_security-misc.conf delete mode 100644 etc/modprobe.d/blacklist-bluetooth.conf delete mode 100644 etc/modprobe.d/blacklist-dma.conf delete mode 100644 etc/modprobe.d/msr.conf delete mode 100644 etc/modprobe.d/uncommon-network-protocols.conf delete mode 100644 etc/modprobe.d/vivid.conf diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2ee7f0f..a2aa848 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -25,3 +25,10 @@ rm_conffile /etc/sysctl.d/coredumps.conf
 rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
+
+rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
+rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
+rm_conffile /etc/modprobe.d/vivid.conf
+rm_conffile /etc/modprobe.d/blacklist-dma.conf
+rm_conffile /etc/modprobe.d/msr.conf
+rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
diff --git a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
deleted file mode 100644
index bd42a28..0000000
--- a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-## https://phabricator.whonix.org/T486
-options nf_conntrack nf_conntrack_helper=0
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
new file mode 100644
index 0000000..a43a60b
--- /dev/null
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -0,0 +1,54 @@ +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://phabricator.whonix.org/T486 +options nf_conntrack nf_conntrack_helper=0 + +# Blacklists bluetooth to reduce attack surface. +# Bluetooth also has a history of security vulnerabilities: +# +# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +install bluetooth /bin/false +install btusb /bin/false + +# Blacklist thunderbolt and firewire to prevent some DMA attacks. +install firewire-core /bin/false +install thunderbolt /bin/false + +# Blacklist CPU MSRs as they can be abused to write to +# arbitrary memory. +install msr /bin/false + +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# +# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +# +# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +# +# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +# +install dccp /bin/false +install sctp /bin/false +install rds /bin/false +install tipc /bin/false +install n-hdlc /bin/false +install ax25 /bin/false +install netrom /bin/false +install x25 /bin/false +install rose /bin/false +install decnet /bin/false +install econet /bin/false +install af_802154 /bin/false +install ipx /bin/false +install appletalk /bin/false +install psnap /bin/false +install p8023 /bin/false +install p8022 /bin/false + +## Blacklists the vivid kernel module as it's only required for +## testing and has been the cause of multiple vulnerabilities. 
+## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +install vivid /bin/false diff --git a/etc/modprobe.d/blacklist-bluetooth.conf b/etc/modprobe.d/blacklist-bluetooth.conf deleted file mode 100644 index 2bfc7fb..0000000 --- a/etc/modprobe.d/blacklist-bluetooth.conf +++ /dev/null @@ -1,6 +0,0 @@ -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf deleted file mode 100644 index e06eaa1..0000000 --- a/etc/modprobe.d/blacklist-dma.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Blacklist thunderbolt and firewire to prevent some DMA attacks. -install firewire-core /bin/false -install thunderbolt /bin/false diff --git a/etc/modprobe.d/msr.conf b/etc/modprobe.d/msr.conf deleted file mode 100644 index c9a39bf..0000000 --- a/etc/modprobe.d/msr.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Blacklist CPU MSRs as they can be abused to write to -# arbitrary memory. -install msr /bin/false diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf deleted file mode 100644 index 500ee10..0000000 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ /dev/null 
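Review bot: The file header should state what the `install <module> /bin/false` lines do and do not cover: they stop on-demand autoloading (for instance an unprivileged `socket()` call pulling in one of the listed protocol modules) and a plain `modprobe`, but per modprobe.d(5) root can still bypass them with `modprobe --ignore-install` or `insmod`, so they are attack-surface reduction rather than a boundary against root; `kernel.modules_disabled=1` is the hard stop if one is ever wanted. Suggested comment after the copyright block: `## 'install <module> /bin/false' blocks autoloading and plain modprobe; it is not a boundary against root (--ignore-install, insmod still work).` Two smaller points: the merged file now mixes `#` and `##` comment prefixes (the bluetooth, DMA, MSR and network-protocol sections keep the single `#` of their old files while the rest use `##`), and if early boot relies on the initramfs copy of /etc/modprobe.d, the rename means the rules take effect there only after the next initramfs rebuild, which is worth a changelog line.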
@@ -1,25 +0,0 @@ -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false diff --git a/etc/modprobe.d/vivid.conf b/etc/modprobe.d/vivid.conf deleted file mode 100644 index f8d8059..0000000 --- a/etc/modprobe.d/vivid.conf +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Blacklists the vivid kernel module as it's only required for -## testing and has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/false From 3a4d283169b381bdc93c4ff5ce7b08c11a0830b3 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:33:30 -0500 Subject: [PATCH 0212/1650] description --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index 9c45f86..63c0f64 100644 --- a/debian/control +++ b/debian/control @@ -37,7 +37,7 @@ Description: enhances misc security settings very useful for kernel exploits. . * Kexec is disabled as it can be used to load a malicious kernel. - /etc/sysctl.d/kexec.conf + /etc/sysctl.d/security-misc.conf . * ASLR effectiveness for mmap is increased. . @@ -51,7 +51,7 @@ Description: enhances misc security settings * Some data spoofing attacks are made harder. . * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. + uncommenting settings in file /etc/sysctl.d/security-misc.conf. . * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -80,7 +80,7 @@ Description: enhances misc security settings * Coredumps are disabled as they may contain important information such as encryption keys or passwords. /etc/security/limits.d/disable-coredumps.conf - /etc/sysctl.d/coredumps.conf + /etc/sysctl.d/security-misc.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf . * The thunderbolt and firewire kernel modules are blacklisted as they can be @@ -286,7 +286,7 @@ Description: enhances misc security settings public IP used by a user. . Hence, this package disables this feature by shipping the - /etc/sysctl.d/tcp_timestamps.conf configuration file. + /etc/sysctl.d/security-misc.conf configuration file. . Note that TCP time stamps normally have some usefulness. They are needed for: From bac6cd601baaca7453c55719e9dfa84d5109135d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:33:54 -0500 Subject: [PATCH 0213/1650] readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
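Review bot: All four hunks replace the old paths with `/etc/sysctl.d/security-misc.conf`, but the file this series actually ships (created in PATCH 0210) is `/etc/sysctl.d/30_security-misc.conf`, so the package description now points at a file that does not exist. PATCH 0219 later corrects the path, so this commit and the matching README change in PATCH 0213 could be squashed into that fix. The same stale path is carried into the debian/control hunk of PATCH 0215 below.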
diff --git a/README.md b/README.md index 2ee14bc..fd22b23 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ the kernel. (!) Hence, this package disables this feature by shipping the very useful for kernel exploits. * Kexec is disabled as it can be used to load a malicious kernel. -/etc/sysctl.d/kexec.conf +/etc/sysctl.d/security-misc.conf * ASLR effectiveness for mmap is increased. @@ -33,7 +33,7 @@ mitigate vulnerabilities such as CVE-2019-14899. * Some data spoofing attacks are made harder. * SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. +uncommenting settings in file /etc/sysctl.d/security-misc.conf. * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -62,7 +62,7 @@ that could be useful to an attacker. * Coredumps are disabled as they may contain important information such as encryption keys or passwords. /etc/security/limits.d/disable-coredumps.conf -/etc/sysctl.d/coredumps.conf +/etc/sysctl.d/security-misc.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf * The thunderbolt and firewire kernel modules are blacklisted as they can be @@ -268,7 +268,7 @@ also allow one to look for clocks that match an expected value to find the public IP used by a user. Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. +/etc/sysctl.d/security-misc.conf configuration file. Note that TCP time stamps normally have some usefulness. They are needed for: From 2ab940c60311ae38079d2ceb09e04eedac2aad90 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:34:18 -0500 Subject: [PATCH 0214/1650] bumped changelog version --- changelog.upstream | 38 ++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 44 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index eeac35f..50c0fa8 100644 --- a/changelog.upstream 
+++ b/changelog.upstream @@ -1,3 +1,41 @@ +commit bac6cd601baaca7453c55719e9dfa84d5109135d +Author: Patrick Schleizer +Date: Fri Jan 24 04:33:54 2020 -0500 + + readme + +commit 3a4d283169b381bdc93c4ff5ce7b08c11a0830b3 +Author: Patrick Schleizer +Date: Fri Jan 24 04:33:30 2020 -0500 + + description + +commit e0aa67677d3561cae6544c24e12021dd04f26133 +Author: Patrick Schleizer +Date: Fri Jan 24 04:30:36 2020 -0500 + + merge the many modprobe.d config files into 1 + + and use a name starting with double digits + + to make it easier to disable settings using a lexically higher config file + +commit 6a4c493213929b354a3c8d2acf2325473ae63cfd +Author: Patrick Schleizer +Date: Fri Jan 24 04:26:36 2020 -0500 + + merge the many sysctl config files into 1 + + and use a name starting with double digits + + to make it easier to disable settings using a lexically higher config file + +commit f653b94e7747436323e2083d416ab86560e3cd71 +Author: Patrick Schleizer +Date: Fri Jan 24 03:49:02 2020 -0500 + + bumped changelog version + commit ca057713e2e1f3c4a47216aadb51ba0ca012e39e Author: Patrick Schleizer Date: Fri Jan 24 03:39:04 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 89cb9d2..75201a1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 09:34:18 +0000 + security-misc (3:15.2-1) unstable; urgency=medium * New upstream version (local package). From a37da1c96880b14a8271712801e6da3d3ea766eb Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:39:06 -0500 Subject: [PATCH 0215/1650] add digits to drop-in file names --- debian/control | 4 ++-- debian/security-misc.maintscript | 3 +++ .../{disable-coredumps.conf => 30_security-misc.conf} | 0 .../{disable-coredumps.conf => 30_security-misc.conf} | 0 4 files changed, 5 insertions(+), 2 deletions(-) rename etc/security/limits.d/{disable-coredumps.conf => 30_security-misc.conf} (100%) rename lib/systemd/coredump.conf.d/{disable-coredumps.conf => 30_security-misc.conf} (100%) diff --git a/debian/control b/debian/control index 63c0f64..2444db6 100644 --- a/debian/control +++ b/debian/control @@ -79,9 +79,9 @@ Description: enhances misc security settings . * Coredumps are disabled as they may contain important information such as encryption keys or passwords. - /etc/security/limits.d/disable-coredumps.conf + /etc/security/limits.d/30_security-misc.conf /etc/sysctl.d/security-misc.conf - /lib/systemd/coredump.conf.d/disable-coredumps.conf + /lib/systemd/coredump.conf.d/30_security-misc.conf . * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index a2aa848..32ea40a 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -32,3 +32,6 @@ rm_conffile /etc/modprobe.d/vivid.conf rm_conffile /etc/modprobe.d/blacklist-dma.conf rm_conffile /etc/modprobe.d/msr.conf rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf + +## renamed to /etc/security/limits.d/30_security-misc.conf +rm_conffile /etc/security/limits.d/disable-coredumps.conf diff --git a/etc/security/limits.d/disable-coredumps.conf b/etc/security/limits.d/30_security-misc.conf similarity index 100% rename from etc/security/limits.d/disable-coredumps.conf rename to etc/security/limits.d/30_security-misc.conf 
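Review bot: `rm_conffile /etc/security/limits.d/disable-coredumps.conf` for a file that the same commit renames to `30_security-misc.conf` discards any administrator edits (they survive only as a `.dpkg-bak` copy); dpkg-maintscript-helper has `mv_conffile` for exactly this case, which carries a modified file over to its new name: `mv_conffile /etc/security/limits.d/disable-coredumps.conf /etc/security/limits.d/30_security-misc.conf`. The `/lib/systemd/coredump.conf.d/` rename needs no maintscript entry because it is not a conffile, which the hunk correctly reflects.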
diff --git a/lib/systemd/coredump.conf.d/disable-coredumps.conf b/lib/systemd/coredump.conf.d/30_security-misc.conf similarity index 100% rename from lib/systemd/coredump.conf.d/disable-coredumps.conf rename to lib/systemd/coredump.conf.d/30_security-misc.conf From c0d3726b002d136e602c6bdaf07c5d94c5591ee4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:40:03 -0500 Subject: [PATCH 0216/1650] comment --- debian/security-misc.maintscript | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 32ea40a..1423646 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -13,6 +13,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown +## merged into 1 file /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf @@ -26,6 +27,7 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf +## merged into 1 file /etc/modprobe.d/30_security-misc.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf From be79f0688a47dca129ac61dd78b18a2638e8650c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:40:20 -0500 Subject: [PATCH 0217/1650] readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fd22b23..cb0d3ab 100644 --- a/README.md +++ b/README.md 
@@ -61,9 +61,9 @@ that could be useful to an attacker. * Coredumps are disabled as they may contain important information such as encryption keys or passwords. -/etc/security/limits.d/disable-coredumps.conf +/etc/security/limits.d/30_security-misc.conf /etc/sysctl.d/security-misc.conf -/lib/systemd/coredump.conf.d/disable-coredumps.conf +/lib/systemd/coredump.conf.d/30_security-misc.conf * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. From 25317f23e3a80fdd9f6965990cd397ddcab11a4b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:41:16 -0500 Subject: [PATCH 0218/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 50c0fa8..b9755fa 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit be79f0688a47dca129ac61dd78b18a2638e8650c +Author: Patrick Schleizer +Date: Fri Jan 24 04:40:20 2020 -0500 + + readme + +commit c0d3726b002d136e602c6bdaf07c5d94c5591ee4 +Author: Patrick Schleizer +Date: Fri Jan 24 04:40:03 2020 -0500 + + comment + +commit a37da1c96880b14a8271712801e6da3d3ea766eb +Author: Patrick Schleizer +Date: Fri Jan 24 04:39:06 2020 -0500 + + add digits to drop-in file names + +commit 2ab940c60311ae38079d2ceb09e04eedac2aad90 +Author: Patrick Schleizer +Date: Fri Jan 24 04:34:18 2020 -0500 + + bumped changelog version + commit bac6cd601baaca7453c55719e9dfa84d5109135d Author: Patrick Schleizer Date: Fri Jan 24 04:33:54 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 75201a1..d138b89 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:15.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 09:41:16 +0000 + security-misc (3:15.3-1) unstable; urgency=medium * New upstream version (local package). From f4c54881ac21ed095f54a59f9c0baf582ef76d9b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 04:49:19 -0500 Subject: [PATCH 0219/1650] description --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index 2444db6..b194240 100644 --- a/debian/control +++ b/debian/control @@ -37,7 +37,7 @@ Description: enhances misc security settings very useful for kernel exploits. . * Kexec is disabled as it can be used to load a malicious kernel. - /etc/sysctl.d/security-misc.conf + /etc/sysctl.d/30_security-misc.conf . * ASLR effectiveness for mmap is increased. . @@ -51,7 +51,7 @@ Description: enhances misc security settings * Some data spoofing attacks are made harder. . * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file /etc/sysctl.d/security-misc.conf. + uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. . * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -80,7 +80,7 @@ Description: enhances misc security settings * Coredumps are disabled as they may contain important information such as encryption keys or passwords. /etc/security/limits.d/30_security-misc.conf - /etc/sysctl.d/security-misc.conf + /etc/sysctl.d/30_security-misc.conf /lib/systemd/coredump.conf.d/30_security-misc.conf . * The thunderbolt and firewire kernel modules are blacklisted as they can be 
@@ -286,7 +286,7 @@ Description: enhances misc security settings public IP used by a user. . Hence, this package disables this feature by shipping the - /etc/sysctl.d/security-misc.conf configuration file. + /etc/sysctl.d/30_security-misc.conf configuration file. . Note that TCP time stamps normally have some usefulness. They are needed for: From 07dcb32fc28abf33eaf0425c67cc5cf9ee1f5a5b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 11:55:38 -0500 Subject: [PATCH 0220/1650] readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cb0d3ab..64cbaa6 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ the kernel. (!) Hence, this package disables this feature by shipping the very useful for kernel exploits. * Kexec is disabled as it can be used to load a malicious kernel. -/etc/sysctl.d/security-misc.conf +/etc/sysctl.d/30_security-misc.conf * ASLR effectiveness for mmap is increased. @@ -33,7 +33,7 @@ mitigate vulnerabilities such as CVE-2019-14899. * Some data spoofing attacks are made harder. * SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file /etc/sysctl.d/security-misc.conf. +uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -62,7 +62,7 @@ that could be useful to an attacker. * Coredumps are disabled as they may contain important information such as encryption keys or passwords. /etc/security/limits.d/30_security-misc.conf -/etc/sysctl.d/security-misc.conf +/etc/sysctl.d/30_security-misc.conf /lib/systemd/coredump.conf.d/30_security-misc.conf * The thunderbolt and firewire kernel modules are blacklisted as they can be 
@@ -268,7 +268,7 @@ also allow one to look for clocks that match an expected value to find the public IP used by a user. Hence, this package disables this feature by shipping the -/etc/sysctl.d/security-misc.conf configuration file. +/etc/sysctl.d/30_security-misc.conf configuration file. Note that TCP time stamps normally have some usefulness. They are needed for: From efc40da4fb1fffcc760685cda0e49dc04da4c5fe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 24 Jan 2020 12:02:27 -0500 Subject: [PATCH 0221/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b9755fa..3e66abc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 07dcb32fc28abf33eaf0425c67cc5cf9ee1f5a5b +Author: Patrick Schleizer +Date: Fri Jan 24 11:55:38 2020 -0500 + + readme + +commit f4c54881ac21ed095f54a59f9c0baf582ef76d9b +Author: Patrick Schleizer +Date: Fri Jan 24 04:49:19 2020 -0500 + + description + +commit 25317f23e3a80fdd9f6965990cd397ddcab11a4b +Author: Patrick Schleizer +Date: Fri Jan 24 04:41:16 2020 -0500 + + bumped changelog version + commit be79f0688a47dca129ac61dd78b18a2638e8650c Author: Patrick Schleizer Date: Fri Jan 24 04:40:20 2020 -0500 diff --git a/debian/changelog b/debian/changelog index d138b89..98a54d0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 17:02:27 +0000 + security-misc (3:15.4-1) unstable; urgency=medium * New upstream version (local package). From c1a0da60beacd027c1c7c94ae44a9d7b1ab708b9 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 30 Jan 2020 00:46:48 -0500 Subject: [PATCH 0222/1650] set kernel boot parameter `l1tf=full,force` and `nosmt=force` https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 --- debian/control | 2 ++ etc/default/grub.d/40_kernel_hardening.cfg | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/debian/control b/debian/control index b194240..6a97d69 100644 --- a/debian/control +++ b/debian/control @@ -70,6 +70,8 @@ Description: enhances misc security settings vulnerabilities. . * All mitigations for the MDS vulnerability are enabled. + . + * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b741b20..e8da9a2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -40,6 +40,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" + +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" From 4df0d6c01cc91139dc9eef1dc4265e8cacde8cdf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 01:22:06 -0500 Subject: [PATCH 0223/1650] readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
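Review bot: The added `nosmt=force` line duplicates what `l1tf=full,force` two lines above already requests: the l1tf document linked in this same hunk states that `full,force` disables SMT and L1D flush runtime control and implies the `nosmt=force` option. If the explicit line is kept so the SMT policy is visible on its own, its comment should say that instead of only carrying a forum link, e.g. `## Redundant with l1tf=full,force above (which implies nosmt=force); kept so the SMT policy is explicit.` The same pair is carried over into the new etc/default/grub.d/40_cpu_mitigations.cfg in patch 0239. A reader would also want the comment to mention that `force` removes the sysfs runtime SMT control, so SMT cannot be re-enabled without editing this file and rebooting.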
diff --git a/README.md b/README.md index 64cbaa6..5bf4053 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,8 @@ vulnerabilities. * All mitigations for the MDS vulnerability are enabled. +* Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. + * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. /etc/kernel/postinst.d/30_remove-system-map From 2711d0f7f08362f97383fbae81ce9d520b19dcbc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 01:22:32 -0500 Subject: [PATCH 0224/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3e66abc..0f6c170 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit 4df0d6c01cc91139dc9eef1dc4265e8cacde8cdf +Author: Patrick Schleizer +Date: Thu Jan 30 01:22:06 2020 -0500 + + readme + +commit c1a0da60beacd027c1c7c94ae44a9d7b1ab708b9 +Author: Patrick Schleizer +Date: Thu Jan 30 00:46:48 2020 -0500 + + set kernel boot parameter `l1tf=full,force` and `nosmt=force` + + https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 + +commit efc40da4fb1fffcc760685cda0e49dc04da4c5fe +Author: Patrick Schleizer +Date: Fri Jan 24 12:02:27 2020 -0500 + + bumped changelog version + commit 07dcb32fc28abf33eaf0425c67cc5cf9ee1f5a5b Author: Patrick Schleizer Date: Fri Jan 24 11:55:38 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 98a54d0..9f1244b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 06:22:32 +0000 + security-misc (3:15.5-1) unstable; urgency=medium * New upstream version (local package). 
From b9d65338bcc76552e4d2169106cd04e6276eb320 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 05:55:13 -0500 Subject: [PATCH 0225/1650] unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) this might reduce performance * `spectre_v2=on` * `spec_store_bypass_disable=on` * `tsx=off` * `tsx_async_abort=full,nosmt` Thanks to @madaidan for the suggestion! https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 --- etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e8da9a2..82a2bb8 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -36,6 +36,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" + ## Enables all mitigations for the MDS vulnerability. ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" From d69c1839cd30145c30247e0962a97cfd38f79d60 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 06:02:26 -0500 Subject: [PATCH 0226/1650] bumped changelog version --- changelog.upstream | 23 +++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 29 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0f6c170..988b928 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,26 @@ +commit b9d65338bcc76552e4d2169106cd04e6276eb320 +Author: Patrick Schleizer +Date: Thu Jan 30 05:55:13 2020 -0500 + + unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) + + this might reduce performance + + * `spectre_v2=on` + * `spec_store_bypass_disable=on` + * `tsx=off` + * `tsx_async_abort=full,nosmt` + + Thanks to @madaidan for the suggestion! + + https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 + +commit 2711d0f7f08362f97383fbae81ce9d520b19dcbc +Author: Patrick Schleizer +Date: Thu Jan 30 01:22:32 2020 -0500 + + bumped changelog version + commit 4df0d6c01cc91139dc9eef1dc4265e8cacde8cdf Author: Patrick Schleizer Date: Thu Jan 30 01:22:06 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 9f1244b..b3151f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 11:02:26 +0000 + security-misc (3:15.6-1) unstable; urgency=medium * New upstream version (local package). From 85d2aa1365ae5dfc43944a938794954452c26fe0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 06:13:42 -0500 Subject: [PATCH 0227/1650] hide stdout (but not stderr) by sysctl during initramfs --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 33d98d7..71e82f4 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
@@ -15,7 +15,7 @@ prereqs) ;; esac -sysctl -p ${rootmnt}/etc/sysctl.conf -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null true From 0bd0a4a647aef9899e1cbb5671ccfa3ca36efe18 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 06:14:34 -0500 Subject: [PATCH 0228/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 988b928..3aa7579 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 85d2aa1365ae5dfc43944a938794954452c26fe0 +Author: Patrick Schleizer +Date: Thu Jan 30 06:13:42 2020 -0500 + + hide stdout (but not stderr) by sysctl during initramfs + +commit d69c1839cd30145c30247e0962a97cfd38f79d60 +Author: Patrick Schleizer +Date: Thu Jan 30 06:02:26 2020 -0500 + + bumped changelog version + commit b9d65338bcc76552e4d2169106cd04e6276eb320 Author: Patrick Schleizer Date: Thu Jan 30 05:55:13 2020 -0500 diff --git a/debian/changelog b/debian/changelog index b3151f8..c96bef5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 11:14:34 +0000 + security-misc (3:15.7-1) unstable; urgency=medium * New upstream version (local package). From 829e28aa90ff5cb38edcc3cfab8ec91939ae5844 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2020 12:17:07 -0500 Subject: [PATCH 0229/1650] /usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support --- usr/lib/security-misc/apt-get-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update index d1c6772..6d9c485 100755 --- a/usr/lib/security-misc/apt-get-update 
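Review bot: `${rootmnt}` stays unquoted on both rewritten lines, so a value containing whitespace would be word-split before sysctl sees it; the glob must remain unquoted, but the variable part can be quoted on its own: `sysctl -p "${rootmnt}/etc/sysctl.conf" >/dev/null` and `sysctl -p "${rootmnt}"/etc/sysctl.d/*.conf >/dev/null`. Since the redirect now hides which keys were applied, a one-line comment above the pair, such as `## stdout hidden to keep the boot console quiet; stderr is left so keys the kernel rejects still show`, would record why only stdout is discarded. The surrounding script (the `case` above and the trailing `true`) is outside the hunk.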
+++ b/usr/lib/security-misc/apt-get-update @@ -18,8 +18,8 @@ sigterm_trap() { trap "sigterm_trap" SIGTERM SIGINT -timeout_after="240" -kill_after="10" +[ -n "$timeout_after" ] || timeout_after="240" +[ -n "$kill_after" ] || kill_after="10" timeout \ --kill-after="$kill_after" \ From 8627c9f76d1bdf26a423a92506d3d8c0eb1afc2e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2020 12:18:02 -0500 Subject: [PATCH 0230/1650] /usr/lib/security-misc/apt-get-update increase default timeout_after="600" --- usr/lib/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update index 6d9c485..cc44769 100755 --- a/usr/lib/security-misc/apt-get-update +++ b/usr/lib/security-misc/apt-get-update @@ -18,7 +18,7 @@ sigterm_trap() { trap "sigterm_trap" SIGTERM SIGINT -[ -n "$timeout_after" ] || timeout_after="240" +[ -n "$timeout_after" ] || timeout_after="600" [ -n "$kill_after" ] || kill_after="10" timeout \ From 2291b7f787bcec5f64f632c6f3e8dfb12c67b4ee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 3 Feb 2020 08:43:31 -0500 Subject: [PATCH 0231/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3aa7579..9f670c4 100644 --- a/changelog.upstream +++ b/changelog.upstream 
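Review bot: The two new overrides accept any non-empty `timeout_after` / `kill_after` from the environment and hand them to `timeout --kill-after="$kill_after" "$timeout_after"` unchanged; a non-numeric or malformed value makes `timeout` fail before apt-get-wrapper runs, so updates would silently stop rather than fall back to the default. Validating the override as a plain number keeps the fallback intact, e.g. `case "$timeout_after" in ''|*[!0-9]*) timeout_after="240" ;; esac` and the same shape for `kill_after` with `"10"` (patch 0230 raises the first default to 600, so the literal should follow that change). A short comment naming the two variables as the supported override interface, and their unit (seconds, as `timeout` interprets bare numbers), would also help, since nothing in the file documents them. The enclosing script continues outside the hunk.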
@@ -1,3 +1,21 @@ +commit 8627c9f76d1bdf26a423a92506d3d8c0eb1afc2e +Author: Patrick Schleizer +Date: Fri Jan 31 12:18:02 2020 -0500 + + /usr/lib/security-misc/apt-get-update increase default timeout_after="600" + +commit 829e28aa90ff5cb38edcc3cfab8ec91939ae5844 +Author: Patrick Schleizer +Date: Fri Jan 31 12:17:07 2020 -0500 + + /usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support + +commit 0bd0a4a647aef9899e1cbb5671ccfa3ca36efe18 +Author: Patrick Schleizer +Date: Thu Jan 30 06:14:34 2020 -0500 + + bumped changelog version + commit 85d2aa1365ae5dfc43944a938794954452c26fe0 Author: Patrick Schleizer Date: Thu Jan 30 06:13:42 2020 -0500 diff --git a/debian/changelog b/debian/changelog index c96bef5..52769de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:15.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Feb 2020 13:43:31 +0000 + security-misc (3:15.8-1) unstable; urgency=medium * New upstream version (local package). From 1f6ed2cc7047e1144e811d94dddc7306ee93b61e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 3 Feb 2020 08:55:20 -0500 Subject: [PATCH 0232/1650] add support for passing parameters to usr/lib/security-misc/apt-get-update --- usr/lib/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update index cc44769..03df63d 100755 --- a/usr/lib/security-misc/apt-get-update +++ b/usr/lib/security-misc/apt-get-update @@ -24,7 +24,7 @@ trap "sigterm_trap" SIGTERM SIGINT timeout \ --kill-after="$kill_after" \ "$timeout_after" \ - /usr/lib/security-misc/apt-get-wrapper update & + /usr/lib/security-misc/apt-get-wrapper update "$@" & lastpid="$!" wait "$lastpid" From 8c5cd865f49cea986cdfc00a4cb4f0f913d4d3e6 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 3 Feb 2020 09:23:13 -0500 Subject: [PATCH 0233/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9f670c4..aadfc6e 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 1f6ed2cc7047e1144e811d94dddc7306ee93b61e +Author: Patrick Schleizer +Date: Mon Feb 3 08:55:20 2020 -0500 + + add support for passing parameters to usr/lib/security-misc/apt-get-update + +commit 2291b7f787bcec5f64f632c6f3e8dfb12c67b4ee +Author: Patrick Schleizer +Date: Mon Feb 3 08:43:31 2020 -0500 + + bumped changelog version + commit 8627c9f76d1bdf26a423a92506d3d8c0eb1afc2e Author: Patrick Schleizer Date: Fri Jan 31 12:18:02 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 52769de..833969e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Feb 2020 14:23:13 +0000 + security-misc (3:15.9-1) unstable; urgency=medium * New upstream version (local package). From e4c6e897cf37cbf5de6d90888a0ddbe56db11c2f Mon Sep 17 00:00:00 2001 From: HulaHoop0 <55955185+HulaHoop0@users.noreply.github.com> Date: Mon, 3 Feb 2020 16:06:46 +0000 Subject: [PATCH 0234/1650] kvm.nx_huge_pages=force --- etc/default/grub.d/40_kernel_hardening.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 82a2bb8..e9f7aae 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -54,6 +54,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" + ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" From 163e20b886f298cb9d3aca54c14f66991001b396 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 5 Feb 2020 06:31:48 -0500 Subject: [PATCH 0235/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index aadfc6e..80b4ae3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 3024006f63be34f0c9d2968b1839a855419792dd +Merge: 8c5cd86 024576e +Author: Patrick Schleizer +Date: Tue Feb 4 00:24:50 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 024576e3307e45c90b97ed8658ee82ceb1ed00aa +Merge: 8c5cd86 e4c6e89 +Author: Patrick Schleizer +Date: Tue Feb 4 05:24:05 2020 +0000 + + Merge pull request #56 from HulaHoop0/patch-1 + + kvm.nx_huge_pages=force + +commit e4c6e897cf37cbf5de6d90888a0ddbe56db11c2f +Author: HulaHoop0 <55955185+HulaHoop0@users.noreply.github.com> +Date: Mon Feb 3 16:06:46 2020 +0000 + + kvm.nx_huge_pages=force + +commit 8c5cd865f49cea986cdfc00a4cb4f0f913d4d3e6 +Author: Patrick Schleizer +Date: Mon Feb 3 09:23:13 2020 -0500 + + bumped changelog version + commit 1f6ed2cc7047e1144e811d94dddc7306ee93b61e Author: Patrick Schleizer Date: Mon Feb 3 08:55:20 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 833969e..71952c2 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 05 Feb 2020 11:31:48 +0000 + security-misc (3:16.0-1) unstable; urgency=medium * New upstream version (local package). From 5cb21d0d4d36fd516f17a9b5378443859f497027 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:03:23 +0000 Subject: [PATCH 0236/1650] Prevent symlink/hardlink TOCTOU races --- etc/sysctl.d/30_security-misc.conf | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index ae374de..4c17bcb 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -5,21 +5,31 @@ ## security-misc also disables coredumps in other ways. kernel.core_pattern=|/bin/false - ## Restricts the kernel log to root only. kernel.dmesg_restrict=1 - -## Makes some data spoofing attacks harder. +## Don't allow writes to files that we don't own +## in world writable sticky directories, unless +## they are owned by the owner of the directory. fs.protected_fifos=2 fs.protected_regular=2 +## Only allow symlinks to be followed when outside of +## a world-writable sticky directory, or when the owner +## of the symlink and follower match, or when the directory +## owner matches the symlink's owner. +## +## Prevent hardlinks from being created by users that do not +## have read/write access to the source file. +## +## These prevent many TOCTOU races. +fs.protected_symlinks=1 +fs.protected_hardlinks=1 ## Hardens the BPF JIT compiler and restricts it to root. kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 - ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## ## kexec_load_disabled: 
@@ -29,19 +39,16 @@ net.core.bpf_jit_harden=2 ## Disables kexec which can be used to replace the running kernel. kernel.kexec_load_disabled=1 - ## Hides kernel addresses in various files in /proc. ## Kernel addresses can be very useful in certain exploits. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak kernel.kptr_restrict=2 - ## Improves ASLR effectiveness for mmap. vm.mmap_rnd_bits=32 vm.mmap_rnd_compat_bits=16 - ## Restricts the use of ptrace to root. This might break some programs running under WINE. ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## @@ -50,7 +57,6 @@ vm.mmap_rnd_compat_bits=16 ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader kernel.yama.ptrace_scope=2 - ## Prevent setuid processes from creating coredumps. fs.suid_dumpable=0 From 14f845837476810f1eb3038d9d41f9ad8088b916 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:05:32 +0000 Subject: [PATCH 0237/1650] Update control --- debian/control | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 6a97d69..653f292 100644 --- a/debian/control +++ b/debian/control @@ -48,7 +48,9 @@ Description: enhances misc security settings attacks and enabling reverse path filtering to prevent IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. . - * Some data spoofing attacks are made harder. + * Avoids unintentional writes to attacker-controlled files. + . + * Prevents symlink/hardlink TOCTOU races. . * SACK can be disabled as it is commonly exploited and is rarely used by uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. From ba0043b8a7249e55e0a0d3b87f6c54de5283f057 Mon Sep 17 00:00:00 2001 
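Review bot: The new comment above `fs.protected_fifos=2` / `fs.protected_regular=2` describes only what value 1 does; per the kernel's fs sysctl documentation, value 2 additionally applies the same rule to group-writable sticky directories, and 2 is what this file sets. Suggest closing that comment with `## Value 2 also covers group-writable sticky directories.` so the chosen value is explained. The `fs.protected_symlinks=1` / `fs.protected_hardlinks=1` comment matches the documented semantics. The first hunk of this file is the one reviewed here; the later hunks in this patch only drop blank lines.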
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:36:05 +0000 Subject: [PATCH 0238/1650] Update 40_kernel_hardening.cfg --- etc/default/grub.d/40_kernel_hardening.cfg | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e9f7aae..e456416 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -36,27 +36,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" - -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" - -## Enables all mitigations for the MDS vulnerability. -## Disables smt which can be used to exploit the MDS vulnerability. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" - -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" - -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" - ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" From 700c7ed9085f2c9f0f271ddf8781f119e8ac5714 Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:42:13 +0000 Subject: [PATCH 0239/1650] Create 40_cpu_mitigations.cfg --- etc/default/grub.d/40_cpu_mitigations.cfg | 42 +++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 etc/default/grub.d/40_cpu_mitigations.cfg diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg new file mode 100644 index 0000000..c18d80c --- /dev/null +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -0,0 +1,42 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Enables all mitigations for CPU vulnerabilities.
+##
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
+
+## Enable all mitigations for Spectre Variant 2.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+
+## Disable Speculative Store Bypass.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+
+## Disable TSX, enable all mitigations for the TSX Async Abort
+## vulnerability and disable SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
+
+## Enable all mitigations for the MDS vulnerability and disable
+## SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Enable all mitigations for the L1TF vulnerability and disable SMT
+## and L1D flush runtime control.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
+
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+##
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
From 2796c2dd00fca0bb458bdb4ea5c2cdbd35854bef Mon Sep 17 00:00:00 2001
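Review bot: The header of the new file reads `## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP` although the file is created in February 2020, so the year range should end in 2020. The per-parameter comments are consistent with the kernel documents they link, which is a clear improvement over the bare lines removed in patch 0238. One property worth stating once at the top is that `nosmt=force` and `l1tf=full,force` remove the corresponding sysfs runtime controls, so this policy can only be changed by editing the file and rebooting; a line such as `## SMT and L1D-flush settings below cannot be changed at runtime; edit and reboot.` after the opening description would make that explicit for operators.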
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:43:19 +0000 Subject: [PATCH 0240/1650] Update control --- debian/control | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/debian/control b/debian/control index 6a97d69..7407373 100644 --- a/debian/control +++ b/debian/control @@ -66,12 +66,7 @@ Description: enhances misc security settings * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. . - * SMT is disabled as it can be used to exploit the MDS and other - vulnerabilities. - . - * All mitigations for the MDS vulnerability are enabled. - . - * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. + * Enables all mitigations for CPU vulnerabilities and disables SMT. . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. From d1fa191bc0ad58ea4fbb5b4db383311f87319dfe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 13 Feb 2020 13:38:21 -0500 Subject: [PATCH 0241/1650] readme --- README.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/README.md b/README.md index 5bf4053..d08af65 100644 --- a/README.md +++ b/README.md @@ -48,12 +48,7 @@ on uncorrectable errors in ECC memory that could be exploited. * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. -* SMT is disabled as it can be used to exploit the MDS and other -vulnerabilities. - -* All mitigations for the MDS vulnerability are enabled. - -* Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. +* Enables all mitigations for CPU vulnerabilities and disables SMT. * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. From 14140ad41ba45b2457570a7df28b42cfd3bf3155 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 13 Feb 2020 13:39:45 -0500 Subject: [PATCH 0242/1650] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 80b4ae3..f1fcc8b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,49 @@ +commit d1fa191bc0ad58ea4fbb5b4db383311f87319dfe +Author: Patrick Schleizer +Date: Thu Feb 13 13:38:21 2020 -0500 + + readme + +commit 76a51a3b45113b4f771397bf32daae3fb38af6a6 +Merge: 163e20b 5ebab39 +Author: Patrick Schleizer +Date: Thu Feb 13 13:37:34 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 5ebab397b201f431e3d0ca3bebfb71fa61a7ed2b +Merge: 163e20b 2796c2d +Author: Patrick Schleizer +Date: Thu Feb 13 18:36:41 2020 +0000 + + Merge pull request #58 from madaidan/mitigations + + Improve CPU mitigations documentation + +commit 2796c2dd00fca0bb458bdb4ea5c2cdbd35854bef +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:43:19 2020 +0000 + + Update control + +commit 700c7ed9085f2c9f0f271ddf8781f119e8ac5714 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:42:13 2020 +0000 + + Create 40_cpu_mitigations.cfg + +commit ba0043b8a7249e55e0a0d3b87f6c54de5283f057 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:36:05 2020 +0000 + + Update 40_kernel_hardening.cfg + +commit 163e20b886f298cb9d3aca54c14f66991001b396 +Author: Patrick Schleizer +Date: Wed Feb 5 06:31:48 2020 -0500 + + bumped changelog version + commit 3024006f63be34f0c9d2968b1839a855419792dd Merge: 8c5cd86 024576e Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 71952c2..f1357e0 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:16.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 13 Feb 2020 18:39:45 +0000 + security-misc (3:16.1-1) unstable; urgency=medium * New upstream version (local package). From 0ea7dd161b3e643c23624e6dcb450116824b6301 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 17:50:19 +0000 Subject: [PATCH 0243/1650] Restrict loading line disciplines to CAP_SYS_MODULE --- etc/sysctl.d/30_security-misc.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 4c17bcb..8305bd1 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -118,3 +118,8 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_timestamps=0 #### meta end + +## Restrict loading line disciplines to CAP_SYS_MODULE to prevent +## unprivileged attackers from loading vulnerable line disciplines +## with the TIOCSETD ioctl to exploit them. +dev.tty.ldisc_autoload=0 From ace62111761451a13c446767dfd3c32b9b70a7f8 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 17:51:17 +0000 Subject: [PATCH 0244/1650] Update control --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index 2abb7ee..99871c4 100644 --- a/debian/control +++ b/debian/control @@ -119,6 +119,8 @@ Description: enhances misc security settings . * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. + . + * Restricts loading line disciplines to CAP_SYS_MODULE. . Improve Entropy Collection . From d251c43344a04e1dd8afbf12352432810874e021 Mon Sep 17 00:00:00 2001 
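Review bot: The added `dev.tty.ldisc_autoload` key is, if I recall correctly, only present on Linux 5.1 and newer, so on an older kernel such as Debian buster's 4.19 every `sysctl --system` run (and the package's early-boot initramfs hook described elsewhere in this series) will log an unknown-key error for this line, and the hunk says nothing about that. The error is harmless for the remaining keys but makes sysctl exit non-zero, which a maintainer debugging boot output should be able to recognise. I would add above the key: `## Requires Linux 5.1 or newer; on older kernels sysctl reports this key as unknown and continues.`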
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 18:17:20 +0000 Subject: [PATCH 0245/1650] Restrict the SysRq key --- etc/sysctl.d/30_security-misc.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 4c17bcb..399c5d2 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -118,3 +118,9 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_timestamps=0 #### meta end + +## Only allow the SysRq key to be used for shutdowns and the +## Secure Attention Key (SAK). +## +## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ +kernel.sysrq=132 From 0f497369574811b0e7fb832636a5618e62618619 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 18:18:18 +0000 Subject: [PATCH 0246/1650] Update control --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index 2abb7ee..de04d2a 100644 --- a/debian/control +++ b/debian/control @@ -119,6 +119,9 @@ Description: enhances misc security settings . * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. + . + * Restricts the SysRq key so it can only be used for shutdowns and the + Secure Attention Key. . Improve Entropy Collection . From 9b767139ef82279e00d86f7f1e1e8bf73d795651 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 18:52:01 +0000 Subject: [PATCH 0247/1650] Avoid holes in IOMMU --- etc/default/grub.d/40_enable_iommu.cfg | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg index 1d6dd0a..6e49d49 100644 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ b/etc/default/grub.d/40_enable_iommu.cfg 
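Review bot: `kernel.sysrq=132` is a bitmask and the comment only states the outcome, not how the number is built, so whoever adjusts it later has to rediscover the bits. I would spell it out next to the value: `## 132 = 4 (enable SAK) + 128 (allow reboot/poweroff); see Documentation/admin-guide/sysrq.rst`. Note also that sysctl.d files apply in lexical order with the last writer winning, so any later-sorting file that sets `kernel.sysrq` (systemd's 50-default.conf does on some distributions, with 16) would silently override this 30_ file; that is worth verifying on the target system or stating in the comment.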
@@ -3,3 +3,10 @@ ## Enables IOMMU to prevent DMA attacks. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" + +## Disable the busmaster bit on all PCI bridges during very +## early boot to avoid holes in IOMMU. +## +## https://mjg59.dreamwidth.org/54433.html +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" From 31009f0bfa10e7b67f5823a5be92273e5414fff3 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 23:46:19 +0000 Subject: [PATCH 0248/1650] Shred System.map files --- usr/lib/security-misc/remove-system.map | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index c99b286..7e7f787 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -26,7 +26,7 @@ fi ## Removes the System.map files as they are only used for debugging or malware. for filename in ${system_map_location} ; do if [ -f "$(unknown)" ]; then - rm --verbose --force "$(unknown)" + shred --verbose --force --zero -u "$(unknown)" fi done From 9bbae903fe5ee58d4a22dfeab51cbb179b8cfb14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 15 Feb 2020 05:29:48 -0500 Subject: [PATCH 0249/1650] remove-system.map: lower verbosity output --- usr/lib/security-misc/remove-system.map | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 7e7f787..72ce407 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map 
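Review bot: `efi=disable_early_pci_dma` is only understood by kernels containing the linked commit (Linux 5.6, as far as I can tell) and only has an effect on EFI boots, yet it is appended unconditionally and the comment does not say so; older kernels appear to just skip the unknown `efi=` token. The sibling `40_kernel_hardening.cfg` in this series gates version-specific parameters with `dpkg --compare-versions "${kver}"`, which would fit here too. At minimum I would add `## Only effective on EFI boots with Linux 5.6 or newer; older kernels ignore it.`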
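Review bot: Swapping `rm` for `shred` buys little here and the comment does not say what it is meant to achieve: the contents of System.map are public (the identical file ships in the kernel package), so overwriting the blocks hides nothing that deleting did not, and shred(1) itself documents that on journaling or copy-on-write filesystems and on SSDs the overwrite is not guaranteed to reach the old blocks. If shred stays, I would record the trade-off above the loop: `## shred instead of rm is best-effort only: not reliable on journaling/CoW filesystems or SSDs, see shred(1).` The argument is rendered here as `"$(unknown)"`, which I take to be the loop's `$filename`.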
@@ -26,7 +26,9 @@ fi ## Removes the System.map files as they are only used for debugging or malware. for filename in ${system_map_location} ; do if [ -f "$(unknown)" ]; then - shred --verbose --force --zero -u "$(unknown)" + ## 'shred' with '--verbose' is too chatty. (7 lines) + shred --force --zero -u "$(unknown)" + echo "removed '$(unknown)'" fi done From a79ce7fa68c22048d3e10789fe209b14b818d0fb Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 15 Feb 2020 17:30:21 +0000 Subject: [PATCH 0250/1650] Document ldisc_autoload better --- etc/sysctl.d/30_security-misc.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 846670e..d14b46d 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -126,7 +126,10 @@ net.ipv4.tcp_timestamps=0 ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ kernel.sysrq=132 -## Restrict loading line disciplines to CAP_SYS_MODULE to prevent +## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent ## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl to exploit them. +## with the TIOCSETD ioctl which has been used in exploits before +## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## +## https://lkml.org/lkml/2019/4/15/890 dev.tty.ldisc_autoload=0 From 3df008f0b9aa08c8b92c89439abeb029f5d1f316 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 15 Feb 2020 15:28:30 -0500 Subject: [PATCH 0251/1650] readme --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d08af65..5b4ff90 100644 --- a/README.md +++ b/README.md 
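Review bot: The new `echo "removed '...'"` line runs unconditionally, so if shred fails (read-only /boot, permission problem) the log still claims the file was removed; the script header is outside the hunk, so I cannot tell whether `set -e` would abort before the echo. Tie the message to shred's exit status, e.g. `shred --force --zero -u "$filename" || { echo "ERROR: shred failed for '$filename'" >&2; continue; }` followed by `echo "removed '$filename'"` (use `exit 1` instead of `continue` if one failure should fail the service). The argument appears here as `"$(unknown)"`, which I read as the loop variable `$filename` from the `for` line.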
@@ -30,7 +30,9 @@ attacks, enabling RFC1337 to protect against time-wait assassination attacks and enabling reverse path filtering to prevent IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. -* Some data spoofing attacks are made harder. +* Avoids unintentional writes to attacker-controlled files. + +* Prevents symlink/hardlink TOCTOU races. * SACK can be disabled as it is commonly exploited and is rarely used by uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. @@ -100,6 +102,11 @@ as early as possible. * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. +* Restricts the SysRq key so it can only be used for shutdowns and the +Secure Attention Key. + +* Restricts loading line disciplines to CAP_SYS_MODULE. + Improve Entropy Collection * Load jitterentropy_rng kernel module. From dce54d5d0f7c6017037b5fb6a5851dd90ce5d762 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 15 Feb 2020 15:29:38 -0500 Subject: [PATCH 0252/1650] bumped changelog version --- changelog.upstream | 132 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 138 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f1fcc8b..6731302 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,123 @@ +commit 3df008f0b9aa08c8b92c89439abeb029f5d1f316 +Author: Patrick Schleizer +Date: Sat Feb 15 15:28:30 2020 -0500 + + readme + +commit 757df8fceb29d9b6143cf26e73cb31dde69d0a71 +Merge: 9bbae90 a9a1581 +Author: Patrick Schleizer +Date: Sat Feb 15 05:43:43 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit a9a1581720739966e94f18be556552e9d75d63b1 +Merge: 9bbae90 1e5946c +Author: Patrick Schleizer +Date: Sat Feb 15 10:42:20 2020 +0000 + + Merge pull request #60 from madaidan/sysrq + + Restrict the SysRq key + +commit 1e5946c795e3962fdc2229146b9331d36a1d6c41 +Merge: 0f49736 9bbae90 +Author: Patrick Schleizer +Date: Sat Feb 15 10:41:52 2020 +0000 + + Merge branch 'master' into sysrq + +commit 9bbae903fe5ee58d4a22dfeab51cbb179b8cfb14 +Author: Patrick Schleizer +Date: Sat Feb 15 05:29:48 2020 -0500 + + remove-system.map: lower verbosity output + +commit cce35e5109489df44916a08722d9016bb1e578ec +Merge: 14140ad e403517 +Author: Patrick Schleizer +Date: Sat Feb 15 05:27:52 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit e40351796e297673e1ec45dee7483079e96d9639 +Merge: 5124f8c 31009f0 +Author: Patrick Schleizer +Date: Sat Feb 15 10:25:15 2020 +0000 + + Merge pull request #62 from madaidan/shred + + Shred System.map files + +commit 5124f8cebcf6113547d11fc5193f83af1a2b6f84 +Merge: ac8757a 9b76713 +Author: Patrick Schleizer +Date: Sat Feb 15 10:18:56 2020 +0000 + + Merge pull request #61 from madaidan/disable_early_pci_dma + + Avoid holes in IOMMU + +commit ac8757a031a02c6cbad564e6a857954c0cf01a54 +Merge: ad6b766 ace6211 +Author: Patrick Schleizer +Date: Sat Feb 15 10:09:46 2020 +0000 + + Merge pull request #59 from madaidan/ldisc + + Restrict loading line disciplines to CAP_SYS_MODULE + +commit 31009f0bfa10e7b67f5823a5be92273e5414fff3 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 23:46:19 2020 +0000 + + Shred System.map files + +commit 9b767139ef82279e00d86f7f1e1e8bf73d795651 +Author: 
madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:52:01 2020 +0000 + + Avoid holes in IOMMU + +commit 0f497369574811b0e7fb832636a5618e62618619 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:18:18 2020 +0000 + + Update control + +commit d251c43344a04e1dd8afbf12352432810874e021 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:17:20 2020 +0000 + + Restrict the SysRq key + +commit ace62111761451a13c446767dfd3c32b9b70a7f8 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 17:51:17 2020 +0000 + + Update control + +commit 0ea7dd161b3e643c23624e6dcb450116824b6301 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 17:50:19 2020 +0000 + + Restrict loading line disciplines to CAP_SYS_MODULE + +commit ad6b76688677cd4f9f0b2f2524c0f6b0a381bf29 +Merge: 14140ad 14f8458 +Author: Patrick Schleizer +Date: Thu Feb 13 18:40:58 2020 +0000 + + Merge pull request #57 from madaidan/sysctl + + Prevent symlink/hardlink TOCTOU races + +commit 14140ad41ba45b2457570a7df28b42cfd3bf3155 +Author: Patrick Schleizer +Date: Thu Feb 13 13:39:45 2020 -0500 + + bumped changelog version + commit d1fa191bc0ad58ea4fbb5b4db383311f87319dfe Author: Patrick Schleizer Date: Thu Feb 13 13:38:21 2020 -0500 @@ -38,6 +158,18 @@ Date: Wed Feb 12 18:36:05 2020 +0000 Update 40_kernel_hardening.cfg +commit 14f845837476810f1eb3038d9d41f9ad8088b916 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:05:32 2020 +0000 + + Update control + +commit 5cb21d0d4d36fd516f17a9b5378443859f497027 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:03:23 2020 +0000 + + Prevent symlink/hardlink TOCTOU races + commit 163e20b886f298cb9d3aca54c14f66991001b396 Author: Patrick Schleizer Date: Wed Feb 5 06:31:48 2020 -0500 diff --git a/debian/changelog b/debian/changelog index f1357e0..4657b62 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 15 Feb 2020 20:29:38 +0000 + security-misc (3:16.2-1) unstable; urgency=medium * New upstream version (local package). From 01eaee997e34aa73a11dffe032ace5ef23c37e28 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 15 Feb 2020 15:35:44 -0500 Subject: [PATCH 0253/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6731302..e21dba5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,9 +1,37 @@ +commit 412a83923dd09f36a25ebf9ce1991369d09c5e34 +Merge: dce54d5 4399a51 +Author: Patrick Schleizer +Date: Sat Feb 15 15:30:32 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit dce54d5d0f7c6017037b5fb6a5851dd90ce5d762 +Author: Patrick Schleizer +Date: Sat Feb 15 15:29:38 2020 -0500 + + bumped changelog version + commit 3df008f0b9aa08c8b92c89439abeb029f5d1f316 Author: Patrick Schleizer Date: Sat Feb 15 15:28:30 2020 -0500 readme +commit 4399a512bef77ddec428bd4150cacebb77fc22da +Merge: 757df8f a79ce7f +Author: Patrick Schleizer +Date: Sat Feb 15 19:43:05 2020 +0000 + + Merge pull request #63 from madaidan/ldisc_autoload + + Document ldisc_autoload better + +commit a79ce7fa68c22048d3e10789fe209b14b818d0fb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Feb 15 17:30:21 2020 +0000 + + Document ldisc_autoload better + commit 757df8fceb29d9b6143cf26e73cb31dde69d0a71 Merge: 9bbae90 a9a1581 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 4657b62..8f37076 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:16.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 15 Feb 2020 20:35:44 +0000 + security-misc (3:16.3-1) unstable; urgency=medium * New upstream version (local package). From f6b6ab374ea2b24dfd4ac49bc1a595b50ab3d952 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 19:51:32 +0000 Subject: [PATCH 0254/1650] Gather more entropy during boot --- etc/default/grub.d/40_kernel_hardening.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e456416..6bdbff2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -53,3 +53,9 @@ fi #if dpkg --compare-versions "${kver}" ge "5.4"; then # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" #fi + +## Gather more entropy during boot. +## +## Requires linux-hardened kernel patch. +## https://github.com/anthraxx/linux-hardened +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" From 8ea4e50c8e9c3c9ee650b665a32b78f67aedc1aa Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 16 Feb 2020 19:52:40 +0000 Subject: [PATCH 0255/1650] Update control --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index ecf129e..be53466 100644 --- a/debian/control +++ b/debian/control @@ -136,6 +136,8 @@ Description: enhances misc security settings * https://twitter.com/pid_eins/status/1149649806056280069 * For more references, see: * /etc/default/grub.d/40_distrust_cpu.cfg + . + * Gathers more entropy during boot if using the linux-hardened kernel patch. . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. From 6b64b36b0190198f5edfda6c704a9efe3ea5b9a6 Mon Sep 17 00:00:00 2001 
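Review bot: `extra_latent_entropy` is appended unconditionally even though the comment says it requires the linux-hardened patch, so on the stock Debian kernel it is an unknown parameter; as far as I can tell the kernel then hands it to init (and newer kernels log it as unknown), which is harmless but puzzling for anyone reading dmesg. I would say so in the comment so nobody chases it: `## Ignored (and logged as an unknown parameter by newer kernels) on kernels without the patch.` The file already gates other parameters on `${kver}`, but a version check cannot detect the patch, so a comment is the most that can be done here.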
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 24 Feb 2020 18:23:15 +0000 Subject: [PATCH 0256/1650] Restrict the userfaultfd() syscall to root --- etc/sysctl.d/30_security-misc.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index d14b46d..e83df56 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -133,3 +133,9 @@ kernel.sysrq=132 ## ## https://lkml.org/lkml/2019/4/15/890 dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to root as it can make heap sprays +## easier. +## +## https://duasynt.com/blog/linux-kernel-heap-spray +vm.unprivileged_userfaultfd=0 From 60fbf8b0de8a631d8a63c64f7e8181fee501c237 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 24 Feb 2020 18:24:07 +0000 Subject: [PATCH 0257/1650] Update control --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index be53466..09b34f4 100644 --- a/debian/control +++ b/debian/control @@ -124,6 +124,8 @@ Description: enhances misc security settings Secure Attention Key. . * Restricts loading line disciplines to CAP_SYS_MODULE. + . + * Restricts the `userfaultfd()` syscall to root. . Improve Entropy Collection . From 0e5187ff249c686908506896e01125e37d194543 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 25 Feb 2020 02:00:27 -0500 Subject: [PATCH 0258/1650] description --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index be53466..45355db 100644 --- a/debian/control +++ b/debian/control 
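Review bot: The comment says the syscall is restricted "to root", but the kernel's check behind `vm.unprivileged_userfaultfd=0` is, as far as I recall, for `CAP_SYS_PTRACE` rather than uid 0, and the key only exists on Linux 5.2 and newer, so older kernels will log an unknown-key error for it. I would make the comment precise: `## Restrict userfaultfd() to processes with CAP_SYS_PTRACE (Linux 5.2+) as it makes heap sprays easier.` Anything that relies on unprivileged userfaultfd will get EPERM after this, which deserves a line in the package description as well.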
@@ -90,6 +90,7 @@ Description: enhances misc security settings * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns + `/etc/modprobe.d/30_security-misc.conf` . * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to the root user only. This hides a lot of hardware identifiers from From 4043d2af3f8239a2056610363fc9d53770ebc336 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 25 Feb 2020 02:06:48 -0500 Subject: [PATCH 0259/1650] description --- debian/control | 135 +++++++++++++++++++++++++------------------------ 1 file changed, 68 insertions(+), 67 deletions(-) diff --git a/debian/control b/debian/control index 45355db..f959cbc 100644 --- a/debian/control +++ b/debian/control @@ -31,13 +31,13 @@ Description: enhances misc security settings Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. (!) Hence, this package disables this feature by shipping the - /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. + `/etc/modprobe.d/30_security-misc.conf` configuration file. . - * Kernel symbols in various files in /proc are hidden as they can be + * Kernel symbols in various files in `/proc` are hidden as they can be very useful for kernel exploits. . * Kexec is disabled as it can be used to load a malicious kernel. - /etc/sysctl.d/30_security-misc.conf + `/etc/modprobe.d/30_security-misc.conf` . * ASLR effectiveness for mmap is increased. . 
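Review bot: The kexec bullet now points readers to `/etc/modprobe.d/30_security-misc.conf`, which looks wrong: kexec is disabled through the `kernel.kexec_load_disabled` sysctl and is not a loadable module that a modprobe blacklist could cover, so the old `/etc/sysctl.d/30_security-misc.conf` reference was the accurate one unless this package does something for kexec in modprobe.d that I cannot see here. I would keep the new backtick formatting but restore the sysctl.d path on that line. The nf_conntrack bullet's switch to the consolidated modprobe file is plausible, but the hunk alone does not show that the old `30_nf_conntrack_helper_disable.conf` was actually merged into it.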
@@ -53,7 +53,7 @@ Description: enhances misc security settings * Prevents symlink/hardlink TOCTOU races. . * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. + uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. . * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -72,15 +72,15 @@ Description: enhances misc security settings . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. - /etc/kernel/postinst.d/30_remove-system-map - /lib/systemd/system/remove-system-map.service - /usr/lib/security-misc/remove-system.map + `/etc/kernel/postinst.d/30_remove-system-map` + `/lib/systemd/system/remove-system-map.service` + `/usr/lib/security-misc/remove-system.map` . * Coredumps are disabled as they may contain important information such as encryption keys or passwords. - /etc/security/limits.d/30_security-misc.conf - /etc/sysctl.d/30_security-misc.conf - /lib/systemd/coredump.conf.d/30_security-misc.conf + `/etc/security/limits.d/30_security-misc.conf` + `/etc/sysctl.d/30_security-misc.conf` + `/lib/systemd/coredump.conf.d/30_security-misc.conf` . * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. 
@@ -92,16 +92,16 @@ Description: enhances misc security settings https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns `/etc/modprobe.d/30_security-misc.conf` . - * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and - /sys to the root user only. This hides a lot of hardware identifiers from - unprivileged users and increases security as /sys exposes a lot of information + * A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and + `/sys` to the root user only. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by running `systemctl enable hide-hardware-info.service` as root. - /usr/lib/security-misc/hide-hardware-info - /lib/systemd/system/hide-hardware-info.service - /lib/systemd/system/user@.service.d/sysfs.conf - /etc/hide-hardware-info.d/30_default.conf + `/usr/lib/security-misc/hide-hardware-info` + `/lib/systemd/system/hide-hardware-info.service` + `/lib/systemd/system/user@.service.d/sysfs.conf` + `/etc/hide-hardware-info.d/30_default.conf` . * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. @@ -114,8 +114,8 @@ Description: enhances misc security settings * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. . - * An initramfs hook sets the sysctl values in /etc/sysctl.conf and - /etc/sysctl.d before init is executed so sysctl hardening is enabled + * An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. . * The kernel panics on oopses to prevent it from continuing to run a flawed 
@@ -124,25 +124,25 @@ Description: enhances misc security settings * Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key. . - * Restricts loading line disciplines to CAP_SYS_MODULE. + * Restricts loading line disciplines to `CAP_SYS_MODULE`. . Improve Entropy Collection . - * Load jitterentropy_rng kernel module. - /usr/lib/modules-load.d/30_security-misc.conf + * Load `jitterentropy_rng` kernel module. + `/usr/lib/modules-load.d/30_security-misc.conf` . * Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor. * https://en.wikipedia.org/wiki/RDRAND#Reception * https://twitter.com/pid_eins/status/1149649806056280069 * For more references, see: - * /etc/default/grub.d/40_distrust_cpu.cfg + * `/etc/default/grub.d/40_distrust_cpu.cfg` . * Gathers more entropy during boot if using the linux-hardened kernel patch. . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. - /etc/modprobe.d/uncommon-network-protocols.conf + `/etc/modprobe.d/30_security-misc.conf` The network protocols that are blacklisted are: . * DCCP - Datagram Congestion Control Protocol 
@@ -165,16 +165,17 @@ Description: enhances misc security settings . user restrictions: . - * remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and - noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To - opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). - Alternatively file /usr/local/etc/remount-disable or file - /usr/local/etc/noexec could be used. - /lib/systemd/system/remount-secure.service - /usr/lib/security-misc/remount-secure + * remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` + (default) and `noexec` (opt-in). To disable this, run + `sudo touch /etc/remount-disable`. To opt-in `noexec`, run + `sudo touch /etc/noexec` and reboot (easiest). + Alternatively file `/usr/local/etc/remount-disable` or file + `/usr/local/etc/noexec` could be used. + `/lib/systemd/system/remount-secure.service` + `/usr/lib/security-misc/remount-secure` . - * A systemd service mounts /proc with hidepid=2 at boot to prevent users from - seeing each other's processes. + * A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users + from seeing each other's processes. . * The kernel logs are restricted to root only. . 
@@ -186,35 +187,35 @@ Description: enhances misc security settings . * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. - /usr/share/pam-configs/wheel-security-misc + `/usr/share/pam-configs/wheel-security-misc` (Which results in a change in file `/etc/pam.d/common-auth`.) . * Add user `root` to group `sudo`. This is required to make above work so login as a user in a virtual console is still possible. - debian/security-misc.postinst + `debian/security-misc.postinst` . * Abort login for users with locked passwords. - /usr/lib/security-misc/pam-abort-on-locked-password + `/usr/lib/security-misc/pam-abort-on-locked-password` . * Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty /etc/securetty. - (Deletion of /etc/securetty has a different effect.) - /etc/securetty.security-misc + prevented by shipping an existing and empty `/etc/securetty`. + (Deletion of `/etc/securetty` has a different effect.) + `/etc/securetty.security-misc` . * Console Lockdown. Allow members of group 'console' to use console. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, - unpopular login methods such as using /bin/login over networks, which might + unpopular login methods such as using `/bin/login` over networks, which might be exploitable. (CVE-2001-0797) Using pam_access. Not enabled by default in this package since this package does not know which users shall be added to group 'console' and would break console. - /usr/share/pam-configs/console-lockdown-security-misc - /etc/security/access-security-misc.conf + `/usr/share/pam-configs/console-lockdown-security-misc` + `/etc/security/access-security-misc.conf` . Protect Linux user accounts against brute force attacks. - Lock user accounts after 50 failed login attempts using pam_tally2. 
- /usr/share/pam-configs/tally2-security-misc + Lock user accounts after 50 failed login attempts using `pam_tally2`. + `/usr/share/pam-configs/tally2-security-misc` . informational output during Linux PAM: . @@ -222,25 +223,25 @@ Description: enhances misc security settings * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. - * /usr/share/pam-configs/tally2-security-misc - * /usr/lib/security-misc/pam_tally2-info - * /usr/lib/security-misc/pam-abort-on-locked-password + * `/usr/share/pam-configs/tally2-security-misc` + * `/usr/lib/security-misc/pam_tally2-info` + * `/usr/lib/security-misc/pam-abort-on-locked-password` . access rights restrictions: . * Strong Linux User Account Separation. Removes read, write and execute access for others for all users who have - home folders under folder /home by running for example + home folders under folder `/home` by running for example "chmod o-rwx /home/user" - during package installation, upgrade or pam mkhomedir. This will be done only - once per - folder in folder /home so users who wish to relax file permissions are free to + during package installation, upgrade or pam `mkhomedir`. This will be done + only once per folder in folder `/home` so users who wish to relax file + permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. - debian/security-misc.postinst - /usr/lib/security-misc/permission-lockdown - /usr/share/pam-configs/mkhomedir-security-misc + `debian/security-misc.postinst` + `/usr/lib/security-misc/permission-lockdown` + `/usr/share/pam-configs/mkhomedir-security-misc` . * SUID / GUID removal and permission hardening. A systemd service removed SUID / GUID from non-essential binaries as these are 
@@ -248,17 +249,17 @@ Description: enhances misc security settings It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. https://forums.whonix.org/t/disable-suid-binaries/7706 - /usr/lib/security-misc/permission-hardening - /lib/systemd/system/permission-hardening.service - /etc/permission-hardening.d/30_default.conf + `/usr/lib/security-misc/permission-hardening` + `/lib/systemd/system/permission-hardening.service` + `/etc/permission-hardening.d/30_default.conf` . access rights relaxations: . - Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with - hidepid. + Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible + with `hidepid`. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 - /usr/bin/pkexec.security-misc + `/usr/bin/pkexec.security-misc` . This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. 
@@ -269,14 +270,14 @@ Description: enhances misc security settings https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. - Therefore this package enables passwordless resuce and emergency shell. - This is the same solution that Debian will likely addapt for Debian + Therefore this package enables passwordless rescue and emergency shell. + This is the same solution that Debian will likely adapt for Debian installer. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 Adverse security effects can be prevented by setting up BIOS password protection, grub password protection and/or full disk encryption. - /etc/systemd/system/emergency.service.d/override.conf - /etc/systemd/system/rescue.service.d/override.conf + `/etc/systemd/system/emergency.service.d/override.conf` + `/etc/systemd/system/rescue.service.d/override.conf` . Disables TCP Time Stamps: . @@ -293,7 +294,7 @@ Description: enhances misc security settings public IP used by a user. . Hence, this package disables this feature by shipping the - /etc/sysctl.d/30_security-misc.conf configuration file. + `/etc/sysctl.d/30_security-misc.conf` configuration file. . Note that TCP time stamps normally have some usefulness. They are needed for: @@ -311,10 +312,10 @@ Description: enhances misc security settings . Application specific hardening: . - * Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox + * Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` * Deactivates previews in Dolphin. * Deactivates previews in Nautilus. - /usr/share/glib-2.0/schemas/30_security-misc.gschema.override + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phising attacks more difficult. Fixing URL not showing real Domain 
From d04d4bf0950b60b8e5bf51b2303bbecdbc5fe326 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 25 Feb 2020 02:08:10 -0500 Subject: [PATCH 0260/1650] description --- README.md | 138 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 71 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index 5b4ff90..4b78da9 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,13 @@ kernel hardening: Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. (!) Hence, this package disables this feature by shipping the -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. +`/etc/modprobe.d/30_security-misc.conf` configuration file. -* Kernel symbols in various files in /proc are hidden as they can be +* Kernel symbols in various files in `/proc` are hidden as they can be very useful for kernel exploits. * Kexec is disabled as it can be used to load a malicious kernel. -/etc/sysctl.d/30_security-misc.conf +`/etc/modprobe.d/30_security-misc.conf` * ASLR effectiveness for mmap is increased. @@ -35,7 +35,7 @@ mitigate vulnerabilities such as CVE-2019-14899. * Prevents symlink/hardlink TOCTOU races. * SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. +uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. 
@@ -54,15 +54,15 @@ KASLR effectiveness. * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. -/etc/kernel/postinst.d/30_remove-system-map -/lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/remove-system.map +`/etc/kernel/postinst.d/30_remove-system-map` +`/lib/systemd/system/remove-system-map.service` +`/usr/lib/security-misc/remove-system.map` * Coredumps are disabled as they may contain important information such as encryption keys or passwords. -/etc/security/limits.d/30_security-misc.conf -/etc/sysctl.d/30_security-misc.conf -/lib/systemd/coredump.conf.d/30_security-misc.conf +`/etc/security/limits.d/30_security-misc.conf` +`/etc/sysctl.d/30_security-misc.conf` +`/lib/systemd/coredump.conf.d/30_security-misc.conf` * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. 
@@ -72,17 +72,18 @@ used for DMA (Direct Memory Access) attacks. * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +`/etc/modprobe.d/30_security-misc.conf` -* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and -/sys to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as /sys exposes a lot of information +* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and +`/sys` to the root user only. This hides a lot of hardware identifiers from +unprivileged users and increases security as `/sys` exposes a lot of information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by running `systemctl enable hide-hardware-info.service` as root. -/usr/lib/security-misc/hide-hardware-info -/lib/systemd/system/hide-hardware-info.service -/lib/systemd/system/user@.service.d/sysfs.conf -/etc/hide-hardware-info.d/30_default.conf +`/usr/lib/security-misc/hide-hardware-info` +`/lib/systemd/system/hide-hardware-info.service` +`/lib/systemd/system/user@.service.d/sysfs.conf` +`/etc/hide-hardware-info.d/30_default.conf` * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. @@ -95,8 +96,8 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. -* An initramfs hook sets the sysctl values in /etc/sysctl.conf and -/etc/sysctl.d before init is executed so sysctl hardening is enabled +* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and +`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. * The kernel panics on oopses to prevent it from continuing to run a flawed 
@@ -105,23 +106,25 @@ process and to deter brute forcing. * Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key. -* Restricts loading line disciplines to CAP_SYS_MODULE. +* Restricts loading line disciplines to `CAP_SYS_MODULE`. Improve Entropy Collection -* Load jitterentropy_rng kernel module. -/usr/lib/modules-load.d/30_security-misc.conf +* Load `jitterentropy_rng` kernel module. +`/usr/lib/modules-load.d/30_security-misc.conf` * Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor. * https://en.wikipedia.org/wiki/RDRAND#Reception * https://twitter.com/pid_eins/status/1149649806056280069 * For more references, see: -* /etc/default/grub.d/40_distrust_cpu.cfg +* `/etc/default/grub.d/40_distrust_cpu.cfg` + +* Gathers more entropy during boot if using the linux-hardened kernel patch. Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. -/etc/modprobe.d/uncommon-network-protocols.conf +`/etc/modprobe.d/30_security-misc.conf` The network protocols that are blacklisted are: * DCCP - Datagram Congestion Control Protocol 
@@ -144,16 +147,17 @@ The network protocols that are blacklisted are: user restrictions: -* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and -noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To -opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). -Alternatively file /usr/local/etc/remount-disable or file -/usr/local/etc/noexec could be used. -/lib/systemd/system/remount-secure.service -/usr/lib/security-misc/remount-secure +* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` +(default) and `noexec` (opt-in). To disable this, run +`sudo touch /etc/remount-disable`. To opt-in `noexec`, run +`sudo touch /etc/noexec` and reboot (easiest). +Alternatively file `/usr/local/etc/remount-disable` or file +`/usr/local/etc/noexec` could be used. +`/lib/systemd/system/remount-secure.service` +`/usr/lib/security-misc/remount-secure` -* A systemd service mounts /proc with hidepid=2 at boot to prevent users from -seeing each other's processes. +* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users +from seeing each other's processes. * The kernel logs are restricted to root only. 
@@ -165,35 +169,35 @@ restricts access to the root account: * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. -/usr/share/pam-configs/wheel-security-misc +`/usr/share/pam-configs/wheel-security-misc` (Which results in a change in file `/etc/pam.d/common-auth`.) * Add user `root` to group `sudo`. This is required to make above work so login as a user in a virtual console is still possible. -debian/security-misc.postinst +`debian/security-misc.postinst` * Abort login for users with locked passwords. -/usr/lib/security-misc/pam-abort-on-locked-password +`/usr/lib/security-misc/pam-abort-on-locked-password` * Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty /etc/securetty. -(Deletion of /etc/securetty has a different effect.) -/etc/securetty.security-misc +prevented by shipping an existing and empty `/etc/securetty`. +(Deletion of `/etc/securetty` has a different effect.) +`/etc/securetty.security-misc` * Console Lockdown. Allow members of group 'console' to use console. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using /bin/login over networks, which might +unpopular login methods such as using `/bin/login` over networks, which might be exploitable. (CVE-2001-0797) Using pam_access. Not enabled by default in this package since this package does not know which users shall be added to group 'console' and would break console. -/usr/share/pam-configs/console-lockdown-security-misc -/etc/security/access-security-misc.conf +`/usr/share/pam-configs/console-lockdown-security-misc` +`/etc/security/access-security-misc.conf` Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using pam_tally2. 
-/usr/share/pam-configs/tally2-security-misc +Lock user accounts after 50 failed login attempts using `pam_tally2`. +`/usr/share/pam-configs/tally2-security-misc` informational output during Linux PAM: @@ -201,25 +205,25 @@ informational output during Linux PAM: * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. -* /usr/share/pam-configs/tally2-security-misc -* /usr/lib/security-misc/pam_tally2-info -* /usr/lib/security-misc/pam-abort-on-locked-password +* `/usr/share/pam-configs/tally2-security-misc` +* `/usr/lib/security-misc/pam_tally2-info` +* `/usr/lib/security-misc/pam-abort-on-locked-password` access rights restrictions: * Strong Linux User Account Separation. Removes read, write and execute access for others for all users who have -home folders under folder /home by running for example +home folders under folder `/home` by running for example "chmod o-rwx /home/user" -during package installation, upgrade or pam mkhomedir. This will be done only -once per -folder in folder /home so users who wish to relax file permissions are free to +during package installation, upgrade or pam `mkhomedir`. This will be done +only once per folder in folder `/home` so users who wish to relax file +permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. -debian/security-misc.postinst -/usr/lib/security-misc/permission-lockdown -/usr/share/pam-configs/mkhomedir-security-misc +`debian/security-misc.postinst` +`/usr/lib/security-misc/permission-lockdown` +`/usr/share/pam-configs/mkhomedir-security-misc` * SUID / GUID removal and permission hardening. A systemd service removed SUID / GUID from non-essential binaries as these are 
@@ -227,17 +231,17 @@ often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. https://forums.whonix.org/t/disable-suid-binaries/7706 -/usr/lib/security-misc/permission-hardening -/lib/systemd/system/permission-hardening.service -/etc/permission-hardening.d/30_default.conf +`/usr/lib/security-misc/permission-hardening` +`/lib/systemd/system/permission-hardening.service` +`/etc/permission-hardening.d/30_default.conf` access rights relaxations: -Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -hidepid. +Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible +with `hidepid`. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 -/usr/bin/pkexec.security-misc +`/usr/bin/pkexec.security-misc` This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. 
@@ -248,14 +252,14 @@ https://www.whonix.org/wiki/Root https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore this package enables passwordless resuce and emergency shell. -This is the same solution that Debian will likely addapt for Debian +Therefore this package enables passwordless rescue and emergency shell. +This is the same solution that Debian will likely adapt for Debian installer. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 Adverse security effects can be prevented by setting up BIOS password protection, grub password protection and/or full disk encryption. -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf +`/etc/systemd/system/emergency.service.d/override.conf` +`/etc/systemd/system/rescue.service.d/override.conf` Disables TCP Time Stamps: @@ -272,7 +276,7 @@ also allow one to look for clocks that match an expected value to find the public IP used by a user. Hence, this package disables this feature by shipping the -/etc/sysctl.d/30_security-misc.conf configuration file. +`/etc/sysctl.d/30_security-misc.conf` configuration file. Note that TCP time stamps normally have some usefulness. They are needed for: @@ -290,10 +294,10 @@ of the user connection. Application specific hardening: -* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox +* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` * Deactivates previews in Dolphin. * Deactivates previews in Nautilus. -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phising attacks more difficult. Fixing URL not showing real Domain 
From 42d3b986c41854fc2990557d2333874e9379793b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 27 Feb 2020 17:41:14 +0000 Subject: [PATCH 0261/1650] Update control --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index be53466..84b2880 100644 --- a/debian/control +++ b/debian/control @@ -62,7 +62,7 @@ Description: enhances misc security settings . * Memory zeroing at allocation and free time is enabled. . - * Machine checks (MCE) are disabled which makes the kernel panic + * The machine check tolerance level is decreased which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. . * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase From b31caefdeb8b76537982e359e708b57081d7b381 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 29 Feb 2020 04:59:02 -0500 Subject: [PATCH 0262/1650] description --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index f959cbc..a814e85 100644 --- a/debian/control +++ b/debian/control @@ -323,7 +323,7 @@ Description: enhances misc security settings . Want more? Look into these: . - * Linux Kernel Runtime Guard (LKRG). Kills whole Classes of Kernel Exploits. + * Linux Kernel Runtime Guard (LKRG) * tirdad - TCP ISN CPU Information Leak Protection. * Whonix ™ - Anonymous Operating System * Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution From 32269d32b63e549f76b4090b675dd53256fbc42d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 29 Feb 2020 04:59:15 -0500 Subject: [PATCH 0263/1650] description --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b78da9..0150535 100644 --- a/README.md +++ b/README.md 
@@ -305,7 +305,7 @@ Name (Homograph attack). Want more? Look into these: -* Linux Kernel Runtime Guard (LKRG). Kills whole Classes of Kernel Exploits. +* Linux Kernel Runtime Guard (LKRG) * tirdad - TCP ISN CPU Information Leak Protection. * Whonix ™ - Anonymous Operating System * Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution From 649ec5dfa1d2c0e324d8054b4c7402ab2b462d93 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 29 Feb 2020 04:59:56 -0500 Subject: [PATCH 0264/1650] pkexec wrapper: fix gdebi / synaptic but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d exceptions. http://forums.whonix.org/t/cannot-use-pkexec/8129/53 --- usr/bin/pkexec.security-misc | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 8a844fc..03d7f9a 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc 
@@ -104,14 +104,15 @@ exit_code=0
 
 ## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
 ## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
-if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
- log_to_journal "sudoers exception: yes"
- sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
- log_to_journal "sudo --user | exit_code: '$exit_code'"
- exit "$exit_code"
-fi
-
-log_to_journal "sudoers exception: no"
+## Did not work. 'sudo -l' will always exit with exit code '0'.
+# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
+# log_to_journal "sudoers exception: yes"
+# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+# log_to_journal "sudo --user | exit_code: '$exit_code'"
+# exit "$exit_code"
+# fi
+#
+# log_to_journal "sudoers exception: no"
 
 if [ "$switch_user" = "true" ]; then
 ## 'sudo --user user' clears environment variables such as PATH.
From 201d6b5efc355b08b5f94f9284d2242dec9c56b8 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 3 Mar 2020 09:07:42 -0500
Subject: [PATCH 0265/1650] readme

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0150535..a638679 100644
--- a/README.md
+++ b/README.md
@@ -44,7 +44,7 @@ way which an attacker can exploit. * Memory zeroing at allocation and free time is enabled. -* Machine checks (MCE) are disabled which makes the kernel panic +* The machine check tolerance level is decreased which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
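Review bot: The `sudo -l` probe is kept as nine commented-out `# ` lines instead of being deleted, and the one-line reason `## Did not work. 'sudo -l' will always exit with exit code '0'.` does not say under what conditions that was observed, so a later maintainer cannot tell whether the block is safe to revive; sudo's own documentation describes `sudo -l command` exiting non-zero when the command is not permitted, so the always-0 result may stem from passing the `PKEXEC_UID=...` assignment or `--non-interactive` and deserves a sentence. Git history already preserves the removed code, so I would drop the commented block and keep a single comment that also records the trade-off named in the commit message, e.g. `## Detection of passwordless sudoers exceptions via 'sudo -l' was removed (it always exited 0 here), so every call now goes through lxqt-sudo. https://forums.whonix.org/t/cannot-use-pkexec/8129/53`. With the probe gone, users who have passwordless entries in /etc/sudoers or /etc/sudoers.d will presumably now get an lxqt-sudo password prompt rather than a silent run, which is fail-closed but worth stating in the README/control entry for `/usr/bin/pkexec.security-misc`. The script continues outside the hunk on both sides.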
@@ -108,6 +108,8 @@ Secure Attention Key. * Restricts loading line disciplines to `CAP_SYS_MODULE`. +* Restricts the `userfaultfd()` syscall to root. + Improve Entropy Collection * Load `jitterentropy_rng` kernel module. From 7e3fedefb234e584d900c036c424ac083a9efa3d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Mar 2020 09:12:50 -0500 Subject: [PATCH 0266/1650] bumped changelog version --- changelog.upstream | 131 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 137 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e21dba5..1bebee3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,134 @@ +commit 201d6b5efc355b08b5f94f9284d2242dec9c56b8 +Author: Patrick Schleizer +Date: Tue Mar 3 09:07:42 2020 -0500 + + readme + +commit 63c6405ab74f0dd5f3ec3838135b29304a3d1fc8 +Merge: e3e39f2 453aa8a +Author: Patrick Schleizer +Date: Sat Feb 29 07:34:46 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 453aa8a4eb76fe56ad67f1aea8abfeb122e68a9c +Merge: e3e39f2 60fbf8b +Author: Patrick Schleizer +Date: Sat Feb 29 12:28:32 2020 +0000 + + Merge pull request #65 from madaidan/userfaultfd + + Restrict the userfaultfd() syscall to root + +commit e3e39f22354595c9f21c243d7bdadc1487374db8 +Merge: 649ec5d bd7678c +Author: Patrick Schleizer +Date: Sat Feb 29 05:01:41 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 649ec5dfa1d2c0e324d8054b4c7402ab2b462d93 +Author: Patrick Schleizer +Date: Sat Feb 29 04:59:56 2020 -0500 + + pkexec wrapper: fix gdebi / synaptic + + but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d + exceptions. 
+ + http://forums.whonix.org/t/cannot-use-pkexec/8129/53 + +commit 32269d32b63e549f76b4090b675dd53256fbc42d +Author: Patrick Schleizer +Date: Sat Feb 29 04:59:15 2020 -0500 + + description + +commit b31caefdeb8b76537982e359e708b57081d7b381 +Author: Patrick Schleizer +Date: Sat Feb 29 04:59:02 2020 -0500 + + description + +commit bd7678c574819298b364185fe7e3362c7e8d4930 +Merge: d04d4bf 42d3b98 +Author: Patrick Schleizer +Date: Fri Feb 28 12:04:05 2020 +0000 + + Merge pull request #66 from madaidan/mce + + Fix docs + +commit 42d3b986c41854fc2990557d2333874e9379793b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Thu Feb 27 17:41:14 2020 +0000 + + Update control + +commit d04d4bf0950b60b8e5bf51b2303bbecdbc5fe326 +Author: Patrick Schleizer +Date: Tue Feb 25 02:08:10 2020 -0500 + + description + +commit 4043d2af3f8239a2056610363fc9d53770ebc336 +Author: Patrick Schleizer +Date: Tue Feb 25 02:06:48 2020 -0500 + + description + +commit 0e5187ff249c686908506896e01125e37d194543 +Author: Patrick Schleizer +Date: Tue Feb 25 02:00:27 2020 -0500 + + description + +commit 60fbf8b0de8a631d8a63c64f7e8181fee501c237 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Feb 24 18:24:07 2020 +0000 + + Update control + +commit 6b64b36b0190198f5edfda6c704a9efe3ea5b9a6 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Feb 24 18:23:15 2020 +0000 + + Restrict the userfaultfd() syscall to root + +commit 221000db5b184664c09dfe9cb7055de45331a7e1 +Merge: 01eaee9 c7f2537 +Author: Patrick Schleizer +Date: Mon Feb 17 03:17:11 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit c7f2537930925e3ec250db81791a107af003079b +Merge: 01eaee9 8ea4e50 +Author: Patrick Schleizer +Date: Mon Feb 17 08:16:34 2020 +0000 + + Merge pull request #64 from madaidan/extra_latent_entropy + + Gather more entropy during boot + +commit 8ea4e50c8e9c3c9ee650b665a32b78f67aedc1aa +Author: madaidan <50278627+madaidan@users.noreply.github.com> 
+Date: Sun Feb 16 19:52:40 2020 +0000 + + Update control + +commit f6b6ab374ea2b24dfd4ac49bc1a595b50ab3d952 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Feb 16 19:51:32 2020 +0000 + + Gather more entropy during boot + +commit 01eaee997e34aa73a11dffe032ace5ef23c37e28 +Author: Patrick Schleizer +Date: Sat Feb 15 15:35:44 2020 -0500 + + bumped changelog version + commit 412a83923dd09f36a25ebf9ce1991369d09c5e34 Merge: dce54d5 4399a51 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 8f37076..d718b1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 03 Mar 2020 14:12:50 +0000 + security-misc (3:16.4-1) unstable; urgency=medium * New upstream version (local package). From cd19c2da006d38cd0cd3653b31e398d16396d825 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Mar 2020 09:18:24 -0500 Subject: [PATCH 0267/1650] fix lintian warning --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index 3c62bfa..51e1fa8 100644 --- a/debian/control +++ b/debian/control 
@@ -94,10 +94,10 @@ Description: enhances misc security settings . * A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and `/sys` to the root user only. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of information - that shouldn't be accessible to unprivileged users. As this will break many - things, it is disabled by default and can optionally be enabled by running - `systemctl enable hide-hardware-info.service` as root. + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled by + running `systemctl enable hide-hardware-info.service` as root. `/usr/lib/security-misc/hide-hardware-info` `/lib/systemd/system/hide-hardware-info.service` `/lib/systemd/system/user@.service.d/sysfs.conf` From 1dea4dbcf6fa3299e513d01005b514e42bf51538 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Mar 2020 09:18:38 -0500 Subject: [PATCH 0268/1650] readme --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a638679..4117d54 100644 --- a/README.md +++ b/README.md 
@@ -76,10 +76,10 @@ https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns * A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and `/sys` to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of information -that shouldn't be accessible to unprivileged users. As this will break many -things, it is disabled by default and can optionally be enabled by running -`systemctl enable hide-hardware-info.service` as root. +unprivileged users and increases security as `/sys` exposes a lot of +information that shouldn't be accessible to unprivileged users. As this will +break many things, it is disabled by default and can optionally be enabled by +running `systemctl enable hide-hardware-info.service` as root. `/usr/lib/security-misc/hide-hardware-info` `/lib/systemd/system/hide-hardware-info.service` `/lib/systemd/system/user@.service.d/sysfs.conf` From 8887af26d6a82613ee1f9c3a10ba42fdd2444d1c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Mar 2020 09:19:49 -0500 Subject: [PATCH 0269/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1bebee3..bd155f5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 1dea4dbcf6fa3299e513d01005b514e42bf51538 +Author: Patrick Schleizer +Date: Tue Mar 3 09:18:38 2020 -0500 + + readme + +commit cd19c2da006d38cd0cd3653b31e398d16396d825 +Author: Patrick Schleizer +Date: Tue Mar 3 09:18:24 2020 -0500 + + fix lintian warning + +commit 7e3fedefb234e584d900c036c424ac083a9efa3d +Author: Patrick Schleizer +Date: Tue Mar 3 09:12:50 2020 -0500 + + bumped changelog version + commit 201d6b5efc355b08b5f94f9284d2242dec9c56b8 Author: Patrick Schleizer Date: Tue Mar 3 09:07:42 2020 -0500 
diff --git a/debian/changelog b/debian/changelog index d718b1a..6e3cc31 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 03 Mar 2020 14:19:49 +0000 + security-misc (3:16.5-1) unstable; urgency=medium * New upstream version (local package). From 15dde15a36c3cac0088773670b84f7e1e2b1423f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Mar 2020 09:42:24 -0500 Subject: [PATCH 0270/1650] typo --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 51e1fa8..3c79730 100644 --- a/debian/control +++ b/debian/control @@ -320,7 +320,7 @@ Description: enhances misc security settings `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird - to make phising attacks more difficult. Fixing URL not showing real Domain + to make phishing attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). . Want more? Look into these: From 76eb9579a3038982301fc622c84cd48fa3d88ffd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Mar 2020 08:33:00 -0500 Subject: [PATCH 0271/1650] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4117d54..a15e3a1 100644 --- a/README.md +++ b/README.md @@ -302,7 +302,7 @@ Application specific hardening: `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird -to make phising attacks more difficult. Fixing URL not showing real Domain +to make phishing attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). Want more? Look into these: 
From 71ae6239168d829e25670ffa856ee0f011a168a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Mar 2020 08:36:27 -0500 Subject: [PATCH 0272/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bd155f5..6cdac32 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 76eb9579a3038982301fc622c84cd48fa3d88ffd +Author: Patrick Schleizer +Date: Thu Mar 5 08:33:00 2020 -0500 + + readme + +commit 15dde15a36c3cac0088773670b84f7e1e2b1423f +Author: Patrick Schleizer +Date: Tue Mar 3 09:42:24 2020 -0500 + + typo + +commit 8887af26d6a82613ee1f9c3a10ba42fdd2444d1c +Author: Patrick Schleizer +Date: Tue Mar 3 09:19:49 2020 -0500 + + bumped changelog version + commit 1dea4dbcf6fa3299e513d01005b514e42bf51538 Author: Patrick Schleizer Date: Tue Mar 3 09:18:38 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 6e3cc31..e420169 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 05 Mar 2020 13:36:27 +0000 + security-misc (3:16.6-1) unstable; urgency=medium * New upstream version (local package). From 44351ec9b78d59aeeef44675e8e203c7ace243f0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Mar 2020 21:44:19 -0500 Subject: [PATCH 0273/1650] remove no longer needed code for installation of apparmor profiles --- debian/rules | 5 ----- 1 file changed, 5 deletions(-) diff --git a/debian/rules b/debian/rules index 963b738..f200f9e 100755 --- a/debian/rules +++ b/debian/rules 
@@ -10,8 +10,3 @@ override_dh_installchangelogs: dh_installchangelogs changelog.upstream upstream - -override_dh_install: - dh_apparmor --profile-name='usr.lib.security-misc.pam_tally2-info' - dh_apparmor --profile-name='usr.lib.security-misc.permission-lockdown' - dh_install From 284a49110030b21aa3136447217273337a12acaf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Mar 2020 08:07:10 -0400 Subject: [PATCH 0274/1650] disable `vm.unprivileged_userfaultfd=0` for now because broken https://forums.whonix.org/t/kernel-hardening/7296/406 reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier." https://duasynt.com/blog/linux-kernel-heap-spray --- etc/sysctl.d/30_security-misc.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index e83df56..ed0bd49 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -134,8 +134,10 @@ kernel.sysrq=132 ## https://lkml.org/lkml/2019/4/15/890 dev.tty.ldisc_autoload=0 +## Disable for now. +## https://forums.whonix.org/t/kernel-hardening/7296/406 ## Restrict the userfaultfd() syscall to root as it can make heap sprays ## easier. ## ## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 +#vm.unprivileged_userfaultfd=0 From 04a87f7029736e5ce66f18bb6c42cadf3500b26b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Mar 2020 09:43:24 -0400 Subject: [PATCH 0275/1650] bumped changelog version --- changelog.upstream | 26 ++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 32 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6cdac32..0738830 100644 --- a/changelog.upstream +++ b/changelog.upstream 
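Review bot: The comment added above `#vm.unprivileged_userfaultfd=0` records only a forum link, so a reader cannot tell whether the knob is broken everywhere or merely absent on some kernels; if, as the commit's "because broken" suggests, `sysctl -p` only reports an error on kernels that lack the key, commenting it out for every system drops the heap-spray mitigation on the kernels where it does work. Please state the observed failure in the comment, e.g. `## Disabled for now: on kernels without this sysctl, 'sysctl -p' reports an error (see thread below).`, so the next person can judge whether filtering that single error is the better fix than removing the setting.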
@@ -1,3 +1,29 @@ +commit 284a49110030b21aa3136447217273337a12acaf +Author: Patrick Schleizer +Date: Sun Mar 8 08:07:10 2020 -0400 + + disable `vm.unprivileged_userfaultfd=0` for now + + because broken + + https://forums.whonix.org/t/kernel-hardening/7296/406 + + reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier." + + https://duasynt.com/blog/linux-kernel-heap-spray + +commit 44351ec9b78d59aeeef44675e8e203c7ace243f0 +Author: Patrick Schleizer +Date: Sat Mar 7 21:44:19 2020 -0500 + + remove no longer needed code for installation of apparmor profiles + +commit 71ae6239168d829e25670ffa856ee0f011a168a9 +Author: Patrick Schleizer +Date: Thu Mar 5 08:36:27 2020 -0500 + + bumped changelog version + commit 76eb9579a3038982301fc622c84cd48fa3d88ffd Author: Patrick Schleizer Date: Thu Mar 5 08:33:00 2020 -0500 diff --git a/debian/changelog b/debian/changelog index e420169..8b93a49 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Mar 2020 13:43:24 +0000 + security-misc (3:16.7-1) unstable; urgency=medium * New upstream version (local package). From efb2683cfc168c3b110c6664ee61eabcf85f3f30 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 8 Mar 2020 17:49:12 +0000 Subject: [PATCH 0276/1650] Hide unprivileged_userfaultfd error --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 71e82f4..6912637 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
@@ -15,7 +15,8 @@ prereqs) ;; esac -sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log +grep -v "unprivileged_userfaultfd" /var/log/sysctl-initramfs-error.log true From 4d0de87f799d8032731140e9a5815d4773d91baa Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sun, 8 Mar 2020 17:49:49 +0000 Subject: [PATCH 0277/1650] Disable unprivileged userfaultfd use again --- etc/sysctl.d/30_security-misc.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index ed0bd49..e83df56 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -134,10 +134,8 @@ kernel.sysrq=132 ## https://lkml.org/lkml/2019/4/15/890 dev.tty.ldisc_autoload=0 -## Disable for now. -## https://forums.whonix.org/t/kernel-hardening/7296/406 ## Restrict the userfaultfd() syscall to root as it can make heap sprays ## easier. ## ## https://duasynt.com/blog/linux-kernel-heap-spray -#vm.unprivileged_userfaultfd=0 +vm.unprivileged_userfaultfd=0 From e4118cb21eb8765bc8f4e7b5e05d464d72575824 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 12 Mar 2020 04:43:08 -0400 Subject: [PATCH 0278/1650] bumped changelog version --- changelog.upstream | 34 ++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0738830..88c15f4 100644 --- a/changelog.upstream +++ b/changelog.upstream 
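Review bot: Redirecting stderr to `${rootmnt}/var/log/sysctl-initramfs-error.log` makes each `sysctl -p` depend on that file being writable: in POSIX sh a failed redirection aborts the simple command, so while the real root is still mounted read-only in the initramfs (the normal case) neither `sysctl -p` line runs and none of the hardening sysctls are applied, silently, because the script ends in `true`. The added `grep -v` also reads `/var/log/sysctl-initramfs-error.log` inside the initramfs rather than `${rootmnt}/var/log/...`, so it never sees the file the redirection targets. Avoid writing to the real root at all and filter the one expected message in a pipe: `sysctl -p "${rootmnt}/etc/sysctl.conf" 2>&1 >/dev/null | grep -v "unprivileged_userfaultfd" >&2` and likewise `sysctl -p "${rootmnt}"/etc/sysctl.d/*.conf 2>&1 >/dev/null | grep -v "unprivileged_userfaultfd" >&2` (the glob must stay outside the quotes).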
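Review bot: Restoring `vm.unprivileged_userfaultfd=0` without a note on why it was disabled leaves the next reader where the previous commit left them; the companion change only hides the error in the initramfs script, and the regular boot path (systemd-sysctl reading `/etc/sysctl.d`) will presumably still log a failure on kernels that do not provide the key. Add one line to the comment block, e.g. `## Only available on kernels that provide this sysctl; on older kernels sysctl reports an error that is harmless.`, and hedge the version if you know it.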
@@ -1,3 +1,37 @@ +commit e6e7886a6e3dca1a75943c5a04c4d29ab8682cec +Merge: 04a87f7 711e786 +Author: Patrick Schleizer +Date: Wed Mar 11 09:08:41 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 711e786be504179c832172acb39d567b323520e6 +Merge: 04a87f7 4d0de87 +Author: Patrick Schleizer +Date: Wed Mar 11 13:06:23 2020 +0000 + + Merge pull request #70 from madaidan/userfaultfd + + Fix unprivileged_userfaultfd + +commit 4d0de87f799d8032731140e9a5815d4773d91baa +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Mar 8 17:49:49 2020 +0000 + + Disable unprivileged userfaultfd use again + +commit efb2683cfc168c3b110c6664ee61eabcf85f3f30 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Mar 8 17:49:12 2020 +0000 + + Hide unprivileged_userfaultfd error + +commit 04a87f7029736e5ce66f18bb6c42cadf3500b26b +Author: Patrick Schleizer +Date: Sun Mar 8 09:43:24 2020 -0400 + + bumped changelog version + commit 284a49110030b21aa3136447217273337a12acaf Author: Patrick Schleizer Date: Sun Mar 8 08:07:10 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 8b93a49..1f8d49b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:16.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Mar 2020 08:43:08 +0000 + security-misc (3:16.8-1) unstable; urgency=medium * New upstream version (local package). From 8dfdec1d3b0fde7b2836b38e5aefab1b6b6df9f2 Mon Sep 17 00:00:00 2001 From: onions-knight <38859709+onions-knight@users.noreply.github.com> Date: Tue, 17 Mar 2020 16:38:53 +0000 Subject: [PATCH 0279/1650] Update thunar.xml Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26 --- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index f6909a3..06b5b64 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -13,4 +13,5 @@ + From c8826d6702ebaf280994effb22aea39b4cfd2dac Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 21 Mar 2020 17:15:25 +0000 Subject: [PATCH 0280/1650] Fix sysctl-initramfs logs --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 6912637..31b7759 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -15,8 +15,11 @@ prereqs) ;; esac +## ${rootmnt} is mounted read-only in the initramfs so it needs to be remounted first. +mount -o remount,rw "${rootmnt}" sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log -grep -v "unprivileged_userfaultfd" /var/log/sysctl-initramfs-error.log +mount -o remount,ro "${rootmnt}" +grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log" true From 89ada11cf9a76cf02b3d5f92fd5c66194fe40ff0 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 21 Mar 2020 17:49:07 +0000 Subject: [PATCH 0281/1650] Only remount if already mounted read-only --- .../scripts/init-bottom/sysctl-initramfs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
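Review bot: Remounting `${rootmnt}` read-write only to capture sysctl's stderr, and then unconditionally remounting it read-only, changes root's mount state for an unrelated reason: if root was already rw (no `ro` on the kernel command line) the trailing `mount -o remount,ro "${rootmnt}"` flips it, and if the rw remount fails the redirection that follows also fails and, under sh semantics, `sysctl -p` is not executed at all, so the hardening settings are skipped without any message. The log belongs somewhere writable without touching root: in initramfs-tools `/run` is a tmpfs that, as far as I can tell, is moved onto the real root before `init` starts, so `2> /run/sysctl-initramfs-error.log` would need no remount; alternatively drop the file and pipe stderr through `grep -v "unprivileged_userfaultfd" >&2` directly.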
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 31b7759..e2987cc 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -16,10 +16,15 @@ prereqs) esac ## ${rootmnt} is mounted read-only in the initramfs so it needs to be remounted first. -mount -o remount,rw "${rootmnt}" +if mount | grep "${rootmnt}" | grep -q "(ro,"; then + remount="yes" + mount -o remount,rw "${rootmnt}" +fi sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log -mount -o remount,ro "${rootmnt}" +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log +if [ "${remount}" = "yes" ]; then + mount -o remount,ro "${rootmnt}" +fi grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log" true From 23bd7ead59c0bdd793a955aaa613552b37a38dab Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Mar 2020 14:12:42 -0400 Subject: [PATCH 0282/1650] remove trailing space --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index e2987cc..9b5827b 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
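Review bot: The read-only test `mount | grep "${rootmnt}" | grep -q "(ro,"` is a substring match over the whole `mount` output: any other mount whose line contains the text of `${rootmnt}` (e.g. `/root/dev` or `/root/run` if they have been moved already) or that merely contains `(ro,` decides whether root gets remounted, and a root whose option list is exactly `(ro)` is not matched at all. Matching the mount-point field of `/proc/mounts` is exact and busybox awk is normally present in the initramfs: `if awk -v mnt="${rootmnt}" '$2 == mnt && $4 ~ /^ro(,|$)/ { found = 1 } END { exit !found }' /proc/mounts; then`. Also initialise `remount="no"` before the test instead of relying on an unset variable comparing unequal to `yes`.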
@@ -21,7 +21,7 @@ if mount | grep "${rootmnt}" | grep -q "(ro,"; then mount -o remount,rw "${rootmnt}" fi sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log if [ "${remount}" = "yes" ]; then mount -o remount,ro "${rootmnt}" fi From 66ea1a3a127642c5515ac6fd80952a56568620bc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Mar 2020 14:14:15 -0400 Subject: [PATCH 0283/1650] minor --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 9b5827b..7bd0ff6 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -20,8 +20,8 @@ if mount | grep "${rootmnt}" | grep -q "(ro,"; then remount="yes" mount -o remount,rw "${rootmnt}" fi -sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> ${rootmnt}/var/log/sysctl-initramfs-error.log +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> ${rootmnt}/var/log/sysctl-initramfs-error.log if [ "${remount}" = "yes" ]; then mount -o remount,ro "${rootmnt}" fi From 5f0dd8270ba6311018e654cca3b8b86818af5a82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Mar 2020 14:14:35 -0400 Subject: [PATCH 0284/1650] consistent use of quotes --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 7bd0ff6..8a35445 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -20,8 +20,8 @@ if mount | grep "${rootmnt}" | grep -q "(ro,"; then remount="yes" mount -o remount,rw "${rootmnt}" fi -sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> ${rootmnt}/var/log/sysctl-initramfs-error.log -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> ${rootmnt}/var/log/sysctl-initramfs-error.log +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "${rootmnt}/var/log/sysctl-initramfs-error.log" +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "${rootmnt}/var/log/sysctl-initramfs-error.log" if [ "${remount}" = "yes" ]; then mount -o remount,ro "${rootmnt}" fi From d7a69628b1def631b04219da7aee764eebea37df Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Mar 2020 14:56:48 -0400 Subject: [PATCH 0285/1650] bumped changelog version --- changelog.upstream | 68 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 74 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 88c15f4..b36d0e0 100644 --- a/changelog.upstream +++ b/changelog.upstream 
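Review bot: The commit quotes the log path but leaves `${rootmnt}` unquoted in both `sysctl -p` arguments, so the quoting is still not consistent within the same two lines. The first can be quoted whole, `sysctl -p "${rootmnt}/etc/sysctl.conf"`, and on the glob line only the variable should be, `sysctl -p "${rootmnt}"/etc/sysctl.d/*.conf`, which protects the variable while letting the glob expand. `rootmnt` is set by initramfs-tools to a fixed path today, so this is a consistency point rather than a bug.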
@@ -1,3 +1,71 @@ +commit 5f0dd8270ba6311018e654cca3b8b86818af5a82 +Author: Patrick Schleizer +Date: Sat Mar 21 14:14:35 2020 -0400 + + consistent use of quotes + +commit 66ea1a3a127642c5515ac6fd80952a56568620bc +Author: Patrick Schleizer +Date: Sat Mar 21 14:14:15 2020 -0400 + + minor + +commit 23bd7ead59c0bdd793a955aaa613552b37a38dab +Author: Patrick Schleizer +Date: Sat Mar 21 14:12:42 2020 -0400 + + remove trailing space + +commit 7c25fc517e6f42d4364a55407f6bf0c84d130c8e +Merge: 20f0c57 1cbc7f6 +Author: Patrick Schleizer +Date: Sat Mar 21 14:12:25 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 1cbc7f6bed8acc112b610e05f527cffc6e9e1e87 +Merge: 20f0c57 89ada11 +Author: Patrick Schleizer +Date: Sat Mar 21 18:11:57 2020 +0000 + + Merge pull request #73 from madaidan/sysctl-initramfs + + Only remount in sysctl-initramfs if already mounted read-only + +commit 89ada11cf9a76cf02b3d5f92fd5c66194fe40ff0 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Mar 21 17:49:07 2020 +0000 + + Only remount if already mounted read-only + +commit 20f0c574d5424c78ab6b4d3829a6662615967ba5 +Merge: e4118cb 2938182 +Author: Patrick Schleizer +Date: Sat Mar 21 13:28:43 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 2938182ce6303e6e55086e2e9e82f8263a3c8e76 +Merge: e4118cb c8826d6 +Author: Patrick Schleizer +Date: Sat Mar 21 17:26:37 2020 +0000 + + Merge pull request #72 from madaidan/master + + Fix sysctl-initramfs logs + +commit c8826d6702ebaf280994effb22aea39b4cfd2dac +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Mar 21 17:15:25 2020 +0000 + + Fix sysctl-initramfs logs + +commit e4118cb21eb8765bc8f4e7b5e05d464d72575824 +Author: Patrick Schleizer +Date: Thu Mar 12 04:43:08 2020 -0400 + + bumped changelog version + commit e6e7886a6e3dca1a75943c5a04c4d29ab8682cec Merge: 04a87f7 711e786 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1f8d49b..773fb73 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:17.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Mar 2020 18:56:48 +0000 + security-misc (3:16.9-1) unstable; urgency=medium * New upstream version (local package). From bc22fc9fdba834d0a2d8fdc75b86934e56b317c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Mar 2020 17:12:43 -0400 Subject: [PATCH 0286/1650] skip check if any non-root user is a member of group sudo and console if file /var/lib/security-misc/skip_install_check exists --- debian/security-misc.preinst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 428bf82..edf6ee9 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -49,6 +49,9 @@ user_groups_modifications() { } sudo_users_check () { + if test -f /var/lib/security-misc/skip_install_check ; then + return 0 + fi if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: @@ -96,6 +99,9 @@ sudo_users_check () { } console_users_check() { + if test -f /var/lib/security-misc/skip_install_check ; then + return 0 + fi if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: From f663b5eff8a6f2fa406039ced4441c5a4a9c1477 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Mar 2020 17:15:02 -0400 Subject: [PATCH 0287/1650] skip check if any non-root user is a member of group sudo and console if environment variable `SECURITY_MISC_INSTALL` is set to `force` --- debian/security-misc.preinst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index edf6ee9..e16996e 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst 
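Review bot: `test -f /var/lib/security-misc/skip_install_check` is a permanent switch rather than a one-shot one: both checks exist to keep an administrator from locking themselves out, and once the marker exists it silently disables them for every later install or upgrade of the package until someone remembers to delete it. Either consume it after a successful configure (e.g. `rm -f /var/lib/security-misc/skip_install_check` in postinst) or at least print a notice on stderr when the skip is taken, so the bypass is visible in the install log. The path is also spelled twice; a single variable near the top of the script, `skip_install_check_file="/var/lib/security-misc/skip_install_check"`, would keep the two checks in sync.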
@@ -49,6 +49,9 @@ user_groups_modifications() { } sudo_users_check () { + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + return 0 + fi if test -f /var/lib/security-misc/skip_install_check ; then return 0 fi @@ -99,6 +102,9 @@ sudo_users_check () { } console_users_check() { + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + return 0 + fi if test -f /var/lib/security-misc/skip_install_check ; then return 0 fi From 7ee5fc1b760dff0f86d8cf07a77cbd42d40f7a53 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Mar 2020 17:16:46 -0400 Subject: [PATCH 0288/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b36d0e0..56fdd78 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit f663b5eff8a6f2fa406039ced4441c5a4a9c1477 +Author: Patrick Schleizer +Date: Mon Mar 30 17:15:02 2020 -0400 + + skip check if any non-root user is a member of group sudo and console if + environment variable `SECURITY_MISC_INSTALL` is set to `force` + +commit bc22fc9fdba834d0a2d8fdc75b86934e56b317c9 +Author: Patrick Schleizer +Date: Mon Mar 30 17:12:43 2020 -0400 + + skip check if any non-root user is a member of group sudo and console if file + /var/lib/security-misc/skip_install_check exists + +commit d7a69628b1def631b04219da7aee764eebea37df +Author: Patrick Schleizer +Date: Sat Mar 21 14:56:48 2020 -0400 + + bumped changelog version + commit 5f0dd8270ba6311018e654cca3b8b86818af5a82 Author: Patrick Schleizer Date: Sat Mar 21 14:14:35 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 773fb73..9fea0fb 100644 --- a/debian/changelog +++ b/debian/changelog 
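Review bot: `SECURITY_MISC_INSTALL=force` is read from the maintainer script's environment, which users normally reach through `sudo`, and sudo's default `env_reset` drops variables not listed in `env_keep`; `SECURITY_MISC_INSTALL=force sudo apt-get install security-misc` will therefore not skip the check, whereas `sudo SECURITY_MISC_INSTALL=force apt-get install security-misc` should, assuming apt passes its environment on to dpkg as it normally does. A comment above the test would save users a failed attempt: `## Use 'sudo SECURITY_MISC_INSTALL=force apt-get ...'; sudo's env_reset drops the variable otherwise.` As written the bypass is also silent, and a line on stderr naming why the check was skipped would help anyone later investigating a system that ended up without sudo users.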
@@ -1,3 +1,9 @@ +security-misc (3:17.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Mar 2020 21:16:46 +0000 + security-misc (3:17.0-1) unstable; urgency=medium * New upstream version (local package). From c22adbd92fcab45fb3b1d3e98528c4790bb20a6a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Mar 2020 18:39:23 -0400 Subject: [PATCH 0289/1650] notify if security-misc installation is forced --- debian/security-misc.preinst | 86 +++++++++++++++++++++++++----------- 1 file changed, 60 insertions(+), 26 deletions(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index e16996e..84bb506 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -48,13 +48,14 @@ user_groups_modifications() { addgroup root console } +output_skip_checks() { + echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2 + echo "security-misc '$0' INFO: (technical reason: $@)" >&2 + echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2 + echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2 +} + sudo_users_check () { - if [ "$SECURITY_MISC_INSTALL" = "force" ]; then - return 0 - fi - if test -f /var/lib/security-misc/skip_install_check ; then - return 0 - fi if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: 
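Review bot: `output_skip_checks` interpolates `$@` inside a double-quoted string, `"... (technical reason: $@)"`; in bash `"$@"` splits into separate words whenever more than one argument is passed, so `echo` receives several arguments instead of one message (it happens to re-join them with spaces today, but `$*` is the expansion that means "join all arguments into one string"). Use `echo "security-misc '$0' INFO: (technical reason: $*)" >&2`. A one-line header would also help, e.g. `## $*: human-readable reason why the lock-out check is being skipped.`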
@@ -86,26 +87,47 @@ sudo_users_check () { IFS="$OLD_IFS" export IFS + if [ "$are_there_any_sudo_users" = "yes" ]; then + return 0 + fi + + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." + return 0 + fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." + return 0 + fi + ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - if [ ! "$are_there_any_sudo_users" = "yes" ]; then - echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "" >&2 - echo "sudo adduser user sudo" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 - exit 200 + echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 + echo "$0: ERROR: You probably want to run:" >&2 + echo "" >&2 + echo "sudo adduser user sudo" >&2 + echo "sudo adduser user console" >&2 + echo "" >&2 + echo "$0: ERROR: See also installation instructions:" >&2 + echo "https://www.whonix.org/wiki/security-misc#install" >&2 + + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." + return 0 fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." + return 0 + fi + + exit 200 } console_users_check() { if [ "$SECURITY_MISC_INSTALL" = "force" ]; then return 0 fi - if test -f /var/lib/security-misc/skip_install_check ; then + if test -f "/var/lib/security-misc/skip_install_check" ; then return 0 fi if command -v "qubesdb-read" &>/dev/null; then 
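Review bot: In `sudo_users_check` the force/skip-file tests now appear twice, once right after the `are_there_any_sudo_users` return and again after the ERROR text; the first pair returns before anything is printed, so the block explaining how to add a sudo user and the second pair are unreachable whenever the bypass is active, which defeats this commit's purpose of notifying that the check was skipped and why. Drop the first pair and keep the one after the message. The same hunk leaves the bare `return 0` lines at the top of `console_users_check`, which have the identical effect there; `console_users_check` continues past this hunk.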
@@ -142,16 +164,28 @@ console_users_check() { ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - if [ ! "$are_there_any_console_users" = "yes" ]; then - echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 - exit 201 + if [ "$are_there_any_console_users" = "yes" ]; then + return 0 fi + + echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 + echo "$0: ERROR: You probably want to run:" >&2 + echo "" >&2 + echo "sudo adduser user console" >&2 + echo "" >&2 + echo "$0: ERROR: See also installation instructions:" >&2 + echo "https://www.whonix.org/wiki/security-misc#install" >&2 + + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." + return 0 + fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." + return 0 + fi + + exit 201 } legacy() { From a369a0a94dca7fff68234e4f75d74a4e9d63df5b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 30 Mar 2020 18:42:02 -0400 Subject: [PATCH 0290/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 56fdd78..3eb779a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
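Review bot: The ERROR line `No user is a member of group 'console'. Installation aborted.` is now printed before the force/skip-file tests, so when the bypass is active the user is told the installation was aborted and, two lines later, that it is being allowed anyway. Keep the diagnosis in the first message and move the verdict next to the exit: `echo "$0: ERROR: No user is a member of group 'console'." >&2` at the top, and `echo "$0: ERROR: Installation aborted." >&2` immediately before `exit 201`. Note also that the added `output_skip_checks` branches here are unreachable while `console_users_check` still returns 0 on force/skip at its top (visible in the previous hunk).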
@@ -1,3 +1,15 @@ +commit c22adbd92fcab45fb3b1d3e98528c4790bb20a6a +Author: Patrick Schleizer +Date: Mon Mar 30 18:39:23 2020 -0400 + + notify if security-misc installation is forced + +commit 7ee5fc1b760dff0f86d8cf07a77cbd42d40f7a53 +Author: Patrick Schleizer +Date: Mon Mar 30 17:16:46 2020 -0400 + + bumped changelog version + commit f663b5eff8a6f2fa406039ced4441c5a4a9c1477 Author: Patrick Schleizer Date: Mon Mar 30 17:15:02 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 9fea0fb..ae6d88a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:17.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Mar 2020 22:42:02 +0000 + security-misc (3:17.1-1) unstable; urgency=medium * New upstream version (local package). From 814f613a2fac12b892dfb6dcf53ee628e340c7b2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Mar 2020 07:08:25 -0400 Subject: [PATCH 0291/1650] When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. --- etc/security/access-security-misc.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index a081d33..a03a99f 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf 
@@ -18,7 +18,8 @@ ## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9 and hvc0 to hvc9. ## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator. ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name". -+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 +## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. ++:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ## Everyone else except members of group 'console-unrestricted' ## are restricted from everything else. From 354af7085be7e266913c3ae79701cd1abc729d06 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Mar 2020 07:41:45 -0400 Subject: [PATCH 0292/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3eb779a..7498eea 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 814f613a2fac12b892dfb6dcf53ee628e340c7b2 +Author: Patrick Schleizer +Date: Tue Mar 31 07:08:25 2020 -0400 + + When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. + +commit a369a0a94dca7fff68234e4f75d74a4e9d63df5b +Author: Patrick Schleizer +Date: Mon Mar 30 18:42:02 2020 -0400 + + bumped changelog version + commit c22adbd92fcab45fb3b1d3e98528c4790bb20a6a Author: Patrick Schleizer Date: Mon Mar 30 18:39:23 2020 -0400 diff --git a/debian/changelog b/debian/changelog index ae6d88a..a1378bb 100644 --- a/debian/changelog +++ b/debian/changelog 
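Review bot: Adding `console` to the `+:console:` line widens the allow list for every PAM service whose PAM_TTY is literally `console`, not only `login` under systemd-nspawn, since pam_access, as far as I can tell, compares the tty field against whatever the calling service set; with the catch-all deny that follows (`## Everyone else ...`) this is a deliberate relaxation and the comment should say so. Suggest: `## 'console' is the PAM_TTY that login sets inside systemd-nspawn (chroot); any service presenting that tty name is allowed for group 'console'.`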
@@ -1,3 +1,9 @@ +security-misc (3:17.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Mar 2020 11:41:45 +0000 + security-misc (3:17.2-1) unstable; urgency=medium * New upstream version (local package). From ad022fc0b703f28f24665d28b072f1a993978370 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Apr 2020 08:21:06 -0400 Subject: [PATCH 0293/1650] fix --- debian/security-misc.preinst | 9 --------- 1 file changed, 9 deletions(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 84bb506..983c1fd 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -91,15 +91,6 @@ sudo_users_check () { return 0 fi - if [ "$SECURITY_MISC_INSTALL" = "force" ]; then - output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." - return 0 - fi - if test -f "/var/lib/security-misc/skip_install_check" ; then - output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." - return 0 - fi - ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 From b6de867dec85efb03cf38aa85494607edb4500f4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Apr 2020 08:26:44 -0400 Subject: [PATCH 0294/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7498eea..bc0d55b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit ad022fc0b703f28f24665d28b072f1a993978370 +Author: Patrick Schleizer +Date: Wed Apr 1 08:21:06 2020 -0400 + + fix + +commit 354af7085be7e266913c3ae79701cd1abc729d06 +Author: Patrick Schleizer +Date: Tue Mar 31 07:41:45 2020 -0400 + + bumped changelog version + commit 814f613a2fac12b892dfb6dcf53ee628e340c7b2 Author: Patrick Schleizer Date: Tue Mar 31 07:08:25 2020 -0400 diff --git a/debian/changelog b/debian/changelog index a1378bb..0804f81 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:17.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Apr 2020 12:26:44 +0000 + security-misc (3:17.3-1) unstable; urgency=medium * New upstream version (local package). From 2ceea8d1fe9f2425488c6696f75f2ecfd9ff2235 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 1 Apr 2020 08:49:59 -0400 Subject: [PATCH 0295/1650] update copyright year --- COPYING | 2 +- Makefile | 2 +- debian/control | 2 +- debian/copyright | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.triggers | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/X11/Xsession.d/50panic_on_oops | 2 +- etc/X11/Xsession.d/50security-misc | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_distrust_cpu.cfg | 2 +- etc/default/grub.d/40_enable_iommu.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/modprobe.d/30_security-misc.conf | 2 +- etc/permission-hardening.d/30_default.conf | 2 +- etc/security/access-security-misc.conf | 2 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 2 +- etc/sudoers.d/xfce-security-misc | 2 +- etc/sysctl.d/30_security-misc.conf | 2 +- lib/systemd/system-preset/50-security-misc.preset | 2 +- lib/systemd/system/hide-hardware-info.service | 2 +- lib/systemd/system/permission-hardening.service | 2 +- lib/systemd/system/proc-hidepid.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- usr/bin/pkexec.security-misc | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/security-misc/apt-get-update | 2 +- usr/lib/security-misc/apt-get-update-sanity-test | 2 +- usr/lib/security-misc/apt-get-wrapper | 2 +- usr/lib/security-misc/askpass | 2 +- usr/lib/security-misc/echo-path | 2 +- 
usr/lib/security-misc/hide-hardware-info | 2 +- usr/lib/security-misc/pam_only_if_login | 2 +- usr/lib/security-misc/pam_tally2-info | 2 +- usr/lib/security-misc/panic-on-oops | 2 +- usr/lib/security-misc/permission-hardening | 2 +- usr/lib/security-misc/permission-hardening-undo | 2 +- usr/lib/security-misc/permission-lockdown | 2 +- usr/lib/security-misc/remount-secure | 2 +- usr/lib/security-misc/remove-system.map | 2 +- usr/lib/security-misc/virusforget | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- 57 files changed, 57 insertions(+), 57 deletions(-) diff --git a/COPYING b/COPYING index 513503a..c54f148 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2020 ENCRYPTED SUPPORT LP License: GPL-3+-with-additional-terms-1 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/Makefile b/Makefile index c48a9e7..80c52f4 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## genmkfile - Makefile - version 1.5 diff --git a/debian/control b/debian/control index 3c79730..29efff3 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc diff --git a/debian/copyright b/debian/copyright index 513503a..c54f148 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

 Files: *
-Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP
+Copyright: 2012 - 2020 ENCRYPTED SUPPORT LP
 License: GPL-3+-with-additional-terms-1
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/debian/rules b/debian/rules
index f200f9e..c771e0c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 #export DH_VERBOSE=1
diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index ec8a20b..afc5957 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 /usr/bin/pkexec.security-misc
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 1423646..4e4c67a 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 rm_conffile /etc/sudoers.d/umask-security-misc
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index aabb3d5..11bc4c9 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm
index 4ff6c36..7c80735 100644
--- a/debian/security-misc.postrm
+++ b/debian/security-misc.postrm
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 983c1fd..ae7cf18 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm
index f6ceea5..32498fe 100644
--- a/debian/security-misc.prerm
+++ b/debian/security-misc.prerm
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index 4aa5743..a69ee42 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 #### meta start
diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace
index db0d1fd..55fd1f1 100644
--- a/debian/security-misc.undisplace
+++ b/debian/security-misc.undisplace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 /etc/login.defs.security-misc
diff --git a/debian/watch b/debian/watch
index 16e01a4..460c78f 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 version=4
diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops
index ef21228..faca194 100644
--- a/etc/X11/Xsession.d/50panic_on_oops
+++ b/etc/X11/Xsession.d/50panic_on_oops
@@ -1,6 +1,6 @@
 #!/bin/sh

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -x /usr/lib/security-misc/panic-on-oops ]; then
diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc
index 9ec65bd..c9ffae8 100644
--- a/etc/X11/Xsession.d/50security-misc
+++ b/etc/X11/Xsession.d/50security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -z "$XDG_CONFIG_DIRS" ]; then
diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc
index 61735d3..4c943de 100644
--- a/etc/apparmor.d/tunables/home.d/security-misc
+++ b/etc/apparmor.d/tunables/home.d/security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,
diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox
index e79194f..1f97f35 100644
--- a/etc/apt/apt.conf.d/40sandbox
+++ b/etc/apt/apt.conf.d/40sandbox
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index c18d80c..d6e2182 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Enables all mitigations for CPU vulnerabilities.
diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg
index f3f2fab..618b5e7 100644
--- a/etc/default/grub.d/40_distrust_cpu.cfg
+++ b/etc/default/grub.d/40_distrust_cpu.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Distrusts the CPU for initial entropy at boot as it is not possible to
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index 6e49d49..3d229b4 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Enables IOMMU to prevent DMA attacks.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 6bdbff2..f8d4289 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 kpkg="linux-image-$(dpkg --print-architecture)"
diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf
index 8c9ee9a..252e0b6 100644
--- a/etc/hide-hardware-info.d/30_default.conf
+++ b/etc/hide-hardware-info.d/30_default.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Disable the /sys whitelist.
diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs
index d091ca8..a6d571f 100755
--- a/etc/initramfs-tools/hooks/sysctl-initramfs
+++ b/etc/initramfs-tools/hooks/sysctl-initramfs
@@ -1,6 +1,6 @@
 #!/bin/sh

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
index 8a35445..9a0b521 100755
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@@ -1,6 +1,6 @@
 #!/bin/sh

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 PREREQ=""
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index a43a60b..9cba41c 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://phabricator.whonix.org/T486
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 1d0e0df..302603b 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf
index a03a99f..1d4e7cb 100644
--- a/etc/security/access-security-misc.conf
+++ b/etc/security/access-security-misc.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Console Lockdown
diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc
index 1572b03..c62c622 100644
--- a/etc/sudoers.d/pkexec-security-misc
+++ b/etc/sudoers.d/pkexec-security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## REVIEW: is it ok that users can find out the PATH setting of root?
diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index 3f98634..e235c4d 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
index 8e75102..1880152 100644
--- a/etc/sudoers.d/xfce-security-misc
+++ b/etc/sudoers.d/xfce-security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index e83df56..0fed8d0 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset
index 7debfe2..a9047d6 100644
--- a/lib/systemd/system-preset/50-security-misc.preset
+++ b/lib/systemd/system-preset/50-security-misc.preset
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618
diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service
index dafa531..0e5031e 100644
--- a/lib/systemd/system/hide-hardware-info.service
+++ b/lib/systemd/system/hide-hardware-info.service
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 [Unit]
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service
index 31c5ac3..26a058d 100644
--- a/lib/systemd/system/permission-hardening.service
+++ b/lib/systemd/system/permission-hardening.service
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 [Unit]
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
index f2e9e91..5896235 100644
--- a/lib/systemd/system/proc-hidepid.service
+++ b/lib/systemd/system/proc-hidepid.service
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 [Unit]
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
index 9250912..d25a647 100644
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 [Unit]
diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
index 562b195..ebc8bb5 100644
--- a/lib/systemd/system/remove-system-map.service
+++ b/lib/systemd/system/remove-system-map.service
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 [Unit]
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
index 03d7f9a..812a4d5 100755
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf
index 02dc5f0..4fed016 100644
--- a/usr/lib/modules-load.d/30_security-misc.conf
+++ b/usr/lib/modules-load.d/30_security-misc.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://www.whonix.org/wiki/Dev/Entropy
diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update
index 03df63d..06ffe55 100755
--- a/usr/lib/security-misc/apt-get-update
+++ b/usr/lib/security-misc/apt-get-update
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 sigterm_trap() {
diff --git a/usr/lib/security-misc/apt-get-update-sanity-test b/usr/lib/security-misc/apt-get-update-sanity-test
index 6e30381..58c1655 100755
--- a/usr/lib/security-misc/apt-get-update-sanity-test
+++ b/usr/lib/security-misc/apt-get-update-sanity-test
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -x
diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper
index b3b60ad..e7d56c7 100755
--- a/usr/lib/security-misc/apt-get-wrapper
+++ b/usr/lib/security-misc/apt-get-wrapper
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/usr/lib/security-misc/askpass b/usr/lib/security-misc/askpass
index 0a7cb83..3d67ecd 100755
--- a/usr/lib/security-misc/askpass
+++ b/usr/lib/security-misc/askpass
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/usr/lib/security-misc/echo-path b/usr/lib/security-misc/echo-path
index ba4cdf4..c2d1b60 100755
--- a/usr/lib/security-misc/echo-path
+++ b/usr/lib/security-misc/echo-path
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 2c8e075..36ddc29 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/usr/lib/security-misc/pam_only_if_login b/usr/lib/security-misc/pam_only_if_login
index 51b6d80..05fc154 100755
--- a/usr/lib/security-misc/pam_only_if_login
+++ b/usr/lib/security-misc/pam_only_if_login
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info
index b3e7f12..9fdfce8 100755
--- a/usr/lib/security-misc/pam_tally2-info
+++ b/usr/lib/security-misc/pam_tally2-info
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
diff --git a/usr/lib/security-misc/panic-on-oops b/usr/lib/security-misc/panic-on-oops
index ed59cf6..5636dc3 100755
--- a/usr/lib/security-misc/panic-on-oops
+++ b/usr/lib/security-misc/panic-on-oops
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 set -e
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 3a1b2c4..530d975 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## https://forums.whonix.org/t/disable-suid-binaries/7706
diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo
index 5f2324d..3d40b31 100755
--- a/usr/lib/security-misc/permission-hardening-undo
+++ b/usr/lib/security-misc/permission-hardening-undo
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 #set -x
diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown
index 2b4e802..157056e 100755
--- a/usr/lib/security-misc/permission-lockdown
+++ b/usr/lib/security-misc/permission-lockdown
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## Doing this for all users would create many issues.
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure
index 84cd909..3eed8f9 100755
--- a/usr/lib/security-misc/remount-secure
+++ b/usr/lib/security-misc/remount-secure
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## noexec in /tmp and/or /home can break some malware but also legitimate
diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
index 72ce407..1c97205 100755
--- a/usr/lib/security-misc/remove-system.map
+++ b/usr/lib/security-misc/remove-system.map
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/usr/lib/security-misc/virusforget b/usr/lib/security-misc/virusforget
index 7081737..f745971 100755
--- a/usr/lib/security-misc/virusforget
+++ b/usr/lib/security-misc/virusforget
@@ -1,6 +1,6 @@
 #!/bin/bash

-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## VirusForget is inspired by Christopher Laprise.
diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc
index 3217d4b..cb24c53 100644
--- a/usr/share/lintian/overrides/security-misc
+++ b/usr/share/lintian/overrides/security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.

 ## The whole point of the package.
diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc
index 8683121..c0f1dbc 100644
--- a/usr/share/security-misc/dolphinrc
+++ b/usr/share/security-misc/dolphinrc
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions

 [PreviewSettings]

From d4b2baa9b66d480d5e45c628f8bc4ff11fab765f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 1 Apr 2020 10:58:16 -0400
Subject: [PATCH 0296/1650] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index bc0d55b..9720bf2 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 2ceea8d1fe9f2425488c6696f75f2ecfd9ff2235
+Author: Patrick Schleizer
+Date: Wed Apr 1 08:49:59 2020 -0400
+
+ update copyright year
+
+commit b6de867dec85efb03cf38aa85494607edb4500f4
+Author: Patrick Schleizer
+Date: Wed Apr 1 08:26:44 2020 -0400
+
+ bumped changelog version
+
 commit ad022fc0b703f28f24665d28b072f1a993978370
 Author: Patrick Schleizer
 Date: Wed Apr 1 08:21:06 2020 -0400
diff --git a/debian/changelog b/debian/changelog
index 0804f81..d364071 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:17.5-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 01 Apr 2020 14:58:16 +0000
+
 security-misc (3:17.4-1) unstable; urgency=medium

 * New upstream version (local package).

From 2609fe9c3efff611dc5bce20d62580dace02757b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 1 Apr 2020 16:33:29 -0400
Subject: [PATCH 0297/1650] add debian install file

---
 debian/security-misc.install | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 debian/security-misc.install

diff --git a/debian/security-misc.install b/debian/security-misc.install
new file mode 100644
index 0000000..0d11e6e
--- /dev/null
+++ b/debian/security-misc.install
@@ -0,0 +1,9 @@
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## This file was generated using genmkfile 'make debinstfile'.
+
+etc/*
+lib/*
+usr/*
+var/*

From eda9c57a628ebf1083f87789842d5403c6e05122 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 1 Apr 2020 16:57:33 -0400
Subject: [PATCH 0298/1650] remove genmkfile

---
 Makefile | 18 ------------------
 debian/control | 2 +-
 2 files changed, 1 insertion(+), 19 deletions(-)
 delete mode 100644 Makefile

diff --git a/Makefile b/Makefile
deleted file mode 100644
index 80c52f4..0000000
--- a/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/make -f
-
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## genmkfile - Makefile - version 1.5
-
-## This is a copy.
-## master location:
-## https://github.com/Whonix/genmkfile/blob/master/usr/share/genmkfile/Makefile
-
-GENMKFILE_PATH ?= /usr/share/genmkfile
-GENMKFILE_ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
-
-export GENMKFILE_PATH
-export GENMKFILE_ROOT_DIR
-
-include $(GENMKFILE_PATH)/makefile-full
diff --git a/debian/control b/debian/control
index 29efff3..952dbc4 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Source: security-misc
 Section: misc
 Priority: optional
 Maintainer: Patrick Schleizer
-Build-Depends: debhelper (>= 12), genmkfile, config-package-dev, dh-apparmor,
+Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor,
 ronn
 Homepage: https://github.com/Whonix/security-misc
 Vcs-Browser: https://github.com/Whonix/security-misc

From d9f2a0e4a1837ef1604e4cd17ce8ae60996c9782 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 1 Apr 2020 17:34:59 -0400
Subject: [PATCH 0299/1650] remove 'Build-Depends: ronn' since no longer required

---
 debian/control | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 952dbc4..89d924e 100644
--- a/debian/control
+++ b/debian/control
@@ -5,8 +5,7 @@ Source: security-misc
 Section: misc
 Priority: optional
 Maintainer: Patrick Schleizer
-Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor,
- ronn
+Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor
 Homepage: https://github.com/Whonix/security-misc
 Vcs-Browser: https://github.com/Whonix/security-misc
 Vcs-Git: https://github.com/Whonix/security-misc.git

From 7764ee0d202193dc67f5805fc23be2b804962186 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 2 Apr 2020 05:58:16 -0400
Subject: [PATCH 0300/1650] comments

---
 etc/security/access-security-misc.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf
index 1d4e7cb..b4956b9 100644
--- a/etc/security/access-security-misc.conf
+++ b/etc/security/access-security-misc.conf
@@ -15,10 +15,15 @@

 ## Usually tty7 is for X.
 ## Qubes uses tty1 for X.
-## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9 and hvc0 to hvc9.
 ## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.
 ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
 ## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted.
+
+## Allow members of group `console` to use:
+## - 'console'
+## - 'tty1' to 'tty7'
+## - 'pts/0' to 'pts/9'
+## - 'hvc0' to 'hvc9'
 +:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9

 ## Everyone else except members of group 'console-unrestricted'

From a7f2a2a3b6b408a0545f55b8fed9cc17fbd8f843 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 2 Apr 2020 06:04:45 -0400
Subject: [PATCH 0301/1650] console lockdown: allow members of group `sudo` to use console

https://forums.whonix.org/t/etc-security-hardening/8592

https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407

https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
---
 etc/security/access-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf
index b4956b9..b0e9974 100644
--- a/etc/security/access-security-misc.conf
+++ b/etc/security/access-security-misc.conf
@@ -26,6 +26,10 @@
 ## - 'hvc0' to 'hvc9'
 +:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
+## Same as above also for members of group `sudo`.
+## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
++:sudo:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
+
 ## Everyone else except members of group 'console-unrestricted'
 ## are restricted from everything else.
 -:ALL EXCEPT console-unrestricted :ALL
From ae8c5fff3c70c00931b95cd04b8729d2c1bd2a60 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 2 Apr 2020 07:22:47 -0400
Subject: [PATCH 0302/1650] readme
---
 README.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a15e3a1..4cc9e4f 100644
--- a/README.md
+++ b/README.md
@@ -358,9 +358,15 @@ sudo apt-get update
 sudo apt-get install security-misc
 ```
-## How to Build deb Package ##
+## How to Build deb Package from Source Code ##
-Replace `apparmor-profile-torbrowser` with the actual name of this package with `security-misc` and see [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser).
+Can be build using standard Debian package build tools such as:
+
+```
+dpkg-buildpackage -b
+```
+
+See [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/security-misc). (Replace `package-name` with the actual name of this package.)
 ## Contact ##
From a2c932aa5a354798ce1383e988519f9a2cb69374 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 2 Apr 2020 07:58:51 -0400
Subject: [PATCH 0303/1650] bumped changelog version
---
 changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 54 insertions(+)
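Review bot: The added `++:sudo:...` rule repeats the full 27-terminal list from the `+:console:...` rule two lines above it, so the two lists can silently drift apart the next time a tty is added or removed. pam_access(8) takes a space-separated list of users or groups in the second field, so if both groups are meant to get identical access the pair can be a single rule, `+:console sudo:console tty1 ... hvc9` (with `(sudo)` in parentheses if your pam_access needs the name forced to a group match), keeping the PR link above it. The rule is correctly placed above the first-match catch-all `-:ALL EXCEPT console-unrestricted :ALL`; anything inserted below that line is never reached, so the ordering deserves a one-line comment.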
diff --git a/changelog.upstream b/changelog.upstream index 9720bf2..fb05dc5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,51 @@ +commit ae8c5fff3c70c00931b95cd04b8729d2c1bd2a60 +Author: Patrick Schleizer +Date: Thu Apr 2 07:22:47 2020 -0400 + + readme + +commit a7f2a2a3b6b408a0545f55b8fed9cc17fbd8f843 +Author: Patrick Schleizer +Date: Thu Apr 2 06:04:45 2020 -0400 + + console lockdown: allow members of group `sudo` to use console + + https://forums.whonix.org/t/etc-security-hardening/8592 + + https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 + + https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown + +commit 7764ee0d202193dc67f5805fc23be2b804962186 +Author: Patrick Schleizer +Date: Thu Apr 2 05:58:16 2020 -0400 + + comments + +commit d9f2a0e4a1837ef1604e4cd17ce8ae60996c9782 +Author: Patrick Schleizer +Date: Wed Apr 1 17:34:59 2020 -0400 + + remove 'Build-Depends: ronn' since no longer required + +commit eda9c57a628ebf1083f87789842d5403c6e05122 +Author: Patrick Schleizer +Date: Wed Apr 1 16:57:33 2020 -0400 + + remove genmkfile + +commit 2609fe9c3efff611dc5bce20d62580dace02757b +Author: Patrick Schleizer +Date: Wed Apr 1 16:33:29 2020 -0400 + + add debian install file + +commit d4b2baa9b66d480d5e45c628f8bc4ff11fab765f +Author: Patrick Schleizer +Date: Wed Apr 1 10:58:16 2020 -0400 + + bumped changelog version + commit 2ceea8d1fe9f2425488c6696f75f2ecfd9ff2235 Author: Patrick Schleizer Date: Wed Apr 1 08:49:59 2020 -0400 diff --git a/debian/changelog b/debian/changelog index d364071..2d4fd3e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:17.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 02 Apr 2020 11:58:51 +0000 + security-misc (3:17.5-1) unstable; urgency=medium * New upstream version (local package). From 1188a44f47602248911d81f4dc3af08b830b65b9 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Sat, 4 Apr 2020 16:49:30 -0400
Subject: [PATCH 0304/1650] port to python 3.7
---
 usr/lib/security-misc/apt-get-wrapper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper
index e7d56c7..9fcc2d9 100755
--- a/usr/lib/security-misc/apt-get-wrapper
+++ b/usr/lib/security-misc/apt-get-wrapper
@@ -25,7 +25,7 @@ apt_get_exit_code="0"
 ## http://stackoverflow.com/a/26263980/2605155
 ## for the python way to create a pty.
-python -c 'import pty, sys; pty.spawn(sys.argv[1:])' \
+python3.7 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \
 | apt-get "$@" 2>&1 \
 | tee -a "$logfile" \
 || { apt_get_exit_code="$?"; true; };
From 1b2a34ea80fa9efeb02acaa8595e3c38fd9d06ca Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 4 Apr 2020 16:51:42 -0400
Subject: [PATCH 0305/1650] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index fb05dc5..3848fe7 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 1188a44f47602248911d81f4dc3af08b830b65b9
+Author: Patrick Schleizer
+Date: Sat Apr 4 16:49:30 2020 -0400
+
+ port to python 3.7
+
+commit a2c932aa5a354798ce1383e988519f9a2cb69374
+Author: Patrick Schleizer
+Date: Thu Apr 2 07:58:51 2020 -0400
+
+ bumped changelog version
+
 commit ae8c5fff3c70c00931b95cd04b8729d2c1bd2a60
 Author: Patrick Schleizer
 Date: Thu Apr 2 07:22:47 2020 -0400
diff --git a/debian/changelog b/debian/changelog
index 2d4fd3e..88df55e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:17.7-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 04 Apr 2020 20:51:42 +0000
+
 security-misc (3:17.6-1) unstable; urgency=medium
 * New upstream version (local package).
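Review bot: Pinning the interpreter to `python3.7` on the `+` line ties the wrapper to one minor release; once the system Python moves on, the script fails with "command not found" before apt-get even runs, and PATCH 0314 later in this series changes the package's Depends to `python3`, not `python3.7`, so nothing guarantees that binary is installed. Use the unversioned name so the wrapper matches the declared dependency: `python3 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \`. The pipeline this line starts continues on the context lines below, and the enclosing script runs past the hunk.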
From 5c81e1f23fa07a0e3c96d15dc3cc24d41332fe3c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Apr 2020 09:25:45 -0400 Subject: [PATCH 0306/1650] import from anon-gpg-conf --- debian/control | 6 +- debian/security-misc.postinst | 5 + etc/skel/.gnupg/gpg.conf | 348 ++++++++++++++++++++++ usr/share/lintian/overrides/security-misc | 2 +- 4 files changed, 359 insertions(+), 2 deletions(-) create mode 100644 etc/skel/.gnupg/gpg.conf diff --git a/debian/control b/debian/control index 89d924e..957443b 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Package: security-misc Architecture: all Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-anondist, helper-scripts, ${misc:Depends} -Replaces: tcp-timestamps-disable +Replaces: tcp-timestamps-disable, anon-gpg-tweaks Description: enhances misc security settings Inspired by Kernel Self Protection Project (KSPP) . @@ -321,6 +321,10 @@ Description: enhances misc security settings * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phishing attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). + * Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + https://raw.github.com/ioerror/torbirdy/master/gpg.conf + https://github.com/ioerror/torbirdy/pull/11 . Want more? Look into these: . diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 11bc4c9..13e0072 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -17,6 +17,11 @@ true " case "$1" in configure) + if [ -d /etc/skel/.gnupg ]; then + ## Lintian warns against use of chmod --recursive. + chmod 700 /etc/skel/.gnupg + fi + ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true ;; 
diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf
new file mode 100644
index 0000000..dcc90e8
--- /dev/null
+++ b/etc/skel/.gnupg/gpg.conf
@@ -0,0 +1,348 @@ +# Options for GnuPG +# Copyright 1998, 1999, 2000, 2001, 2002, 2003, +# 2010 Free Software Foundation, Inc. +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Unless you specify which option file to use (with the command line +# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf +# by default. +# +# An options file can contain any long options which are available in +# GnuPG. If the first non white space character of a line is a '#', +# this line is ignored. Empty lines are also ignored. +# +# See the man page for a list of options. + +# Uncomment the following option to get rid of the copyright notice + +#no-greeting + +# If you have more than 1 secret key in your keyring, you may want to +# uncomment the following option and set your preferred keyid. + +#default-key 621CC013 + +# If you do not pass a recipient to gpg, it will ask for one. Using +# this option you can encrypt to a default key. Key validation will +# not be done in this case. The second form uses the default key as +# default recipient. + +#default-recipient some-user-id +#default-recipient-self + +# Use --encrypt-to to add the specified key as a recipient to all +# messages. This is useful, for example, when sending mail through a +# mail client that does not automatically encrypt mail to your key. +# In the example, this option allows you to read your local copy of +# encrypted mail that you've sent to others. + +#encrypt-to some-key-id + +# By default GnuPG creates version 4 signatures for data files as +# specified by OpenPGP. 
Some earlier (PGP 6, PGP 7) versions of PGP +# require the older version 3 signatures. Setting this option forces +# GnuPG to create version 3 signatures. + +#force-v3-sigs + +# Because some mailers change lines starting with "From " to ">From " +# it is good to handle such lines in a special way when creating +# cleartext signatures; all other PGP versions do it this way too. + +#no-escape-from-lines + +# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell +# GnuPG which is the native character set. Please check the man page +# for supported character sets. This character set is only used for +# metadata and not for the actual message which does not undergo any +# translation. Note that future version of GnuPG will change to UTF-8 +# as default character set. In most cases this option is not required +# as GnuPG is able to figure out the correct charset at runtime. + +#charset utf-8 + +# Group names may be defined like this: +# group mynames = paige 0x12345678 joe patti +# +# Any time "mynames" is a recipient (-r or --recipient), it will be +# expanded to the names "paige", "joe", and "patti", and the key ID +# "0x12345678". Note that there is only one level of expansion - you +# cannot make a group that points to another group. Note also that +# if there are spaces in the recipient name, this will appear as two +# recipients. In these cases it is better to use the key ID. + +#group mynames = paige 0x12345678 joe patti + +# Lock the file only once for the lifetime of a process. If you do +# not define this, the lock will be obtained and released every time +# it is needed, which is usually preferable. + +#lock-once + +# GnuPG can send and receive keys to and from a keyserver. These +# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP +# support). 
+# +# Example HKP keyserver: +# hkp://keys.gnupg.net +# hkp://subkeys.pgp.net +# +# Example email keyserver: +# mailto:pgp-public-keys@keys.pgp.net +# +# Example LDAP keyservers: +# ldap://keyserver.pgp.com +# +# Regular URL syntax applies, and you can set an alternate port +# through the usual method: +# hkp://keyserver.example.net:22742 +# +# Most users just set the name and type of their preferred keyserver. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://keys.gnupg.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. To see the IP address of the server actually used, you may use +# the "--keyserver-options debug". +# +#keyserver hkp://qdigse2yzvuglcix.onion +#keyserver hkp://2eghzlv2wwcq7u7y.onion +#keyserver mailto:pgp-public-keys@keys.nl.pgp.net +#keyserver ldap://keyserver.pgp.com + +# Common options for keyserver functions: +# +# include-disabled : when searching, include keys marked as "disabled" +# on the keyserver (not all keyservers support this). +# +# no-include-revoked : when searching, do not include keys marked as +# "revoked" on the keyserver. +# +# verbose : show more information as the keys are fetched. +# Can be used more than once to increase the amount +# of information shown. +# +# use-temp-files : use temporary files instead of a pipe to talk to the +# keyserver. Some platforms (Win32 for one) always +# have this on. +# +# keep-temp-files : do not delete temporary files after using them +# (really only useful for debugging) +# +# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. +# This overrides the "http_proxy" environment variable, +# if any. 
+# +# auto-key-retrieve : automatically fetch keys as needed from the keyserver +# when verifying signatures or when importing keys that +# have been revoked by a revocation key that is not +# present on the keyring. +# +# no-include-attributes : do not include attribute IDs (aka "photo IDs") +# when sending keys to the keyserver. + +#keyserver-options auto-key-retrieve + +# Display photo user IDs in key listings + +# list-options show-photos + +# Display photo user IDs when a signature from a key with a photo is +# verified + +# verify-options show-photos + +# Use this program to display photo user IDs +# +# %i is expanded to a temporary file that contains the photo. +# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. +# %k is expanded to the key ID of the key. +# %K is expanded to the long OpenPGP key ID of the key. +# %t is expanded to the extension of the image (e.g. "jpg"). +# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). +# %f is expanded to the fingerprint of the key. +# %% is %, of course. +# +# If %i or %I are not present, then the photo is supplied to the +# viewer on standard input. If your platform supports it, standard +# input is the best way to do this as it avoids the time and effort in +# generating and then cleaning up a secure temp file. +# +# If no photo-viewer is provided, GnuPG will look for xloadimage, eog, +# or display (ImageMagick). On Mac OS X and Windows, the default is +# to use your regular JPEG image viewer. 
+# +# Some other viewers: +# photo-viewer "qiv %i" +# photo-viewer "ee %i" +# +# This one saves a copy of the photo ID in your home directory: +# photo-viewer "cat > ~/photoid-for-key-%k.%t" +# +# Use your MIME handler to view photos: +# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" + +# Passphrase agent +# +# We support the old experimental passphrase agent protocol as well as +# the new Assuan based one (currently available in the "newpg" package +# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, +# you have to run an agent as daemon and use the option +# +# For Ubuntu we now use-agent by default to support more automatic +# use of GPG and S/MIME encryption by GUI programs. Depending on the +# program, users may still have to manually decide to install gnupg-agent. + +#use-agent + +# which tries to use the agent but will fallback to the regular mode +# if there is a problem connecting to the agent. The normal way to +# locate the agent is by looking at the environment variable +# GPG_AGENT_INFO which should have been set during gpg-agent startup. +# In certain situations the use of this variable is not possible, thus +# the option +# +# --gpg-agent-info=::1 +# +# may be used to override it. + +# Automatic key location +# +# GnuPG can automatically locate and retrieve keys as needed using the +# auto-key-locate option. This happens when encrypting to an email +# address (in the "user@example.com" form), and there are no +# user@example.com keys on the local keyring. This option takes the +# following arguments, in the order they are to be tried: +# +# cert = locate a key using DNS CERT, as specified in RFC-4398. +# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) +# CERT methods. +# +# pka = locate a key using DNS PKA. +# +# ldap = locate a key using the PGP Universal method of checking +# "ldap://keys.(thedomain)". For example, encrypting to +# user@example.com will check ldap://keys.example.com. 
+# +# keyserver = locate a key using whatever keyserver is defined using +# the keyserver option. +# +# You may also list arbitrary keyservers here by URL. +# +# Try CERT, then PKA, then LDAP, then hkp://subkeys.net: +#auto-key-locate cert pka ldap hkp://subkeys.pgp.net + +## Begin Anonymity Distribution /home/user/.gnupg/gpg.conf changes. + +#### meta start +#### project Whonix +#### category networking and apps +#### description GnuPG gpg configuration +#### meta end + +## source: +## https://raw.github.com/ioerror/torbirdy/master/gpg.conf +## https://github.com/ioerror/torbirdy/commit/e6d7c9e6e103f0b3289675d04ed3f92e92d8d7b3 + +## Out commented proxy settings, because uwt wrapper keeps care of that. + +## gpg.conf optimized for privacy + +################################################################## +## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam + +## Don't disclose the version +no-emit-version + +## Don't add additional comments (may leak language, etc) +no-comments + +## We want to force UTF-8 everywhere +display-charset utf-8 + +## Proxy settings +#keyserver-options http-proxy=socks5://TORIP:TORPORT + +## https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f +## https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html +## https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607 +#keyserver hkps://keys.openpgp.org + +## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam +################################################################## + +################################################################## +## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html + +personal-digest-preferences SHA512 +cert-digest-algo SHA512 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed + +## END Some suggestions from Debian 
http://keyring.debian.org/creating-key.html +################################################################## + +################################################################## +## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices + +## When creating a key, individuals may designate a specific keyserver to use to pull their keys from. +## The above option will disregard this designation and use the pool, which is useful because (1) it +## prevents someone from designating an insecure method for pulling their key and (2) if the server +## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will +## never be refreshed. +keyserver-options no-honor-keyserver-url + +## when outputting certificates, view user IDs distinctly from keys: +fixed-list-mode + +## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid) +keyid-format 0xlong + +## when multiple digests are supported by all recipients, choose the strongest one: +## already defined above +#personal-digest-preferences SHA512 SHA384 SHA256 SHA224 + +## preferences chosen for new keys should prioritize stronger algorithms: +## already defined above +#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed + +## If you use a graphical environment (and even if you don't) you should be using an agent: +## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) +use-agent + +## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring: +verify-options show-uid-validity +list-options show-uid-validity + +## include an unambiguous indicator of which key made a signature: +## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) +sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g + +## when making an OpenPGP 
certification, use a stronger digest than the default SHA1: +## already defined above +#cert-digest-algo SHA256 + +## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices +################################################################## + +################################################################## +## BEGIN Some suggestions from TorBirdy opt-in's + +## Up to you whether you in comment it (remove the single # in front of +## it) or not. Disabled by default, because it causes too much complaints and +## confusion. + +## Don't include keyids that may disclose the sender or any other non-obvious keyids +#throw-keyids + +## END Some suggestions from TorBirdy opt-in's +################################################################## + +## End of Anonymity Distribution /home/user/.gnupg/gpg.conf changes. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index cb24c53..f18194d 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## The whole point of the package. -security-misc: package-contains-file-in-etc-skel etc/skel/.config/* +security-misc: package-contains-file-in-etc-skel etc/skel/* ## Wrapper script. security-misc: binary-without-manpage usr/bin/pkexec.security-misc From 350a15dfbf9186c4bd81159b7656b5707a95c5db Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Apr 2020 13:22:32 -0400 Subject: [PATCH 0307/1650] readme --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 4cc9e4f..70b3aec 100644 --- a/README.md +++ b/README.md 
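Review bot: The riseup-derived comment above `keyserver-options no-honor-keyserver-url` says "The above option will disregard this designation and use the pool", but the option sits below the comment and this file configures no keyserver at all (every `keyserver` line, including `hkps://keys.openpgp.org`, is commented out with the certificate-flooding references), so the sentence describes a setup that does not exist here; reword it to `## Ignore a key's embedded preferred-keyserver URL; keys are only ever fetched from the keyserver configured in this file, if any.` Two of the kept options are accepted but do nothing on GnuPG 2.1 and later: `use-agent` (the agent is always used) and `fixed-list-mode` (the default since 2.0.10); they are harmless, but mark them `## legacy, ignored by gpg >= 2.1` so nobody relies on them. Leaving `auto-key-retrieve` and all `keyserver` lines disabled is the conservative default and is consistent with the flooding write-ups linked in the file.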
@@ -304,6 +304,10 @@ Application specific hardening: * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phishing attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). +* Security and privacy enhancements for gnupg's config file +`/etc/skel/.gnupg/gpg.conf`. See also: +https://raw.github.com/ioerror/torbirdy/master/gpg.conf +https://github.com/ioerror/torbirdy/pull/11 Want more? Look into these: From cc8489df2ff655276be31073ec2fff57a9e8b448 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Apr 2020 13:29:23 -0400 Subject: [PATCH 0308/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3848fe7..6138a6a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 350a15dfbf9186c4bd81159b7656b5707a95c5db +Author: Patrick Schleizer +Date: Mon Apr 6 13:22:32 2020 -0400 + + readme + +commit 5c81e1f23fa07a0e3c96d15dc3cc24d41332fe3c +Author: Patrick Schleizer +Date: Mon Apr 6 09:25:45 2020 -0400 + + import from anon-gpg-conf + +commit 1b2a34ea80fa9efeb02acaa8595e3c38fd9d06ca +Author: Patrick Schleizer +Date: Sat Apr 4 16:51:42 2020 -0400 + + bumped changelog version + commit 1188a44f47602248911d81f4dc3af08b830b65b9 Author: Patrick Schleizer Date: Sat Apr 4 16:49:30 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 88df55e..9623daf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:17.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Apr 2020 17:29:23 +0000 + security-misc (3:17.7-1) unstable; urgency=medium * New upstream version (local package). From 663811a8192d7d08769eaf5e9c057b9dcca34562 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 8 Apr 2020 12:04:13 +0000 Subject: [PATCH 0309/1650] anon-base-files -> dist-base-files --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 957443b..0f1a300 100644 --- a/debian/control +++ b/debian/control @@ -266,7 +266,7 @@ Description: enhances misc security settings It is not clear that would be sane in such a package. It is recommended to lock and expire the root account. In new Whonix builds, root account will be locked by package - anon-base-files. + dist-base-files. https://www.whonix.org/wiki/Root https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 From 0441f2ed7ad01585c11c9fb6a05cd3884408c9d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 12:30:05 +0000 Subject: [PATCH 0310/1650] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 70b3aec..8433c81 100644 --- a/README.md +++ b/README.md @@ -249,7 +249,7 @@ This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. It is recommended to lock and expire the root account. In new Whonix builds, root account will be locked by package -anon-base-files. +dist-base-files. https://www.whonix.org/wiki/Root https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 From bfd6018d8d108ee8691556529121fe2a679de1d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 12:51:11 +0000 Subject: [PATCH 0311/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6138a6a..ac82da0 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@
+commit 0441f2ed7ad01585c11c9fb6a05cd3884408c9d6
+Author: Patrick Schleizer
+Date: Wed Apr 8 12:30:05 2020 +0000
+
+ readme
+
+commit 663811a8192d7d08769eaf5e9c057b9dcca34562
+Author: Patrick Schleizer
+Date: Wed Apr 8 12:04:13 2020 +0000
+
+ anon-base-files -> dist-base-files
+
+commit cc8489df2ff655276be31073ec2fff57a9e8b448
+Author: Patrick Schleizer
+Date: Mon Apr 6 13:29:23 2020 -0400
+
+ bumped changelog version
+
 commit 350a15dfbf9186c4bd81159b7656b5707a95c5db
 Author: Patrick Schleizer
 Date: Mon Apr 6 13:22:32 2020 -0400
diff --git a/debian/changelog b/debian/changelog
index 9623daf..bce4b3f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:17.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 08 Apr 2020 12:51:11 +0000
+
 security-misc (3:17.8-1) unstable; urgency=medium
 * New upstream version (local package).
From 72228946dca93b5c8257ac5a6ad59e54b7b14d11 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 8 Apr 2020 16:46:11 +0000
Subject: [PATCH 0312/1650] fix etc/default/grub.d/40_kernel_hardening.cfg in Qubes if no kernel package is installed
---
 etc/default/grub.d/40_kernel_hardening.cfg | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index f8d4289..346ea88 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -1,8 +1,8 @@
 ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-kpkg="linux-image-$(dpkg --print-architecture)"
-kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")"
+kpkg="linux-image-$(dpkg --print-architecture)" || true
+kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
 #echo "## kver: $kver"
 ## Disables the merging of slabs of similar sizes.
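Review bot: On the `+kver=` line the `2>/dev/null` is attached to the bare assignment rather than to `dpkg-query`, and whether a redirection on an assignment-only command also covers the command substitution inside it depends on the shell (as far as I can tell bash expands the substitution without it), so the "no packages found" message this commit wants to hide can still reach grub-mkconfig's output. Put the redirection inside the substitution: `kver="$(dpkg-query --show --showformat='${Version}' "$kpkg" 2>/dev/null)" || true`. The `|| true` is still needed, since an assignment returns the substitution's exit status and this file is sourced by grub-mkconfig. The rest of the file, where `$kver` is consumed, is outside the hunk.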
From 4153d8d08874256647d3200333d6754baac2ea63 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 16:51:22 +0000 Subject: [PATCH 0313/1650] apparmor-profile-anondist -> apparmor-profile-dist --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 0f1a300..d504b72 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-anondist, helper-scripts, ${misc:Depends} + apparmor-profile-dist, helper-scripts, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks Description: enhances misc security settings Inspired by Kernel Self Protection Project (KSPP) From a9d0baffe600b9ac5bb7d6ee4e7c5c5830bc60ba Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 16:57:32 +0000 Subject: [PATCH 0314/1650] python -> python3 --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index d504b72..d5b9b0d 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all -Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks Description: enhances misc security settings From 642d4d8d939f33c19564dcc5a0ed46d85feb80aa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 17:13:21 +0000 Subject: [PATCH 0315/1650] bumped changelog version --- changelog.upstream | 26 ++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 32 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ac82da0..7b7bb7f 100644 --- a/changelog.upstream 
+++ b/changelog.upstream @@ -1,3 +1,29 @@ +commit a9d0baffe600b9ac5bb7d6ee4e7c5c5830bc60ba +Author: Patrick Schleizer +Date: Wed Apr 8 16:57:32 2020 +0000 + + python -> python3 + +commit 4153d8d08874256647d3200333d6754baac2ea63 +Author: Patrick Schleizer +Date: Wed Apr 8 16:51:22 2020 +0000 + + apparmor-profile-anondist -> apparmor-profile-dist + +commit 72228946dca93b5c8257ac5a6ad59e54b7b14d11 +Author: Patrick Schleizer +Date: Wed Apr 8 16:46:11 2020 +0000 + + fix etc/default/grub.d/40_kernel_hardening.cfg + + in Qubes if no kernel package is installed + +commit bfd6018d8d108ee8691556529121fe2a679de1d2 +Author: Patrick Schleizer +Date: Wed Apr 8 12:51:11 2020 +0000 + + bumped changelog version + commit 0441f2ed7ad01585c11c9fb6a05cd3884408c9d6 Author: Patrick Schleizer Date: Wed Apr 8 12:30:05 2020 +0000 diff --git a/debian/changelog b/debian/changelog index bce4b3f..f12e3b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 08 Apr 2020 17:13:21 +0000 + security-misc (3:17.9-1) unstable; urgency=medium * New upstream version (local package). From 565ff136e5f1e714b4094fcd9cfdf99a0fb99850 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Apr 2020 21:04:02 +0000 Subject: [PATCH 0316/1650] vm.swappiness=1 import from swappiness-lowest https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 --- debian/control | 5 ++++- etc/sysctl.d/30_security-misc.conf | 7 +++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index d5b9b0d..bd82bae 100644 --- a/debian/control +++ b/debian/control 
@@ -15,7 +15,7 @@ Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, ${misc:Depends} -Replaces: tcp-timestamps-disable, anon-gpg-tweaks +Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: enhances misc security settings Inspired by Kernel Self Protection Project (KSPP) . @@ -280,6 +280,9 @@ Description: enhances misc security settings `/etc/systemd/system/emergency.service.d/override.conf` `/etc/systemd/system/rescue.service.d/override.conf` . + Let the kernel only swap if it is absolutely necessary. + `/etc/sysctl.d/30_security-misc.conf` + . Disables TCP Time Stamps: . TCP time stamps (RFC 1323) allow for tracking clock diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 0fed8d0..1ebd116 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -139,3 +139,10 @@ dev.tty.ldisc_autoload=0 ## ## https://duasynt.com/blog/linux-kernel-heap-spray vm.unprivileged_userfaultfd=0 + +## Let the kernel only swap if it is absolutely necessary. +## Better not be set to zero: +## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## - https://en.wikipedia.org/wiki/Swappiness +vm.swappiness=1 + From 67b9d06b25a651b89e35abdd227a1740871395cd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 9 Apr 2020 09:45:29 +0000 Subject: [PATCH 0317/1650] readme --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8433c81..b9ca009 100644 --- a/README.md +++ b/README.md 
@@ -263,6 +263,9 @@ protection, grub password protection and/or full disk encryption. `/etc/systemd/system/emergency.service.d/override.conf` `/etc/systemd/system/rescue.service.d/override.conf` +Let the kernel only swap if it is absolutely necessary. +`/etc/sysctl.d/30_security-misc.conf` + Disables TCP Time Stamps: TCP time stamps (RFC 1323) allow for tracking clock From 695ad5b83d0e89b1c3b8a5f09f2d7d0a17d8e72f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 9 Apr 2020 09:45:30 +0000 Subject: [PATCH 0318/1650] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7b7bb7f..a1e1a0e 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 67b9d06b25a651b89e35abdd227a1740871395cd +Author: Patrick Schleizer +Date: Thu Apr 9 09:45:29 2020 +0000 + + readme + +commit 565ff136e5f1e714b4094fcd9cfdf99a0fb99850 +Author: Patrick Schleizer +Date: Wed Apr 8 21:04:02 2020 +0000 + + vm.swappiness=1 + + import from swappiness-lowest + + https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 + +commit 642d4d8d939f33c19564dcc5a0ed46d85feb80aa +Author: Patrick Schleizer +Date: Wed Apr 8 17:13:21 2020 +0000 + + bumped changelog version + commit a9d0baffe600b9ac5bb7d6ee4e7c5c5830bc60ba Author: Patrick Schleizer Date: Wed Apr 8 16:57:32 2020 +0000 diff --git a/debian/changelog b/debian/changelog index f12e3b6..f633d3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 09 Apr 2020 09:45:30 +0000 + security-misc (3:18.0-1) unstable; urgency=medium * New upstream version (local package). From 938e929f39ff68296ab01a4b619f963ad3bdf535 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Sun, 12 Apr 2020 16:37:51 -0400
Subject: [PATCH 0319/1650] add pkexec to suid default whitelist

/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
---
 etc/permission-hardening.d/30_default.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 302603b..a4547d0 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -41,6 +41,9 @@
 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
 /usr/lib/chromium/chrome-sandbox exactwhitelist
 
+/usr/bin/pkexec exactwhitelist
+/usr/bin/pkexec.security-misc-orig exactwhitelist
+
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 ## Protect from 'chmod -x' (and SUID removal).
 ## SUID will be removed below in separate step.

From 72be31e870057b035651c1b5a7e9a9db149e9d25 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 12 Apr 2020 16:48:13 -0400
Subject: [PATCH 0320/1650] disable proc-hidepid by default because incompatible with pkexec

and undo pkexec wrapper
---
 debian/control | 5 +++--
 debian/security-misc.displace | 1 -
 debian/security-misc.undisplace | 1 +
 lib/systemd/system-preset/50-security-misc.preset | 3 +++
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/debian/control b/debian/control
index bd82bae..0d6871a 100644
--- a/debian/control
+++ b/debian/control
@@ -175,8 +175,9 @@ Description: enhances misc security settings
  `/lib/systemd/system/remount-secure.service`
  `/usr/lib/security-misc/remount-secure`
  .
- * A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users
- from seeing each other's processes.
+ * An optional systemd service mounts `/proc` with `hidepid=2` at boot to
+ prevent users from seeing each other's processes. Not enabled because not
+ compatible with pkexec.
  .
  * The kernel logs are restricted to root only.
  .
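Review bot: The two new `exactwhitelist` lines keep the setuid bit on pkexec without saying why, while the neighbouring decisions in this file are annotated; a comment such as `## pkexec must stay SUID root: PolicyKit uses it to run commands as another user.` above them would record the reasoning. The second path, `/usr/bin/pkexec.security-misc-orig`, presumably refers to the original binary displaced by the pkexec wrapper; whether permission-hardening tolerates a whitelisted path that is absent on the system is not visible here, so that is worth confirming before relying on it.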
diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index afc5957..52bb261 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -1,5 +1,4 @@
 ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-/usr/bin/pkexec.security-misc
 /etc/securetty.security-misc
diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace
index 55fd1f1..3c56ba4 100644
--- a/debian/security-misc.undisplace
+++ b/debian/security-misc.undisplace
@@ -2,3 +2,4 @@
 ## See the file COPYING for copying conditions.
 
 /etc/login.defs.security-misc
+/usr/bin/pkexec.security-misc
diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset
index a9047d6..f534279 100644
--- a/lib/systemd/system-preset/50-security-misc.preset
+++ b/lib/systemd/system-preset/50-security-misc.preset
@@ -9,3 +9,6 @@ disable permission-hardening.service
 
 ## Disable for now until development finished / tested.
 disable remount-secure.service
+
+## Disable due to pkexec issues.
+proc-hidepid.service

From 442931529121e9e402e7ac56e27df3dcec43167b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 12 Apr 2020 16:52:55 -0400
Subject: [PATCH 0321/1650] disable proc-hidepid by default because incompatible with pkexec

and undo pkexec wrapper
---
 etc/sudoers.d/pkexec-security-misc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc
index c62c622..2e089be 100644
--- a/etc/sudoers.d/pkexec-security-misc
+++ b/etc/sudoers.d/pkexec-security-misc
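Review bot: The new preset line `proc-hidepid.service` carries no directive, so it is not a valid systemd.preset entry and will be rejected or ignored rather than disabling the unit as the comment above it intends; it should read `disable proc-hidepid.service`. With `/usr/bin/pkexec.security-misc` moved from displace to undisplace in this same commit, the `/usr/bin/pkexec.security-misc-orig exactwhitelist` entry from the previous commit presumably no longer matches any file the package creates, so it looks stale. The `debian/control` wording in the first hunk matches the stated intent; only the preset line is wrong.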
@@ -2,10 +2,10 @@
 ## See the file COPYING for copying conditions.
 
 ## REVIEW: is it ok that users can find out the PATH setting of root?
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
 
 ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
 ## set. Would otherwise error out with the following error message:
 ## "This program must only be run through pkexec"
 ## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
-Defaults:ALL env_keep += "PKEXEC_UID"
+#Defaults:ALL env_keep += "PKEXEC_UID"

From b3ce18f0f9f1da0552a4a1bd882a5b5dda13626e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 12 Apr 2020 16:54:10 -0400
Subject: [PATCH 0322/1650] disable proc-hidepid by default because incompatible with pkexec

and undo pkexec wrapper
---
 etc/sudoers.d/xfce-security-misc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
index 1880152..bd0ae80 100644
--- a/etc/sudoers.d/xfce-security-misc
+++ b/etc/sudoers.d/xfce-security-misc
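Review bot: Both rules are commented out, but the two `## REVIEW:` questions above them are left exactly as they were, so a later reader cannot tell that disabling the rules was the outcome rather than an oversight. A line such as `## Disabled together with the pkexec wrapper; do not re-enable without revisiting the REVIEW notes above.` before the first rule would record that decision. Leaving `Defaults:ALL env_keep += "PKEXEC_UID"` off is the safer default regardless: with `Defaults:ALL`, every sudo invocation would have passed a caller-chosen PKEXEC_UID through to any helper that trusts it to identify the invoking user.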
@@ -6,13 +6,13 @@ ## Feel free to out comment this if you are not using xfce4-power-manager or XFCE. -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] -%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] ## XXX: Should we allow this? #%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend From 253578afdf9a4aeb8c5495ca815d0326086dc986 Mon Sep 17 00:00:00 2001 
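Review bot: The context line `## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.` now sits above rules that are already commented out, so the guidance is inverted; it should say the rules ship disabled and may be uncommented by XFCE users, e.g. `## Disabled by default since the pkexec wrapper was undone; uncomment if you use xfce4-power-manager.` Nothing else in the hunk needs changing: the `[[\:digit\:]]` patterns still bound the brightness argument to one to three digits should the rules ever be re-enabled.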
From: Patrick Schleizer
Date: Mon, 13 Apr 2020 06:50:32 -0400
Subject: [PATCH 0323/1650] /etc/security/access-security-misc.conf white list ttyS0 etc.

ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

Thanks to @subpar_marlin for the bug report and helping to fix this!

https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43

https://forums.whonix.org/t/etc-security-hardening/8592
---
 etc/security/access-security-misc.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf
index b0e9974..bcbdba3 100644
--- a/etc/security/access-security-misc.conf
+++ b/etc/security/access-security-misc.conf
@@ -24,11 +24,14 @@
 ## - 'tty1' to 'tty7'
 ## - 'pts/0' to 'pts/9'
 ## - 'hvc0' to 'hvc9'
-+:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
+## serial console
+## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
+## - 'ttyS0' to 'ttyS9'
++:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 
 ## Same as above also for members of group `sudo`.
 ## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
-+:sudo:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
++:sudo:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 
 ## Everyone else except members of group 'console-unrestricted'
 ## are restricted from everything else.
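Review bot: The rewritten `+:console:console …` and `+:sudo:console …` lines keep the group names without parentheses, so pam_access first tries `console`/`sudo` as a user name and treats it as a group only as a fallback (and not at all when the module is given `nodefgroup`); `+:(console):…` and `+:(sudo):…` make the group semantics explicit. The two lines now carry an identical 40-entry origin list that had to be edited twice in this change; pam_access accepts several users or groups in the second field, so `+:(console) (sudo):console tty1 … ttyS9` would state the policy once.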
From e0b8640fb9d03feb6b01fed4469d901e3f9a5dc0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 13 Apr 2020 06:56:34 -0400 Subject: [PATCH 0324/1650] readme --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b9ca009..582e445 100644 --- a/README.md +++ b/README.md @@ -158,8 +158,9 @@ Alternatively file `/usr/local/etc/remount-disable` or file `/lib/systemd/system/remount-secure.service` `/usr/lib/security-misc/remount-secure` -* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users -from seeing each other's processes. +* An optional systemd service mounts `/proc` with `hidepid=2` at boot to +prevent users from seeing each other's processes. Not enabled because not +compatible with pkexec. * The kernel logs are restricted to root only. From b6dde34bfb696218cc14ac89d169ec0e37814bff Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 13 Apr 2020 06:56:34 -0400 Subject: [PATCH 0325/1650] bumped changelog version --- changelog.upstream | 59 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 65 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a1e1a0e..6bf4086 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,62 @@ +commit e0b8640fb9d03feb6b01fed4469d901e3f9a5dc0 +Author: Patrick Schleizer +Date: Mon Apr 13 06:56:34 2020 -0400 + + readme + +commit 253578afdf9a4aeb8c5495ca815d0326086dc986 +Author: Patrick Schleizer +Date: Mon Apr 13 06:50:32 2020 -0400 + + /etc/security/access-security-misc.conf white list ttyS0 etc. + + ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 + + Thanks to @subpar_marlin for the bug report and helping to fix this! + + https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 + + https://forums.whonix.org/t/etc-security-hardening/8592 + +commit b3ce18f0f9f1da0552a4a1bd882a5b5dda13626e +Author: Patrick Schleizer +Date: Sun Apr 12 16:54:10 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 442931529121e9e402e7ac56e27df3dcec43167b +Author: Patrick Schleizer +Date: Sun Apr 12 16:52:55 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 72be31e870057b035651c1b5a7e9a9db149e9d25 +Author: Patrick Schleizer +Date: Sun Apr 12 16:48:13 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 938e929f39ff68296ab01a4b619f963ad3bdf535 +Author: Patrick Schleizer +Date: Sun Apr 12 16:37:51 2020 -0400 + + add pkexec to suid default whitelist + + /usr/bin/pkexec exactwhitelist + /usr/bin/pkexec.security-misc-orig exactwhitelist + +commit 695ad5b83d0e89b1c3b8a5f09f2d7d0a17d8e72f +Author: Patrick Schleizer +Date: Thu Apr 9 09:45:30 2020 +0000 + + bumped changelog version + commit 67b9d06b25a651b89e35abdd227a1740871395cd Author: Patrick Schleizer Date: Thu Apr 9 09:45:29 2020 +0000 diff --git a/debian/changelog b/debian/changelog index f633d3a..08f943e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:18.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 13 Apr 2020 10:56:34 +0000 + security-misc (3:18.1-1) unstable; urgency=medium * New upstream version (local package). From 8851c9ed29e79d2ef5df9c7b7086878e69b90bd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Apr 2020 12:39:34 -0400 Subject: [PATCH 0326/1650] fix: disable proc-hidepid.service --- lib/systemd/system-preset/50-security-misc.preset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index f534279..544ba5a 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -11,4 +11,4 @@ disable permission-hardening.service disable remount-secure.service ## Disable due to pkexec issues. -proc-hidepid.service +disable proc-hidepid.service From df218ad6582ab88be16e66cf13951d0a5271411b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Apr 2020 12:40:31 -0400 Subject: [PATCH 0327/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6bf4086..ef1599f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 8851c9ed29e79d2ef5df9c7b7086878e69b90bd4 +Author: Patrick Schleizer +Date: Tue Apr 14 12:39:34 2020 -0400 + + fix: disable proc-hidepid.service + +commit b6dde34bfb696218cc14ac89d169ec0e37814bff +Author: Patrick Schleizer +Date: Mon Apr 13 06:56:34 2020 -0400 + + bumped changelog version + commit e0b8640fb9d03feb6b01fed4469d901e3f9a5dc0 Author: Patrick Schleizer Date: Mon Apr 13 06:56:34 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 08f943e..36aed5f 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:18.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Apr 2020 16:40:31 +0000 + security-misc (3:18.2-1) unstable; urgency=medium * New upstream version (local package). From cb51847085c1b62c99ab160373c52a388bdfe300 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Apr 2020 14:05:37 -0400 Subject: [PATCH 0328/1650] readme --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 582e445..e10ab06 100644 --- a/README.md +++ b/README.md @@ -374,7 +374,10 @@ Can be build using standard Debian package build tools such as: dpkg-buildpackage -b ``` -See [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/security-misc). (Replace `package-name` with the actual name of this package.) +See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) + +* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) ## Contact ## From 701da5f6cc911e3946904c152078dc6c637e5070 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 16 Apr 2020 07:24:44 -0400 Subject: [PATCH 0329/1650] formatting --- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 9a0b521..1de700d 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
@@ -20,11 +20,14 @@ if mount | grep "${rootmnt}" | grep -q "(ro,"; then remount="yes" mount -o remount,rw "${rootmnt}" fi + sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "${rootmnt}/var/log/sysctl-initramfs-error.log" sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "${rootmnt}/var/log/sysctl-initramfs-error.log" + if [ "${remount}" = "yes" ]; then mount -o remount,ro "${rootmnt}" fi + grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log" true From 4898a9e753e9399e83e4a39d8fa340e1ad9d4f6d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 16 Apr 2020 07:54:33 -0400 Subject: [PATCH 0330/1650] fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log since ephemeral, in RAM, not written to disk, no conflict with grub-live https://forums.whonix.org/t/kernel-hardening/7296/435 --- .../scripts/init-bottom/sysctl-initramfs | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 1de700d..58558fd 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
@@ -15,19 +15,12 @@ prereqs) ;; esac -## ${rootmnt} is mounted read-only in the initramfs so it needs to be remounted first. -if mount | grep "${rootmnt}" | grep -q "(ro,"; then - remount="yes" - mount -o remount,rw "${rootmnt}" -fi +## Write to '/run/initramfs' folder. +## https://forums.whonix.org/t/kernel-hardening/7296/435 -sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "${rootmnt}/var/log/sysctl-initramfs-error.log" -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "${rootmnt}/var/log/sysctl-initramfs-error.log" +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log" +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log" -if [ "${remount}" = "yes" ]; then - mount -o remount,ro "${rootmnt}" -fi - -grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log" +grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log" true From 8d2e4b68dcae87b27f519196488e0ed7e8b95ef2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 16 Apr 2020 08:00:31 -0400 Subject: [PATCH 0331/1650] Prevent kernel info leaks in console during boot. By setting `kernel.printk = 3 3 3 3`. https://phabricator.whonix.org/T950 Thanks to @madaidan for the suggestion! --- etc/sysctl.d/30_security-misc.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 1ebd116..d66566f 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -8,6 +8,10 @@ kernel.core_pattern=|/bin/false ## Restricts the kernel log to root only. kernel.dmesg_restrict=1 +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 +kernel.printk = 3 3 3 3 + ## Don't allow writes to files that we don't own ## in world writable sticky directories, unless ## they are owned by the owner of the directory. 
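Review bot: The redirections into `/run/initramfs/sysctl-initramfs-error.log` assume that directory exists when init-bottom scripts run; initramfs-tools normally creates `/run/initramfs` itself, but if it is absent the shell refuses the redirection and the whole `sysctl -p` line is skipped, so none of the hardening sysctls would be applied and nothing would say so. A `mkdir -p /run/initramfs` before the first `sysctl` line closes that gap cheaply. Separately, `${rootmnt}` is unquoted in both `sysctl -p` arguments; the glob in the second must stay unquoted, but `"${rootmnt}"/etc/sysctl.d/*.conf` keeps the glob while protecting the prefix.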
From aa5631b02b0127b4681ae08c973b08b23befd701 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 16 Apr 2020 08:43:40 -0400 Subject: [PATCH 0332/1650] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ef1599f..70b5a14 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,43 @@ +commit 8d2e4b68dcae87b27f519196488e0ed7e8b95ef2 +Author: Patrick Schleizer +Date: Thu Apr 16 08:00:31 2020 -0400 + + Prevent kernel info leaks in console during boot. + + By setting `kernel.printk = 3 3 3 3`. + + https://phabricator.whonix.org/T950 + + Thanks to @madaidan for the suggestion! + +commit 4898a9e753e9399e83e4a39d8fa340e1ad9d4f6d +Author: Patrick Schleizer +Date: Thu Apr 16 07:54:33 2020 -0400 + + fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log + + since ephemeral, in RAM, not written to disk, no conflict with grub-live + + https://forums.whonix.org/t/kernel-hardening/7296/435 + +commit 701da5f6cc911e3946904c152078dc6c637e5070 +Author: Patrick Schleizer +Date: Thu Apr 16 07:24:44 2020 -0400 + + formatting + +commit cb51847085c1b62c99ab160373c52a388bdfe300 +Author: Patrick Schleizer +Date: Wed Apr 15 14:05:37 2020 -0400 + + readme + +commit df218ad6582ab88be16e66cf13951d0a5271411b +Author: Patrick Schleizer +Date: Tue Apr 14 12:40:31 2020 -0400 + + bumped changelog version + commit 8851c9ed29e79d2ef5df9c7b7086878e69b90bd4 Author: Patrick Schleizer Date: Tue Apr 14 12:39:34 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 36aed5f..12dc924 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 16 Apr 2020 12:43:40 +0000 + security-misc (3:18.3-1) unstable; urgency=medium * New upstream version (local package). 
From 6485df8126b52a2072824fa442e8d1dd5cb18981 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 23 Apr 2020 12:26:31 -0400
Subject: [PATCH 0333/1650] Prevent kernel info leaks in console during boot.

add kernel parameter `quiet loglevel=0`

https://phabricator.whonix.org/T950
---
 etc/default/grub.d/40_kernel_hardening.cfg | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 346ea88..6104280 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -59,3 +59,10 @@ fi
 ## Requires linux-hardened kernel patch.
 ## https://github.com/anthraxx/linux-hardened
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## Prevent kernel info leaks in console during boot.
+## https://phabricator.whonix.org/T950
+## str_replace is provided by package helper-scripts.
+## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"

From 81cb6ad2462a900f9c5193278de70ada62a5585b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 23 Apr 2020 12:27:25 -0400
Subject: [PATCH 0334/1650] bumped changelog version

---
 changelog.upstream | 16 ++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 22 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 70b5a14..4e6b19b 100644
--- a/changelog.upstream
+++ b/changelog.upstream
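Review bot: `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"` silently empties the variable if `str_replace` is unavailable, because a failed command substitution yields an empty string, and every other default option the user had is then lost from the generated kernel line. `debian/control` does depend on helper-scripts, but this snippet is sourced by grub-mkconfig under /bin/sh, so a form that needs no helper is cheap and equally portable: `GRUB_CMDLINE_LINUX_DEFAULT="$(printf '%s' "$GRUB_CMDLINE_LINUX_DEFAULT" | sed 's/quiet//g')"`. Note also that `loglevel=0` silences every console message, emergencies included, for the window before `kernel.printk = 3 3 3 3` is applied from sysctl; a comment stating that trade-off next to the assignment would help whoever has to diagnose an early-boot failure.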
@@ -1,3 +1,19 @@ +commit 6485df8126b52a2072824fa442e8d1dd5cb18981 +Author: Patrick Schleizer +Date: Thu Apr 23 12:26:31 2020 -0400 + + Prevent kernel info leaks in console during boot. + + add kernel parameter `quiet loglevel=0` + + https://phabricator.whonix.org/T950 + +commit aa5631b02b0127b4681ae08c973b08b23befd701 +Author: Patrick Schleizer +Date: Thu Apr 16 08:43:40 2020 -0400 + + bumped changelog version + commit 8d2e4b68dcae87b27f519196488e0ed7e8b95ef2 Author: Patrick Schleizer Date: Thu Apr 16 08:00:31 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 12dc924..5788b62 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 23 Apr 2020 16:27:25 +0000 + security-misc (3:18.4-1) unstable; urgency=medium * New upstream version (local package). From 3cd7b144bba1a92ca771b16fc5215073c7561a1a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 May 2020 13:47:58 -0400 Subject: [PATCH 0335/1650] move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf so package debug-misc can easily disable it https://phabricator.whonix.org/T950 --- etc/sysctl.d/30_security-misc.conf | 5 ----- etc/sysctl.d/30_silent-kernel-printk.conf | 6 ++++++ 2 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 etc/sysctl.d/30_silent-kernel-printk.conf diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index d66566f..18902ef 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -8,10 +8,6 @@ kernel.core_pattern=|/bin/false
 ## Restricts the kernel log to root only.
 kernel.dmesg_restrict=1
 
-## Prevent kernel info leaks in console during boot.
-## https://phabricator.whonix.org/T950
-kernel.printk = 3 3 3 3
-
 ## Don't allow writes to files that we don't own
 ## in world writable sticky directories, unless
 ## they are owned by the owner of the directory.
@@ -149,4 +145,3 @@ vm.unprivileged_userfaultfd=0
 ## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
 ## - https://en.wikipedia.org/wiki/Swappiness
 vm.swappiness=1
-
diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf
new file mode 100644
index 0000000..69db9a6
--- /dev/null
+++ b/etc/sysctl.d/30_silent-kernel-printk.conf
@@ -0,0 +1,6 @@
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Prevent kernel info leaks in console during boot.
+## https://phabricator.whonix.org/T950
+kernel.printk = 3 3 3 3

From 861f9d1022e61766c7474d9eb79489ba64ac2055 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 14 May 2020 13:57:32 -0400
Subject: [PATCH 0336/1650] bumped changelog version

---
 changelog.upstream | 16 ++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 22 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 4e6b19b..483680e 100644
--- a/changelog.upstream
+++ b/changelog.upstream
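Review bot: `kernel.printk = 3 3 3 3` in the new file does not say what the four fields are, so "silent" is not self-explanatory and the reason for setting all four rather than only the first is lost; a comment naming them — console_loglevel, default_message_loglevel, minimum_console_loglevel, default_console_loglevel — and noting that console_loglevel=3 hides KERN_ERR and less severe messages from the console would make the file readable on its own. Since the stated purpose is to let debug-misc disable it, the comment should also say that an overriding file must sort after `30_silent-kernel-printk.conf`, because sysctl.d files are applied in lexical order and the last value wins.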
@@ -1,3 +1,19 @@ +commit 3cd7b144bba1a92ca771b16fc5215073c7561a1a +Author: Patrick Schleizer +Date: Thu May 14 13:47:58 2020 -0400 + + move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf + + so package debug-misc can easily disable it + + https://phabricator.whonix.org/T950 + +commit 81cb6ad2462a900f9c5193278de70ada62a5585b +Author: Patrick Schleizer +Date: Thu Apr 23 12:27:25 2020 -0400 + + bumped changelog version + commit 6485df8126b52a2072824fa442e8d1dd5cb18981 Author: Patrick Schleizer Date: Thu Apr 23 12:26:31 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 5788b62..daa054d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 May 2020 17:57:32 +0000 + security-misc (3:18.5-1) unstable; urgency=medium * New upstream version (local package). From ac8bc4f006dbc1583e35ba033e38dac8392127e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jul 2020 06:30:07 -0400 Subject: [PATCH 0337/1650] readme --- README.md | 34 ++-------------------------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index e10ab06..ae2f52d 100644 --- a/README.md +++ b/README.md 
@@ -332,39 +332,9 @@ Discussion: Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296 -## How to install `security-misc` using apt-get ## +## How to install `security-misc` ## -1\. Download [Whonix's Signing Key](). - -``` -wget https://www.whonix.org/patrick.asc -``` - -Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. - -2\. Add Whonix's signing key. - -``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc -``` - -3\. Add Whonix's APT repository. - -``` -echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list -``` - -4\. Update your package lists. - -``` -sudo apt-get update -``` - -5\. Install `security-misc`. - -``` -sudo apt-get install security-misc -``` +See https://www.whonix.org/wiki/Security-misc#install ## How to Build deb Package from Source Code ## From b09f5ddc154d6561fd97b436feeb6a6225f89206 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jul 2020 08:33:07 -0400 Subject: [PATCH 0338/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 483680e..90d0bd7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit ac8bc4f006dbc1583e35ba033e38dac8392127e9 +Author: Patrick Schleizer +Date: Wed Jul 29 06:30:07 2020 -0400 + + readme + +commit 861f9d1022e61766c7474d9eb79489ba64ac2055 +Author: Patrick Schleizer +Date: Thu May 14 13:57:32 2020 -0400 + + bumped changelog version + commit 3cd7b144bba1a92ca771b16fc5215073c7561a1a Author: Patrick Schleizer Date: Thu May 14 13:47:58 2020 -0400 diff --git a/debian/changelog b/debian/changelog index daa054d..d87ddd8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:18.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jul 2020 12:33:07 +0000 + security-misc (3:18.6-1) unstable; urgency=medium * New upstream version (local package). From 7e267ab49850362c02374a15fdba2409a5487a0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 3 Aug 2020 08:12:19 -0400 Subject: [PATCH 0339/1650] fix, allow group `sudo` and `console` to use consoles fix /etc/security/access-security-misc.conf syntax error Thanks to @81a989 for the bug report! https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 --- etc/security/access-security-misc.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index bcbdba3..cc0cb3e 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf 
@@ -27,12 +27,12 @@
 ## serial console
 ## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
 ## - 'ttyS0' to 'ttyS9'
-+:console:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
++:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 ## Same as above also for members of group `sudo`.
 ## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
-+:sudo:console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
++:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
 ## Everyone else except members of group 'console-unrestricted'
 ## are restricted from everything else.
--:ALL EXCEPT console-unrestricted :ALL
+-:ALL EXCEPT (console-unrestricted):ALL
From 98c0decaa46c6fb839062ff9af0556d821c254e6 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 3 Aug 2020 09:43:43 -0400
Subject: [PATCH 0340/1650] bumped changelog version
---
 changelog.upstream | 18 ++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 24 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 90d0bd7..1871ec4 100644
--- a/changelog.upstream
+++ b/changelog.upstream
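Review bot: The same origin list is now carried verbatim on both the `(console)` and the `(sudo)` line; access.conf allows several names or groups in the second field, so one rule `+:(console) (sudo):console tty1 … ttyS9` would express the same policy without two copies that can drift apart. The lists also stop at `pts/9`, `hvc9` and `ttyS9`, so a member of either group on a later pseudo-terminal or serial port appears to fall through to the closing `-:ALL EXCEPT (console-unrestricted):ALL` rule; if that bound is deliberate, the `## - 'ttyS0' to 'ttyS9'` comment should say so for `pts/*` and `hvc*` as well. The parenthesised group syntax itself is the right fix, as it stops pam_access from first trying the names as user names.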
@@ -1,3 +1,21 @@ +commit 7e267ab49850362c02374a15fdba2409a5487a0f +Author: Patrick Schleizer +Date: Mon Aug 3 08:12:19 2020 -0400 + + fix, allow group `sudo` and `console` to use consoles + + fix /etc/security/access-security-misc.conf syntax error + + Thanks to @81a989 for the bug report! + + https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 + +commit b09f5ddc154d6561fd97b436feeb6a6225f89206 +Author: Patrick Schleizer +Date: Wed Jul 29 08:33:07 2020 -0400 + + bumped changelog version + commit ac8bc4f006dbc1583e35ba033e38dac8392127e9 Author: Patrick Schleizer Date: Wed Jul 29 06:30:07 2020 -0400 diff --git a/debian/changelog b/debian/changelog index d87ddd8..09a4c78 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Aug 2020 13:43:43 +0000 + security-misc (3:18.7-1) unstable; urgency=medium * New upstream version (local package). From 944fed3c459dd55820cb1eca68f86816bdf8469f Mon Sep 17 00:00:00 2001 From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Fri, 18 Sep 2020 23:29:04 +0100 Subject: [PATCH 0341/1650] Disallow kernel profiling by users without CAP_SYS_ADMIN It's the default on a lot of stuff, but still nice to have. --- etc/sysctl.d/30_security-misc.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 18902ef..cb53834 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -145,3 +145,7 @@ vm.unprivileged_userfaultfd=0
 ## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
 ## - https://en.wikipedia.org/wiki/Swappiness
 vm.swappiness=1
+
+## Disallow kernel profiling by users without CAP_SYS_ADMIN
+## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.perf_event_paranoid=3
From 8f7727e823a86a1826686d5c95d0070721c7acba Mon Sep 17 00:00:00 2001
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
Date: Fri, 18 Sep 2020 23:36:30 +0100
Subject: [PATCH 0342/1650] Add some IPv6 options
---
 etc/sysctl.d/30_security-misc.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index cb53834..e7b7706 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -82,6 +82,8 @@ net.ipv6.conf.default.accept_redirects=0
 ## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
@@ -92,6 +94,8 @@ net.ipv4.tcp_syncookies=1
 ## Disable source routing.
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
 ## Enable reverse path filtering to prevent IP spoofing and
 ## mitigate vulnerabilities such as CVE-2019-14899.
@@ -149,3 +153,8 @@ vm.swappiness=1
 ## Disallow kernel profiling by users without CAP_SYS_ADMIN
 ## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.perf_event_paranoid=3
+
+# Do not accept router advertisments
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+
From 5fc7b791db473c22ea43ff899e2dbe232c42a2b7 Mon Sep 17 00:00:00 2001
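Review bot: `kernel.perf_event_paranoid=3` is not a value the linked kernel.txt describes; mainline documents -1 through 2 and, as far as I know, treats anything above 1 exactly like 2, so on a mainline kernel this line does what the comment says and nothing more. The extra level 3, which also refuses unprivileged `perf_event_open()` altogether, exists only on distribution kernels carrying the Ubuntu/Android patch. The comment should record that so nobody expects the stronger behaviour everywhere, e.g. `## 3 = additionally disallow all unprivileged perf on kernels with the distro patch; mainline treats it as 2.`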
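Review bot: The two `net.ipv6.conf.*.accept_redirects=0` lines in the `@@ -82,6 +82,8 @@` hunk look like duplicates: the hunk header's context text is `net.ipv6.conf.default.accept_redirects=0`, which git copies from the nearest preceding unindented line, so the same keys are already set a few lines above. They are also inserted under the `## Disables ICMP redirect sending.` comment between the IPv4 `send_redirects` keys, which is the wrong section for an accept_* setting (as far as I can tell IPv6 has no `send_redirects` sysctl to mirror). Unless the earlier lines are removed elsewhere, these two additions should be dropped.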
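Review bot: `net.ipv6.conf.all.accept_ra=0` together with `default.accept_ra=0` switches off SLAAC and default-route learning on every interface, so any host that obtains its IPv6 configuration from router advertisements loses IPv6 connectivity once this is applied; if that is acceptable for the systems this package targets the comment should say so, otherwise the setting wants to be opt-in. Style points in the same hunk: the comment uses a single `#` where the rest of the file uses `##`, `advertisments` is misspelled, and the hunk appends a trailing blank line at end of file. Suggested comment: `## Do not accept router advertisements (disables SLAAC; hosts relying on RA for IPv6 lose connectivity).`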
From: Patrick Schleizer Date: Sat, 19 Sep 2020 09:28:27 -0400 Subject: [PATCH 0343/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1871ec4..b324ec9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit bff6ce7abb920d55edc49b19340a1e9251a4cd8c +Merge: 98c0dec 9239c8b +Author: Patrick Schleizer +Date: Sat Sep 19 06:54:50 2020 -0400 + + Merge remote-tracking branch 'github/master' + +commit 9239c8b8074018090d4fa1381aa06e66a99359cc +Merge: 98c0dec 8dfdec1 +Author: Patrick Schleizer +Date: Sat Sep 19 10:54:21 2020 +0000 + + Merge pull request #71 from onions-knight/patch-1 + + Update thunar.xml + +commit 98c0decaa46c6fb839062ff9af0556d821c254e6 +Author: Patrick Schleizer +Date: Mon Aug 3 09:43:43 2020 -0400 + + bumped changelog version + commit 7e267ab49850362c02374a15fdba2409a5487a0f Author: Patrick Schleizer Date: Mon Aug 3 08:12:19 2020 -0400 @@ -445,6 +467,14 @@ Date: Sat Mar 21 17:15:25 2020 +0000 Fix sysctl-initramfs logs +commit 8dfdec1d3b0fde7b2836b38e5aefab1b6b6df9f2 +Author: onions-knight <38859709+onions-knight@users.noreply.github.com> +Date: Tue Mar 17 16:38:53 2020 +0000 + + Update thunar.xml + + Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26 + commit e4118cb21eb8765bc8f4e7b5e05d464d72575824 Author: Patrick Schleizer Date: Thu Mar 12 04:43:08 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 09a4c78..8e22b99 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:18.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Sep 2020 13:28:27 +0000 + security-misc (3:18.8-1) unstable; urgency=medium * New upstream version (local package). 
From a813e7da07a39e96e0cd7937aee7568307a00287 Mon Sep 17 00:00:00 2001 From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Sat, 19 Sep 2020 20:46:19 +0100 Subject: [PATCH 0344/1650] Blacklist more modules --- etc/modprobe.d/30_security-misc.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 9cba41c..9bb0c18 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -44,6 +44,14 @@ install appletalk /bin/false install psnap /bin/false install p8023 /bin/false install p8022 /bin/false +install can /bin/false +install atm /bin/false + +# Disable uncommon filesystems to reduce attack surface +install cramfs /bin/false +install vfat /bin/false +install squashfs /bin/false +install udf /bin/false ## Blacklists the vivid kernel module as it's only required for ## testing and has been the cause of multiple vulnerabilities. From 4070133ed65af409adeb6f8c7970d3bc7074b02b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Sep 2020 10:25:57 -0400 Subject: [PATCH 0345/1650] unblacklist vfat https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068 --- etc/modprobe.d/30_security-misc.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 9bb0c18..e91dd20 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -49,7 +49,6 @@ install atm /bin/false # Disable uncommon filesystems to reduce attack surface install cramfs /bin/false -install vfat /bin/false install squashfs /bin/false install udf /bin/false From da1ac48cde8ea5057d1606a2fba42ea179677378 Mon Sep 17 00:00:00 2001 
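Review bot: The new `# Disable uncommon filesystems to reduce attack surface` comment uses a single `#` while the surrounding file comments with `##` (see the `## Blacklists the vivid kernel module` context line), and `can`/`atm` are appended to the protocol block with no note on what they are or where the list comes from. The follow-up patches on this page already have to take `vfat` and `squashfs` back out because they are needed on the boot path (EFI system partition, live ISO), which is exactly the kind of constraint a comment here should capture so `cramfs` and `udf` are not silently assumed safe either. Suggested replacement for the comment: `## Disable uncommon filesystems to reduce attack surface. Keep anything the boot path needs (vfat for ESP, squashfs for live ISO) out of this list.`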
From: Patrick Schleizer Date: Mon, 28 Sep 2020 10:29:50 -0400 Subject: [PATCH 0346/1650] unblacklist squashfs as this would likely break Whonix-Host ISO https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182 --- etc/modprobe.d/30_security-misc.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index e91dd20..0cb5c6c 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -49,7 +49,6 @@ install atm /bin/false # Disable uncommon filesystems to reduce attack surface install cramfs /bin/false -install squashfs /bin/false install udf /bin/false ## Blacklists the vivid kernel module as it's only required for From feb7cea4c508a94d1140bc08856d0fe586da694e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Sep 2020 10:30:42 -0400 Subject: [PATCH 0347/1650] bumped changelog version --- changelog.upstream | 67 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 73 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b324ec9..7dea06f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,56 @@ +commit da1ac48cde8ea5057d1606a2fba42ea179677378 +Author: Patrick Schleizer +Date: Mon Sep 28 10:29:50 2020 -0400 + + unblacklist squashfs as this would likely break Whonix-Host ISO + + https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182 + +commit 4070133ed65af409adeb6f8c7970d3bc7074b02b +Author: Patrick Schleizer +Date: Mon Sep 28 10:25:57 2020 -0400 + + unblacklist vfat + + https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068 + +commit 77d461ec08ffdf0eb6a5d124927d9f9748c0dd3c +Merge: 5fc7b79 3684ab5 +Author: Patrick Schleizer +Date: Mon Sep 28 10:24:59 2020 -0400 + + Merge remote-tracking branch 'github/master' + +commit 3684ab585eeab46ff17a1d410ce1bcff1a63968c +Merge: ae90107 a813e7d +Author: Patrick Schleizer +Date: Mon Sep 28 14:24:15 2020 +0000 + + Merge pull request #75 from flawedworld/patch-1 + + Blacklist more modules (based on OpenSCAP for RHEL 8) + +commit ae90107e6df4d312a6734985df38b8533d1283c8 +Merge: 5fc7b79 8f7727e +Author: Patrick Schleizer +Date: Mon Sep 28 14:23:42 2020 +0000 + + Merge pull request #76 from flawedworld/patch-2 + + Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3 + +commit a813e7da07a39e96e0cd7937aee7568307a00287 +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Sat Sep 19 20:46:19 2020 +0100 + + Blacklist more modules + +commit 5fc7b791db473c22ea43ff899e2dbe232c42a2b7 +Author: Patrick Schleizer +Date: Sat Sep 19 09:28:27 2020 -0400 + + bumped changelog version + commit bff6ce7abb920d55edc49b19340a1e9251a4cd8c Merge: 98c0dec 9239c8b Author: Patrick Schleizer 
@@ -14,6 +67,20 @@ Date: Sat Sep 19 10:54:21 2020 +0000 Update thunar.xml +commit 8f7727e823a86a1826686d5c95d0070721c7acba +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Fri Sep 18 23:36:30 2020 +0100 + + Add some IPv6 options + +commit 944fed3c459dd55820cb1eca68f86816bdf8469f +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Fri Sep 18 23:29:04 2020 +0100 + + Disallow kernel profiling by users without CAP_SYS_ADMIN + + It's the default on a lot of stuff, but still nice to have. + commit 98c0decaa46c6fb839062ff9af0556d821c254e6 Author: Patrick Schleizer Date: Mon Aug 3 09:43:43 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 8e22b99..403eee2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 28 Sep 2020 14:30:42 +0000 + security-misc (3:18.9-1) unstable; urgency=medium * New upstream version (local package). From 06ffd5d2201152c60eb4309860b8c42be386dccb Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 28 Sep 2020 19:21:20 +0000 Subject: [PATCH 0348/1650] Restrict access to debugfs --- debian/control | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/debian/control b/debian/control index 0d6871a..3480c39 100644 --- a/debian/control +++ b/debian/control @@ -126,6 +126,9 @@ Description: enhances misc security settings * Restricts loading line disciplines to `CAP_SYS_MODULE`. . * Restricts the `userfaultfd()` syscall to root. + . + * Access to debugfs is restricted as it can contain a lot of sensitive + information. . Improve Entropy Collection . diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 6104280..dc12cb2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -66,3 +66,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
 GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0"
+
+## Restrict access to debugfs since it can contain a lot of sensitive information.
+## https://lkml.org/lkml/2020/7/16/122
+## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
From 881d695bff7d65c66bbf8e0973f883c75a3d1ebb Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 5 Oct 2020 07:03:37 -0400
Subject: [PATCH 0349/1650] bumped changelog version
---
 changelog.upstream | 28 ++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 34 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 7dea06f..8c16f13 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,31 @@
+commit 3adb2c92d9551f649b177753fede18da3cc4b0eb
+Merge: feb7cea 5856013
+Author: Patrick Schleizer
+Date: Sat Oct 3 14:10:32 2020 -0400
+
+ Merge remote-tracking branch 'github/master'
+
+commit 58560138cdc36fa5f6142f75f0fed53bcad96363
+Merge: feb7cea 06ffd5d
+Author: Patrick Schleizer
+Date: Sat Oct 3 18:09:07 2020 +0000
+
+ Merge pull request #77 from madaidan/debugfs
+
+ Restrict access to debugfs
+
+commit 06ffd5d2201152c60eb4309860b8c42be386dccb
+Author: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Mon Sep 28 19:21:20 2020 +0000
+
+ Restrict access to debugfs
+
+commit feb7cea4c508a94d1140bc08856d0fe586da694e
+Author: Patrick Schleizer
+Date: Mon Sep 28 10:30:42 2020 -0400
+
+ bumped changelog version
+
 commit da1ac48cde8ea5057d1606a2fba42ea179677378
 Author: Patrick Schleizer
 Date: Mon Sep 28 10:29:50 2020 -0400
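Review bot: `debugfs=off` only has an effect on kernels that understand the `debugfs=` boot parameter, which the linked kernel-parameters.txt revision introduced during the 5.10 cycle; an older kernel ignores the unknown parameter without complaint, so debugfs stays mountable there while the `debian/control` text in the same commit states that access "is restricted". The comment should record the dependency so the gap is visible, e.g. `## Requires Linux 5.10 or newer; older kernels silently ignore this parameter.` Checking for a mounted debugfs after boot on the supported kernel set would confirm the option actually took effect. `GRUB_CMDLINE_LINUX` is assembled across the whole file, outside this hunk.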
diff --git a/debian/changelog b/debian/changelog index 403eee2..3cdf27a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 05 Oct 2020 11:03:37 +0000 + security-misc (3:19.0-1) unstable; urgency=medium * New upstream version (local package). From 3f656be5746ec4d219371fb0d67c222df7fe52d1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 31 Oct 2020 05:48:10 -0400 Subject: [PATCH 0350/1650] chmod +x /etc/X11/Xsession.d/50panic_on_oops chmod +x /etc/X11/Xsession.d/50security-misc --- etc/X11/Xsession.d/50panic_on_oops | 0 etc/X11/Xsession.d/50security-misc | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 etc/X11/Xsession.d/50panic_on_oops mode change 100644 => 100755 etc/X11/Xsession.d/50security-misc diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops old mode 100644 new mode 100755 diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc old mode 100644 new mode 100755 From b06d4ca29983938fa81acfc379366e6c1516c69a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 31 Oct 2020 06:09:22 -0400 Subject: [PATCH 0351/1650] bumped changelog version --- changelog.upstream | 13 +++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 19 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c16f13..749b702 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,16 @@ +commit 3f656be5746ec4d219371fb0d67c222df7fe52d1 +Author: Patrick Schleizer +Date: Sat Oct 31 05:48:10 2020 -0400 + + chmod +x /etc/X11/Xsession.d/50panic_on_oops + chmod +x /etc/X11/Xsession.d/50security-misc + +commit 881d695bff7d65c66bbf8e0973f883c75a3d1ebb +Author: Patrick Schleizer +Date: Mon Oct 5 07:03:37 2020 -0400 + + bumped changelog version + commit 3adb2c92d9551f649b177753fede18da3cc4b0eb Merge: feb7cea 5856013 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 3cdf27a..4b7200c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 31 Oct 2020 10:09:22 +0000 + security-misc (3:19.1-1) unstable; urgency=medium * New upstream version (local package). From c1e0bb831025854afbd88e5c353a000c4dadaede Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 31 Oct 2020 06:11:49 -0400 Subject: [PATCH 0352/1650] shebang --- etc/X11/Xsession.d/50security-misc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc index c9ffae8..31d77c0 100755 --- a/etc/X11/Xsession.d/50security-misc +++ b/etc/X11/Xsession.d/50security-misc @@ -1,3 +1,5 @@ +#!/bin/sh + ## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. From f4843b1deb95948f9fe2a2870ecbe61c1cab798a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 31 Oct 2020 06:29:25 -0400 Subject: [PATCH 0353/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 749b702..d685476 100644 --- a/changelog.upstream +++ b/changelog.upstream 
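Review bot: The added `#!/bin/sh` does not select the interpreter for this file: on Debian-derived systems `/etc/X11/Xsession` sources the entries of `/etc/X11/Xsession.d/` with `.`, so the body runs under whatever shell Xsession itself uses, and the same applies to the executable bit set in patch 0350 on this page. Keeping the shebang as an editor and linter hint is reasonable, but if the body (outside this hunk) relies on bash-only syntax, `/bin/sh` is misleading. A one-line note would make the intent explicit: `## Sourced by /etc/X11/Xsession, not executed; the shebang is informational only.`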
@@ -1,3 +1,15 @@ +commit c1e0bb831025854afbd88e5c353a000c4dadaede +Author: Patrick Schleizer +Date: Sat Oct 31 06:11:49 2020 -0400 + + shebang + +commit b06d4ca29983938fa81acfc379366e6c1516c69a +Author: Patrick Schleizer +Date: Sat Oct 31 06:09:22 2020 -0400 + + bumped changelog version + commit 3f656be5746ec4d219371fb0d67c222df7fe52d1 Author: Patrick Schleizer Date: Sat Oct 31 05:48:10 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 4b7200c..5a81b54 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 31 Oct 2020 10:29:25 +0000 + security-misc (3:19.2-1) unstable; urgency=medium * New upstream version (local package). From bb72c1278dd02a48a631d8e798cd78100576a1a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Nov 2020 06:36:39 -0500 Subject: [PATCH 0354/1650] copyright --- etc/kernel/postinst.d/30_remove-system-map | 3 +++ etc/security/limits.d/30_security-misc.conf | 5 ++++- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 3 +++ etc/thunderbird/pref/40_security-mic.js | 3 +++ usr/lib/security-misc/pam-abort-on-locked-password | 3 +++ 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index fc4a604..ffffa39 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,5 +1,8 @@ #!/bin/bash +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + if test -x /usr/lib/security-misc/remove-system.map ; then /usr/lib/security-misc/remove-system.map fi diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index ea7c414..d074d94 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf 
@@ -1,2 +1,5 @@ -# Disable coredumps. +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Disable coredumps. * hard core 0 diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index 06b5b64..09db5fb 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,5 +1,8 @@ + + + diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js index fe36be2..91a8023 100644 --- a/etc/thunderbird/pref/40_security-mic.js +++ b/etc/thunderbird/pref/40_security-mic.js @@ -1,3 +1,6 @@ +//#### Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +//#### See the file COPYING for copying conditions. + //#### meta start //#### project Whonix and Kicksecure //#### category security and apps diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index 71b432c..8ea4cc5 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password @@ -1,5 +1,8 @@ #!/bin/bash +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 1 From 79521397310f5e4e200291b2e2380e8e58953f18 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Nov 2020 06:39:32 -0500 Subject: [PATCH 0355/1650] comment --- usr/lib/security-misc/pam-abort-on-locked-password | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index 8ea4cc5..38f1797 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password 
@@ -3,6 +3,10 @@ ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## This is only a usability feature to avoid needlessly bumping pam_tally2 +## counter. This is not a security feature. +## https://forums.whonix.org/t/restrict-root-access/7658/1 + if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 1 From 211769dc65a5c98cbdb55ce62e83c9e2a9fa1540 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Nov 2020 06:41:51 -0500 Subject: [PATCH 0356/1650] comment --- usr/lib/security-misc/pam-abort-on-locked-password | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index 38f1797..a3fa773 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password @@ -25,6 +25,9 @@ else fi fi + ## Should not unconditionally 'exit 1' here. + ## Locked user accounts might have valid sudoers exceptions. + ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 exit 1 fi From dfe9b0f6c7364e4d3cc3bf13ad7c0fccc2cb7e10 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Nov 2020 06:42:47 -0500 Subject: [PATCH 0357/1650] fix, no longer unconditionally abort pam for user accounts with locked passwords as locked user accounts might have valid sudoers exceptions Thanks to @mimp for the bug report! https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 --- usr/lib/security-misc/pam-abort-on-locked-password | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index a3fa773..2b07006 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password 
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@@ -15,7 +15,7 @@ fi
 if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
 true "INFO: Password not locked."
 else
- echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
+ echo "$0: INFO: Password for user \"$PAM_USER\" is locked."
 if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
 if [ "$PAM_USER" = "root" ]; then
@@ -28,7 +28,7 @@ else
 ## Should not unconditionally 'exit 1' here.
 ## Locked user accounts might have valid sudoers exceptions.
 ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
- exit 1
+ exit 0
 fi
 exit 0
From 581e31af81015fb85ee1bdd81586dbea13804955 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 5 Nov 2020 06:46:57 -0500
Subject: [PATCH 0358/1650] comment
---
 usr/lib/security-misc/pam-abort-on-locked-password | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password
index 2b07006..20b793d 100755
--- a/usr/lib/security-misc/pam-abort-on-locked-password
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@@ -28,6 +28,8 @@ else
 ## Should not unconditionally 'exit 1' here.
 ## Locked user accounts might have valid sudoers exceptions.
 ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
+ ## 'exit 1' would be good for usability here because then the user would get
+ ## faster feedback. A new login attempt would not be needlessly delayed.
 exit 0
 fi
From abae787186d48b2cccf220cbf7b553f8478e60be Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 5 Nov 2020 06:47:16 -0500
Subject: [PATCH 0359/1650] usability: pam abort when attempting to login to root when root password is locked
---
 usr/lib/security-misc/pam-abort-on-locked-password | 1 +
 1 file changed, 1 insertion(+)
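Review bot: Dropping `>&2` from the `INFO: Password for user … is locked.` line moves the message to stdout, and when this script runs as a pam_exec child (the `$PAM_USER` variable suggests it does, though the PAM configuration is not on this page) stdout is discarded unless the module is given the `stdout` or `log=` option, so the message is likely to disappear precisely when a user wonders why a locked account still proceeds through the stack. Keeping the redirection while changing only the severity word, `echo "$0: INFO: Password for user \"$PAM_USER\" is locked." >&2`, preserves visibility. In the second hunk the inner `exit 0` is now identical to the `exit 0` that follows the `fi`, so the branch could end with just its explanatory comment; the enclosing `if`/`else` begins above the hunk.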
diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password
index 20b793d..b7136c4 100755
--- a/usr/lib/security-misc/pam-abort-on-locked-password
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@@ -22,6 +22,7 @@ else
 echo "$0: ERROR: root account is locked by default. See:" >&2
 echo "https://www.whonix.org/wiki/root" >&2
 echo "" >&2
+ exit 1
 fi
 fi
From 0ef35f877066ddac21737e707829c4571bb76abd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 6 Nov 2020 10:18:09 -0500
Subject: [PATCH 0360/1650] bumped changelog version
---
 changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 54 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index d685476..b80bd6f 100644
--- a/changelog.upstream
+++ b/changelog.upstream
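Review bot: The new `exit 1` sits inside the `[ "$PAM_USER" = "root" ]` test, which the previous hunk shows is itself nested under `if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]`, so on a system without either marker file a locked root account still falls through to the trailing `exit 0`; the commit title promises an abort whenever root's password is locked. If the marker check is only meant to gate the wiki hint, the abort belongs after the marker block under its own `if [ "$PAM_USER" = "root" ]; then exit 1; fi`; if the abort is intentionally Whonix/Kicksecure-only, a one-line comment next to the `exit 1` should say so. The enclosing `if`/`else` starts outside this hunk.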
@@ -1,3 +1,51 @@ +commit abae787186d48b2cccf220cbf7b553f8478e60be +Author: Patrick Schleizer +Date: Thu Nov 5 06:47:16 2020 -0500 + + usability: pam abort when attempting to login to root when root password is locked + +commit 581e31af81015fb85ee1bdd81586dbea13804955 +Author: Patrick Schleizer +Date: Thu Nov 5 06:46:57 2020 -0500 + + comment + +commit dfe9b0f6c7364e4d3cc3bf13ad7c0fccc2cb7e10 +Author: Patrick Schleizer +Date: Thu Nov 5 06:42:47 2020 -0500 + + fix, no longer unconditionally abort pam for user accounts with locked passwords + + as locked user accounts might have valid sudoers exceptions + + Thanks to @mimp for the bug report! + + https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 + +commit 211769dc65a5c98cbdb55ce62e83c9e2a9fa1540 +Author: Patrick Schleizer +Date: Thu Nov 5 06:41:51 2020 -0500 + + comment + +commit 79521397310f5e4e200291b2e2380e8e58953f18 +Author: Patrick Schleizer +Date: Thu Nov 5 06:39:32 2020 -0500 + + comment + +commit bb72c1278dd02a48a631d8e798cd78100576a1a8 +Author: Patrick Schleizer +Date: Thu Nov 5 06:36:39 2020 -0500 + + copyright + +commit f4843b1deb95948f9fe2a2870ecbe61c1cab798a +Author: Patrick Schleizer +Date: Sat Oct 31 06:29:25 2020 -0400 + + bumped changelog version + commit c1e0bb831025854afbd88e5c353a000c4dadaede Author: Patrick Schleizer Date: Sat Oct 31 06:11:49 2020 -0400 diff --git a/debian/changelog b/debian/changelog index 5a81b54..4068742 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 06 Nov 2020 15:18:09 +0000 + security-misc (3:19.3-1) unstable; urgency=medium * New upstream version (local package). From 28a326a8a14f56d588ed6f2b4d7d748d53120109 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Sat, 28 Nov 2020 05:31:12 -0500
Subject: [PATCH 0361/1650] add feature `/usr/lib/security-misc/permission-hardening-undo /path/to/filename` to allow removing 1 SUID fix, show INFO message if file does not exist during removal rather than ERROR
---
 .../security-misc/permission-hardening-undo | 96 +++++++++++++++++--
 1 file changed, 90 insertions(+), 6 deletions(-)
diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo
index 3d40b31..ab47404 100755
--- a/usr/lib/security-misc/permission-hardening-undo
+++ b/usr/lib/security-misc/permission-hardening-undo
@@ -7,12 +7,27 @@
 set -e
 set -o pipefail
+if [ "$1" = "all" ]; then
+ remove_file="all"
+elif [ ! "$1" = "" ]; then
+ remove_file="$1"
+else
+ echo "ERROR: need to give parameter 'all' or a filename.
+
+examples:
+
+$0 all
+
+$0 /usr/bin/newgrp
+ " >&2
+fi
+
 exit_code=0
 dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode"
-undo_all() {
+undo_permission_hardening() {
 if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then
 return 0
 fi
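Review bot: The `else` branch of the new argument check prints the usage text but does not stop, so an invocation with no argument carries on with `remove_file` unset: `undo_permission_hardening` then matches neither `all` nor any recorded path, changes nothing, prints the "none removed" text with an empty file name, and exits 0 right after an ERROR message. Add `exit 1` after the `echo … >&2` so a usage error is reported as a failure. Style: `[ ! "$1" = "" ]` reads more directly as `[ -n "$1" ]`, and the multi-line message would be tidier as a here-document. `remove_file` is consumed in the following hunk.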
@@ -31,19 +46,88 @@ undo_all() { fi true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" - chown "${owner}:${group}" "$file_name" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - chmod "$mode" "$file_name" || exit_code=203 + if [ "$remove_file" = "all" ]; then + do_proceed=true + verbose_maybe="" + else + if [ "$remove_file" = "$file_name" ]; then + do_proceed=true + verbose_maybe="--verbose" + remove_one=true + else + do_proceed=false + verbose_maybe="" + fi + fi + + if [ "$do_proceed" = "false" ]; then + continue + fi + + if [ "$remove_one" = "true" ]; then + set -x + fi + + if test -e "$file_name" ; then + chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 + else + echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." + fi dpkg-statoverride --remove "$file_name" &>/dev/null || true dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true + if [ "$remove_one" = "true" ]; then + set +x + break + fi + done < "/var/lib/permission-hardening/existing_mode/statoverride" } -undo_all +undo_permission_hardening + +if [ ! "$remove_file" = "all" ]; then + if [ ! "$remove_one" = "true" ]; then + echo "INFO: none removed. + +File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + +Note: This is expected if already done earlier. + +Note: This program expects the full path to the file. 
Example: + +$0 /usr/bin/newgrp + +The following syntax will not work: + +$0 program-name + +The following example will not work: + +$0 newgrp + +To remove all: + +$0 all + +This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener + +To view list of changed by SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + +For re-enabling any specific SUID binary: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + +For completely disabling SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi +fi if [ ! "$exit_code" = "0" ]; then echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 From fe274838861ada125eccdca11ba044123fdae663 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 28 Nov 2020 06:08:10 -0500 Subject: [PATCH 0362/1650] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b80bd6f..0f2dc0f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
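Review bot: `remove_one` is never initialised before the loop, so the two `[ "$remove_one" = "true" ]` checks inside it and the one after `undo_permission_hardening` depend on the variable being unset rather than explicitly false; `remove_one=false` next to `exit_code=0` states the intent and survives a future `set -u`. The user-facing message in this hunk says `File '$remove_file' has not removed from SUID Disabler and Permission Hardener`; it should read `has not been removed from`. The `set -x` / `set +x` pair around the single-file case also traces the three `dpkg-statoverride` calls whose output is already discarded, and `--verbose` on chown/chmod already reports the permission change, so the xtrace could be dropped. The `while` loop and undo_permission_hardening itself begin before this hunk.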
@@ -1,3 +1,19 @@ +commit 28a326a8a14f56d588ed6f2b4d7d748d53120109 +Author: Patrick Schleizer +Date: Sat Nov 28 05:31:12 2020 -0500 + + add feature `/usr/lib/security-misc/permission-hardening-undo /path/to/filename` + + to allow removing 1 SUID + + fix, show INFO message if file does not exist during removal rather than ERROR + +commit 0ef35f877066ddac21737e707829c4571bb76abd +Author: Patrick Schleizer +Date: Fri Nov 6 10:18:09 2020 -0500 + + bumped changelog version + commit abae787186d48b2cccf220cbf7b553f8478e60be Author: Patrick Schleizer Date: Thu Nov 5 06:47:16 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 4068742..40bf4c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 28 Nov 2020 11:08:10 +0000 + security-misc (3:19.4-1) unstable; urgency=medium * New upstream version (local package). From cf07e977bd6697af7a4326d7705447d500d35593 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 29 Nov 2020 09:09:42 -0500 Subject: [PATCH 0363/1650] add `/bin/pkexec exactwhitelist` for consistency since there is already `/usr/bin/pkexec exactwhitelist` --- etc/permission-hardening.d/30_default.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index a4547d0..7684cc9 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -42,7 +42,9 @@ /usr/lib/chromium/chrome-sandbox exactwhitelist /usr/bin/pkexec exactwhitelist +/bin/pkexec exactwhitelist /usr/bin/pkexec.security-misc-orig exactwhitelist +/bin/pkexec.security-misc-orig exactwhitelist ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## Protect from 'chmod -x' (and SUID removal). From 318ab570aacd48b7f163331dc2ba8b012e0d2336 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 1 Dec 2020 04:28:15 -0500 Subject: [PATCH 0364/1650] simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries --- etc/permission-hardening.d/30_default.conf | 50 +------------------ .../40_default_whitelist_bubblewrap.conf | 9 ++++ .../40_default_whitelist_chromium.conf | 8 +++ .../40_default_whitelist_dbus.conf | 8 +++ .../40_default_whitelist_firejail.conf | 11 ++++ .../40_default_whitelist_fuse.conf | 10 ++++ .../40_default_whitelist_mount.conf | 17 +++++++ .../40_default_whitelist_policykit.conf | 17 +++++++ .../40_default_whitelist_qubes.conf | 13 +++++ .../40_default_whitelist_selinux.conf | 8 +++ .../40_default_whitelist_spice.conf | 8 +++ .../40_default_whitelist_sudo.conf | 9 ++++ .../40_default_whitelist_virtualbox.conf | 9 ++++ 13 files changed, 128 insertions(+), 49 deletions(-) create mode 100644 etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_chromium.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_dbus.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_firejail.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_fuse.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_mount.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_policykit.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_qubes.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_selinux.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_spice.conf create mode 100644 etc/permission-hardening.d/40_default_whitelist_sudo.conf create mode 100644 
etc/permission-hardening.d/40_default_whitelist_virtualbox.conf diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 7684cc9..4e86fc1 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -34,29 +34,6 @@ # SUID exact match whitelist ###################################################################### -/usr/bin/sudo exactwhitelist -/bin/sudo exactwhitelist -/usr/bin/bwrap exactwhitelist -/bin/bwrap exactwhitelist -/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist -/usr/lib/chromium/chrome-sandbox exactwhitelist - -/usr/bin/pkexec exactwhitelist -/bin/pkexec exactwhitelist -/usr/bin/pkexec.security-misc-orig exactwhitelist -/bin/pkexec.security-misc-orig exactwhitelist - -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -## Protect from 'chmod -x' (and SUID removal). -## SUID will be removed below in separate step. -/bin/mount exactwhitelist -/usr/bin/mount exactwhitelist - -## There is a controversy about firejail but those who choose to install it -## should be able to use it. -## https://www.whonix.org/wiki/Dev/Firejail#Security -/usr/bin/firejail exactwhitelist - ## In case you need to use 'su'. See also: ## https://www.whonix.org/wiki/root#su #/bin/su exactwhitelist 
@@ -72,42 +49,17 @@ #/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### -# SUID regex match whitelist - research required +# SUID regex match whitelist ###################################################################### -/usr/lib/virtualbox/ matchwhitelist - -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -## match both: -#/usr/lib/qubes/qfile-unpacker whitelist -#/lib/qubes/qfile-unpacker -/qubes/qfile-unpacker matchwhitelist - -## match both: -#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist -#/lib/policykit-1/polkit-agent-helper-1 -polkit-agent-helper-1 matchwhitelist - ###################################################################### # SUID regex match whitelist ###################################################################### -dbus-daemon-launch-helper matchwhitelist -/utempter/utempter matchwhitelist - -## required for AppImages such as electrum Bitcoin wallet -## https://forums.whonix.org/t/disable-suid-binaries/7706/57 -/fusermount matchwhitelist - ###################################################################### # Permission Hardening ###################################################################### -## Remove SUID from 'mount' but keep executable. -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/bin/mount 745 root root -/usr/bin/mount 745 root root - /home/ 0755 root root /home/user/ 0700 user user /root/ 0700 root root diff --git a/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf new file mode 100644 index 0000000..af2a214 --- /dev/null +++ b/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf 
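Review bot: On the new side 30_default.conf now carries two consecutive empty sections both headed `# SUID regex match whitelist` (the first was retitled from `... - research required` in this hunk), which leaves a reader unsure where a regex entry belongs. Removing the duplicate header block, or replacing it with a one-line pointer such as `## Default regex whitelist entries live in 40_default_whitelist_*.conf`, would make the remaining skeleton self-explanatory.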
@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/bwrap exactwhitelist
+/bin/bwrap exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_chromium.conf b/etc/permission-hardening.d/40_default_whitelist_chromium.conf
new file mode 100644
index 0000000..3ba68e2
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_chromium.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/lib/chromium/chrome-sandbox exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_dbus.conf b/etc/permission-hardening.d/40_default_whitelist_dbus.conf
new file mode 100644
index 0000000..85290e7
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_dbus.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+dbus-daemon-launch-helper matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_firejail.conf b/etc/permission-hardening.d/40_default_whitelist_firejail.conf
new file mode 100644
index 0000000..2fcb272
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_firejail.conf
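Review bot: `dbus-daemon-launch-helper matchwhitelist` has no directory component, so if `matchwhitelist` is the regex/substring match that the `# SUID regex match whitelist` heading in 30_default.conf suggests, any SUID file whose path merely contains that name is exempted from SUID removal regardless of where it sits. `polkit-agent-helper-1 matchwhitelist` in 40_default_whitelist_policykit.conf has the same shape. Including the parent directory, as the qubes and utempter entries do, still covers both the `/usr/lib` and `/lib` locations while narrowing the match: `/dbus-1.0/dbus-daemon-launch-helper matchwhitelist` and `/policykit-1/polkit-agent-helper-1 matchwhitelist`. The matching code is not part of this patch, so confirm in permission-hardening how `matchwhitelist` patterns are applied before changing them.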
@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## There is a controversy about firejail but those who choose to install it
+## should be able to use it.
+## https://www.whonix.org/wiki/Dev/Firejail#Security
+/usr/bin/firejail exactwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_fuse.conf b/etc/permission-hardening.d/40_default_whitelist_fuse.conf
new file mode 100644
index 0000000..b0cffa9
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_fuse.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## required for AppImages such as electrum Bitcoin wallet
+## https://forums.whonix.org/t/disable-suid-binaries/7706/57
+/fusermount matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_mount.conf b/etc/permission-hardening.d/40_default_whitelist_mount.conf
new file mode 100644
index 0000000..5ab606a
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_mount.conf
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
diff --git a/etc/permission-hardening.d/40_default_whitelist_policykit.conf b/etc/permission-hardening.d/40_default_whitelist_policykit.conf
new file mode 100644
index 0000000..a188c98
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_policykit.conf
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/bin/pkexec exactwhitelist
+/bin/pkexec exactwhitelist
+/usr/bin/pkexec.security-misc-orig exactwhitelist
+/bin/pkexec.security-misc-orig exactwhitelist
+
+## TODO: research
+## match both:
+#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
+#/lib/policykit-1/polkit-agent-helper-1
+polkit-agent-helper-1 matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_qubes.conf b/etc/permission-hardening.d/40_default_whitelist_qubes.conf
new file mode 100644
index 0000000..bb2dddc
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_qubes.conf
@@ -0,0 +1,13 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## TODO: research
+## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
+## match both:
+#/usr/lib/qubes/qfile-unpacker whitelist
+#/lib/qubes/qfile-unpacker
+/qubes/qfile-unpacker matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_selinux.conf b/etc/permission-hardening.d/40_default_whitelist_selinux.conf
new file mode 100644
index 0000000..0e844c1
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_selinux.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/utempter/utempter matchwhitelist
diff --git a/etc/permission-hardening.d/40_default_whitelist_spice.conf b/etc/permission-hardening.d/40_default_whitelist_spice.conf
new file mode 100644
index 0000000..27a0922
--- /dev/null
+++ b/etc/permission-hardening.d/40_default_whitelist_spice.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
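Review bot: The new file 40_default_whitelist_selinux.conf contains only `/utempter/utempter matchwhitelist`, but that helper comes from libutempter (used by terminal emulators to update utmp/wtmp records) and is unrelated to SELinux, so the per-component naming this commit introduces would mislead an admin looking for the utempter exemption or trying to drop the SELinux one. Naming the file `40_default_whitelist_utempter.conf`, or at least adding `## libutempter helper (utmp/wtmp updates for terminal emulators)` above the entry, keeps the split self-describing.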
diff --git a/etc/permission-hardening.d/40_default_whitelist_sudo.conf b/etc/permission-hardening.d/40_default_whitelist_sudo.conf new file mode 100644 index 0000000..30b5a07 --- /dev/null +++ b/etc/permission-hardening.d/40_default_whitelist_sudo.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/sudo exactwhitelist +/bin/sudo exactwhitelist diff --git a/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf new file mode 100644 index 0000000..2c9adba --- /dev/null +++ b/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +/usr/lib/virtualbox/ matchwhitelist From 36a471ebce883f7a1660977f486b21ece320d0c2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 1 Dec 2020 05:02:34 -0500 Subject: [PATCH 0365/1650] SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists `whitelists_disable_all=true` --- etc/permission-hardening.d/30_default.conf | 6 ++++++ usr/lib/security-misc/permission-hardening | 22 ++++++++++++++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 4e86fc1..2557b2d 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -15,6 +15,12 @@ ## TODO: white spaces inside file name untested and probably will not work. +###################################################################### +# Global Settings +###################################################################### + +#whitelists_disable_all=true + ###################################################################### # SUID disablewhitelist ###################################################################### diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index 530d975..cc9acfc 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -252,6 +252,12 @@ set_file_perms() { exit "$exit_code" fi + if [ "$line" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + echo "INFO: whitelists_disable_all=true - all whitelists disabled." + continue + fi + #global fso local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then @@ -275,14 +281,22 @@ set_file_perms() { fi if [ "$mode_from_config" = "exactwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="$fso " + if [ "$whitelists_disable_all" = "true" ]; then + true "INFO: Not adding fso '$fso' to exact_white_list because whitelists_disable_all=true" + else + ## TODO: test/add white spaces inside file name support + exact_white_list+="$fso " + fi continue fi if [ "$mode_from_config" = "matchwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - match_white_list+="$fso " + if [ "$whitelists_disable_all" = "true" ]; then + true "INFO: Not adding fso '$fso' to matchwhitelist because whitelists_disable_all=true" + else + ## TODO: test/add white spaces inside file name support + match_white_list+="$fso " + fi continue fi 
From 704f0500ba4e23a1e5b33688db02e03b1169046d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 1 Dec 2020 05:03:16 -0500 Subject: [PATCH 0366/1650] fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf since whitelist needs to be defined before SUID removal commands --- ...elist_bubblewrap.conf => 25_default_whitelist_bubblewrap.conf} | 0 ...whitelist_chromium.conf => 25_default_whitelist_chromium.conf} | 0 ...default_whitelist_dbus.conf => 25_default_whitelist_dbus.conf} | 0 ...whitelist_firejail.conf => 25_default_whitelist_firejail.conf} | 0 ...default_whitelist_fuse.conf => 25_default_whitelist_fuse.conf} | 0 ...fault_whitelist_mount.conf => 25_default_whitelist_mount.conf} | 0 ...itelist_policykit.conf => 25_default_whitelist_policykit.conf} | 0 ...fault_whitelist_qubes.conf => 25_default_whitelist_qubes.conf} | 0 ...t_whitelist_selinux.conf => 25_default_whitelist_selinux.conf} | 0 ...fault_whitelist_spice.conf => 25_default_whitelist_spice.conf} | 0 ...default_whitelist_sudo.conf => 25_default_whitelist_sudo.conf} | 0 ...elist_virtualbox.conf => 25_default_whitelist_virtualbox.conf} | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename etc/permission-hardening.d/{40_default_whitelist_bubblewrap.conf => 25_default_whitelist_bubblewrap.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_chromium.conf => 25_default_whitelist_chromium.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_dbus.conf => 25_default_whitelist_dbus.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_firejail.conf => 25_default_whitelist_firejail.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_fuse.conf => 25_default_whitelist_fuse.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_mount.conf => 25_default_whitelist_mount.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_policykit.conf => 25_default_whitelist_policykit.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_qubes.conf => 
25_default_whitelist_qubes.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_selinux.conf => 25_default_whitelist_selinux.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_spice.conf => 25_default_whitelist_spice.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_sudo.conf => 25_default_whitelist_sudo.conf} (100%) rename etc/permission-hardening.d/{40_default_whitelist_virtualbox.conf => 25_default_whitelist_virtualbox.conf} (100%) diff --git a/etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_bubblewrap.conf rename to etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_chromium.conf rename to etc/permission-hardening.d/25_default_whitelist_chromium.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_dbus.conf rename to etc/permission-hardening.d/25_default_whitelist_dbus.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_firejail.conf rename to etc/permission-hardening.d/25_default_whitelist_firejail.conf 
diff --git a/etc/permission-hardening.d/40_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_fuse.conf rename to etc/permission-hardening.d/25_default_whitelist_fuse.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_mount.conf rename to etc/permission-hardening.d/25_default_whitelist_mount.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_policykit.conf rename to etc/permission-hardening.d/25_default_whitelist_policykit.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_qubes.conf rename to etc/permission-hardening.d/25_default_whitelist_qubes.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_selinux.conf rename to etc/permission-hardening.d/25_default_whitelist_selinux.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_spice.conf rename to etc/permission-hardening.d/25_default_whitelist_spice.conf 
diff --git a/etc/permission-hardening.d/40_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_sudo.conf rename to etc/permission-hardening.d/25_default_whitelist_sudo.conf diff --git a/etc/permission-hardening.d/40_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf similarity index 100% rename from etc/permission-hardening.d/40_default_whitelist_virtualbox.conf rename to etc/permission-hardening.d/25_default_whitelist_virtualbox.conf From b09cc0de6af2d7e12110a0f3030234539288abad Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 1 Dec 2020 05:10:26 -0500 Subject: [PATCH 0367/1650] Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" This reverts commit 36a471ebce883f7a1660977f486b21ece320d0c2. --- etc/permission-hardening.d/30_default.conf | 6 ------ usr/lib/security-misc/permission-hardening | 22 ++++------------------ 2 files changed, 4 insertions(+), 24 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 2557b2d..4e86fc1 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -15,12 +15,6 @@ ## TODO: white spaces inside file name untested and probably will not work. -###################################################################### -# Global Settings -###################################################################### - -#whitelists_disable_all=true - ###################################################################### # SUID disablewhitelist ###################################################################### diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index cc9acfc..530d975 100755 --- a/usr/lib/security-misc/permission-hardening 
+++ b/usr/lib/security-misc/permission-hardening @@ -252,12 +252,6 @@ set_file_perms() { exit "$exit_code" fi - if [ "$line" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." - continue - fi - #global fso local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then @@ -281,22 +275,14 @@ set_file_perms() { fi if [ "$mode_from_config" = "exactwhitelist" ]; then - if [ "$whitelists_disable_all" = "true" ]; then - true "INFO: Not adding fso '$fso' to exact_white_list because whitelists_disable_all=true" - else - ## TODO: test/add white spaces inside file name support - exact_white_list+="$fso " - fi + ## TODO: test/add white spaces inside file name support + exact_white_list+="$fso " continue fi if [ "$mode_from_config" = "matchwhitelist" ]; then - if [ "$whitelists_disable_all" = "true" ]; then - true "INFO: Not adding fso '$fso' to matchwhitelist because whitelists_disable_all=true" - else - ## TODO: test/add white spaces inside file name support - match_white_list+="$fso " - fi + ## TODO: test/add white spaces inside file name support + match_white_list+="$fso " continue fi From c031f22995a1e073bd81189ee97a3de32a2b278f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 1 Dec 2020 05:14:48 -0500 Subject: [PATCH 0368/1650] SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists `whitelists_disable_all=true` --- etc/permission-hardening.d/30_default.conf | 6 ++++++ usr/lib/security-misc/permission-hardening | 10 +++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 4e86fc1..2557b2d 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -15,6 +15,12 @@
 ## TODO: white spaces inside file name untested and probably will not work.
+######################################################################
+# Global Settings
+######################################################################
+
+#whitelists_disable_all=true
+
 ######################################################################
 # SUID disablewhitelist
 ######################################################################
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 530d975..cc4403c 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -177,7 +177,9 @@ add_nosuid_statoverride_entry() {
 fi
 done
- if [ "$is_disable_whitelisted" = "true" ]; then
+ if [ "$whitelists_disable_all" = "true" ]; then
+ true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
+ elif [ "$is_disable_whitelisted" = "true" ]; then
 echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
 else
 if [ "$is_exact_whitelisted" = "true" ]; then
@@ -252,6 +254,12 @@ set_file_perms() {
 exit "$exit_code"
 fi
+ if [ "$line" = 'whitelists_disable_all=true' ]; then
+ whitelists_disable_all=true
+ echo "INFO: whitelists_disable_all=true - all whitelists disabled."
+ continue
+ fi
+
 #global fso
 local mode_from_config owner_from_config group_from_config capability_from_config
 if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
From 261ef85c14ff9c13d3d7734d8c9eba5a54497187 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 1 Dec 2020 05:53:06 -0500
Subject: [PATCH 0369/1650] bumped changelog version
---
changelog.upstream | 58 ++++++++++++++++++++++++++++++++++++++++++++++
debian/changelog | 6 +++++
2 files changed, 64 insertions(+)
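Review bot: In the `@@ -177` hunk the new first branch reports with `true`, which produces no output, so when `whitelists_disable_all=true` is active nothing about the whitelisted setuid/setgid file being handled at that point appears in the log, whereas the neighbouring `elif` branch still uses `echo`. Because this option is the one that overrides every whitelist, the run should stay auditable: `echo "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"` keeps the message and makes it visible. `$whitelists_disable_all` is also tested here without an initialisation visible in the patch; if the script runs under `set -u` (not shown), an unset variable aborts the loop, so an explicit `whitelists_disable_all=false` next to the other `is_*` flags would be safer. The body of add_nosuid_statoverride_entry begins and ends outside the hunk.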
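Review bot: The `@@ -252` hunk sets `whitelists_disable_all=true` while the configuration lines are being read in set_file_perms, so the option only affects directives read after it; if `nosuid` lines are executed in the same pass (the hunk does not show where they are acted on), a `whitelists_disable_all=true` placed in a drop-in that sorts after 30_default.conf, the usual location for local overrides, is read only after the earlier SUID removals have already run and silently has no effect. A first pass over all configuration files that collects only global settings, before any directive is executed, would remove that ordering dependency; at minimum the new commented example in 30_default.conf should say that the line must precede any `nosuid` entry. The comparison is an exact string match, so a trailing space or `whitelists_disable_all=false` falls through to the `read -r fso ...` parser below and is handled as a file name. set_file_perms continues outside the hunk.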
diff --git a/changelog.upstream b/changelog.upstream index 0f2dc0f..645a943 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,61 @@ +commit c031f22995a1e073bd81189ee97a3de32a2b278f +Author: Patrick Schleizer +Date: Tue Dec 1 05:14:48 2020 -0500 + + SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists + + `whitelists_disable_all=true` + +commit b09cc0de6af2d7e12110a0f3030234539288abad +Author: Patrick Schleizer +Date: Tue Dec 1 05:10:26 2020 -0500 + + Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" + + This reverts commit 36a471ebce883f7a1660977f486b21ece320d0c2. + +commit 704f0500ba4e23a1e5b33688db02e03b1169046d +Author: Patrick Schleizer +Date: Tue Dec 1 05:03:16 2020 -0500 + + fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf + + since whitelist needs to be defined before SUID removal commands + +commit 36a471ebce883f7a1660977f486b21ece320d0c2 +Author: Patrick Schleizer +Date: Tue Dec 1 05:02:34 2020 -0500 + + SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists + + `whitelists_disable_all=true` + +commit 318ab570aacd48b7f163331dc2ba8b012e0d2336 +Author: Patrick Schleizer +Date: Tue Dec 1 04:28:15 2020 -0500 + + simplify disabling of SUID Disabler and Permission Hardener whitelist + + split `/etc/permission-hardening.d/30_default.conf` into multiple files + + `/etc/permission-hardening.d/40_default_whitelist_[...].conf` + + therefore make it easier to delete any whitelisted SUID binaries + +commit cf07e977bd6697af7a4326d7705447d500d35593 +Author: Patrick Schleizer +Date: Sun Nov 29 09:09:42 2020 -0500 + + add `/bin/pkexec exactwhitelist` for consistency + + since there is already `/usr/bin/pkexec exactwhitelist` + +commit fe274838861ada125eccdca11ba044123fdae663 +Author: Patrick Schleizer +Date: Sat Nov 28 06:08:10 2020 -0500 + + bumped changelog version + commit 28a326a8a14f56d588ed6f2b4d7d748d53120109 Author: Patrick Schleizer Date: Sat Nov 28 05:31:12 2020 -0500 
diff --git a/debian/changelog b/debian/changelog index 40bf4c5..1aecbfa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 01 Dec 2020 10:53:06 +0000 + security-misc (3:19.5-1) unstable; urgency=medium * New upstream version (local package). From f73c55f16c10ee2cd0532f4032cec56c484bd4d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 6 Dec 2020 04:08:58 -0500 Subject: [PATCH 0370/1650] /opt https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 --- etc/permission-hardening.d/30_default.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 2557b2d..b190672 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -96,6 +96,10 @@ /usr/local/lib32/ nosuid /usr/local/lib64/ nosuid +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 +/opt/ nosuid +/usr/local/opt/ nosuid + ###################################################################### # Capability Removal ###################################################################### From 11cdce02a048b323c6f56cb15f98e6060aab8346 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 6 Dec 2020 04:10:10 -0500 Subject: [PATCH 0371/1650] refactoring --- etc/permission-hardening.d/30_default.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index b190672..059fe38 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -81,17 +81,23 @@ ## Remove all SUID/SGID binaries/libraries. /bin/ nosuid + /usr/bin/ nosuid /usr/local/bin/ nosuid + /sbin/ nosuid + /usr/sbin/ nosuid /usr/local/sbin/ nosuid + /lib/ nosuid /lib32/ nosuid /lib64/ nosuid + /usr/lib/ nosuid /usr/lib32/ nosuid /usr/lib64/ nosuid + /usr/local/lib/ nosuid /usr/local/lib32/ nosuid /usr/local/lib64/ nosuid From 5bd267d7747521fa5bb053da19dc79991e2c4bb5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 6 Dec 2020 04:10:50 -0500 Subject: [PATCH 0372/1650] refactoring --- etc/permission-hardening.d/30_default.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 059fe38..732b601 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -95,11 +95,12 @@ /lib64/ nosuid /usr/lib/ nosuid -/usr/lib32/ nosuid -/usr/lib64/ nosuid - /usr/local/lib/ nosuid + +/usr/lib32/ nosuid /usr/local/lib32/ nosuid + +/usr/lib64/ nosuid /usr/local/lib64/ nosuid ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 From b2b614ed2a1a62ff4c917aba80eeef505810dbf8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 6 Dec 2020 04:15:52 -0500 Subject: [PATCH 0373/1650] cover more folders in /usr/local --- etc/permission-hardening.d/30_default.conf | 27 ++++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 732b601..c447f93 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -81,28 +81,35 @@ ## Remove all SUID/SGID binaries/libraries. /bin/ nosuid - -/usr/bin/ nosuid /usr/local/bin/ nosuid -/sbin/ nosuid +/usr/bin/ nosuid +/usr/local/usr/bin/ nosuid -/usr/sbin/ nosuid +/sbin/ nosuid /usr/local/sbin/ nosuid -/lib/ nosuid -/lib32/ nosuid -/lib64/ nosuid +/usr/sbin/ nosuid +/usr/local/usr/sbin/ nosuid -/usr/lib/ nosuid +/lib/ nosuid /usr/local/lib/ nosuid -/usr/lib32/ nosuid +/lib32/ nosuid /usr/local/lib32/ nosuid -/usr/lib64/ nosuid +/lib64/ nosuid /usr/local/lib64/ nosuid +/usr/lib/ nosuid +/usr/local/usr/lib/ nosuid + +/usr/lib32/ nosuid +/usr/local/usr/lib32/ nosuid + +/usr/lib64/ nosuid +/usr/local/usr/lib64/ nosuid + ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 /opt/ nosuid /usr/local/opt/ nosuid From c5097ed599078091aef1fcb63b237d9835040c34 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 6 Dec 2020 04:23:09 -0500 Subject: [PATCH 0374/1650] comment --- usr/lib/security-misc/permission-hardening | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index cc4403c..c0c5e32 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -453,6 +453,8 @@ set_file_perms() { continue fi + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" fi done < "$config_file" From a4d7e4614174e6f0357a068af0b7fd46e963a89f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Dec 2020 05:20:57 -0500 Subject: [PATCH 0375/1650] bumped changelog version --- changelog.upstream | 38 ++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 44 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 645a943..569fa2a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
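Review bot: The five `/usr/local/usr/...` entries added here (`/usr/local/usr/bin/`, `/usr/local/usr/sbin/`, `/usr/local/usr/lib/`, `/usr/local/usr/lib32/`, `/usr/local/usr/lib64/`) name directories the FHS does not define — the local hierarchy is `/usr/local/bin`, `/usr/local/lib` and so on, which this file already lists — so on a stock Debian install they do not exist. Unless the script skips a missing path before its `find` call (not visible in this patch), every run will print `find` errors for them. If a specific deployment really uses this layout, a `##` comment above the block naming it would keep the next maintainer from treating the entries as typos; otherwise they can be dropped.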
@@ -1,3 +1,41 @@ +commit c5097ed599078091aef1fcb63b237d9835040c34 +Author: Patrick Schleizer +Date: Sun Dec 6 04:23:09 2020 -0500 + + comment + +commit b2b614ed2a1a62ff4c917aba80eeef505810dbf8 +Author: Patrick Schleizer +Date: Sun Dec 6 04:15:52 2020 -0500 + + cover more folders in /usr/local + +commit 5bd267d7747521fa5bb053da19dc79991e2c4bb5 +Author: Patrick Schleizer +Date: Sun Dec 6 04:10:50 2020 -0500 + + refactoring + +commit 11cdce02a048b323c6f56cb15f98e6060aab8346 +Author: Patrick Schleizer +Date: Sun Dec 6 04:10:10 2020 -0500 + + refactoring + +commit f73c55f16c10ee2cd0532f4032cec56c484bd4d5 +Author: Patrick Schleizer +Date: Sun Dec 6 04:08:58 2020 -0500 + + /opt + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 + +commit 261ef85c14ff9c13d3d7734d8c9eba5a54497187 +Author: Patrick Schleizer +Date: Tue Dec 1 05:53:06 2020 -0500 + + bumped changelog version + commit c031f22995a1e073bd81189ee97a3de32a2b278f Author: Patrick Schleizer Date: Tue Dec 1 05:14:48 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 1aecbfa..4be528e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Dec 2020 10:20:57 +0000 + security-misc (3:19.6-1) unstable; urgency=medium * New upstream version (local package). From a258f35f385aff7b6fef71e23b94c4681e52bed2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jan 2021 02:11:08 -0500 Subject: [PATCH 0376/1650] comment --- etc/security/access-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index cc0cb3e..ef85d58 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf 
@@ -1,6 +1,9 @@ ## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## To enable root login, see: +## https://www.whonix.org/wiki/Root#Root_Login + ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 From 353e74fb5f0c150b9de3554b88619480c338ef59 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jan 2021 08:30:37 -0500 Subject: [PATCH 0377/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 569fa2a..9f9816c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a258f35f385aff7b6fef71e23b94c4681e52bed2 +Author: Patrick Schleizer +Date: Tue Jan 5 02:11:08 2021 -0500 + + comment + +commit a4d7e4614174e6f0357a068af0b7fd46e963a89f +Author: Patrick Schleizer +Date: Thu Dec 10 05:20:57 2020 -0500 + + bumped changelog version + commit c5097ed599078091aef1fcb63b237d9835040c34 Author: Patrick Schleizer Date: Sun Dec 6 04:23:09 2020 -0500 diff --git a/debian/changelog b/debian/changelog index 4be528e..f82d639 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 05 Jan 2021 13:30:37 +0000 + security-misc (3:19.7-1) unstable; urgency=medium * New upstream version (local package). From 3066b5ad972f16069361999afbca0978986db862 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 12 Jan 2021 02:17:13 +0000 Subject: [PATCH 0378/1650] Overhaul documentation --- README.md | 525 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 295 insertions(+), 230 deletions(-) diff --git a/README.md b/README.md index ae2f52d..d1adc3a 100644 --- a/README.md +++ b/README.md 
@@ -1,48 +1,76 @@ -# enhances misc security settings # +# Enhances miscellaneous security settings -Inspired by Kernel Self Protection Project (KSPP) +## Kernel hardening -* Implements most if not all recommended Linux kernel settings (sysctl) and -kernel parameters by KSPP. +This section is inspired by the Kernel Self Protection Project (KSPP). It +implements all recommended Linux kernel settings by the KSPP and many +more. * https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project -kernel hardening: +### sysctl -* deactivates Netfilter's connection tracking helper -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) Hence, this package disables this feature by shipping the -`/etc/modprobe.d/30_security-misc.conf` configuration file. +sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +configuration file. -* Kernel symbols in various files in `/proc` are hidden as they can be -very useful for kernel exploits. +* A kernel pointer points to a specific location in kernel memory. These +can be very useful in exploiting the kernel so they are restricted to `CAP_SYSLOG`. -* Kexec is disabled as it can be used to load a malicious kernel. -`/etc/modprobe.d/30_security-misc.conf` +* The kernel logs are restricted to `CAP_SYSLOG` as they can often leak sensitive +information such as kernel pointers. -* ASLR effectiveness for mmap is increased. +* The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. -* The TCP/IP stack is hardened by disabling ICMP redirect acceptance, -ICMP redirect sending and source routing to prevent man-in-the-middle attacks, -ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood -attacks, enabling RFC1337 to protect against time-wait assassination -attacks and enabling reverse path filtering to prevent IP spoofing and -mitigate vulnerabilities such as CVE-2019-14899. 
+* eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior +to 5.8) and JIT hardening techniques such as constant blinding are enabled. -* Avoids unintentional writes to attacker-controlled files. +* Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel +versions prior to 5.8). -* Prevents symlink/hardlink TOCTOU races. +* Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent unprivileged +attackers from loading vulnerable line disciplines with the `TIOCSETD` ioctl which +has been abused in a number of exploits before. -* SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. +* Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` is +often abused to exploit use-after-free flaws. -* Slab merging is disabled as sometimes a slab can be used in a vulnerable -way which an attacker can exploit. +* Kexec is disabled as it can be used to load a malicious kernel and gain +arbitrary code execution in kernel mode. -* Sanity checks and redzoning are enabled. +* The bits of entropy used for mmap ASLR are increased, therefore improving +its effectiveness. -* Memory zeroing at allocation and free time is enabled. +* Prevents unintentional writes to attacker-controlled files. + +* Prevents common symlink and hardlink TOCTOU races. + +* Restricts the SysRq key so it can only be used for shutdowns and the +Secure Attention Key. + +* The kernel is only allowed to swap if it is absolutely necessary. This +prevents writing potentially sensitive contents of memory to disk. + +* TCP timestamps are disabled as it can allow detecting the system time. + +### Boot parameters + +Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf` +configuration file. 
+ +* Slab merging is disabled which significantly increases the difficulty of +heap exploitation by preventing overwriting objects from merged caches and +by making it harder to influence slab cache layout. + +* Sanity checks are enabled which add various checks to prevent corruption +in certain slab operations. + +* Redzoning is enabled which adds extra areas around slabs that detect when +a slab is overwritten past its real size which can help detect overflows. + +* Memory zeroing at allocation and free time is enabled to mitigate some +use-after-free vulnerabilities and erase sensitive information in memory. + +* Page allocator freelist randomization is enabled. * The machine check tolerance level is decreased which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited. 
@@ -50,293 +78,330 @@ on uncorrectable errors in ECC memory that could be exploited. * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. -* Enables all mitigations for CPU vulnerabilities and disables SMT. +* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, +are a potential target for ROP. -* A systemd service clears System.map on boot as these contain kernel symbols -that could be useful to an attacker. -`/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` -`/usr/lib/security-misc/remove-system.map` +* The kernel panics on oopses to thwart certain kernel exploits. -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. -`/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` +* All mitigations for known CPU vulnerabilities are enabled and SMT is +disabled. -* The thunderbolt and firewire kernel modules are blacklisted as they can be -used for DMA (Direct Memory Access) attacks. +* IOMMU is enabled to prevent DMA attacks. -* IOMMU is enabled with a boot parameter to prevent DMA attacks. +### Blacklisted kernel modules -* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has +Certain kernel modules are blacklisted to reduce attack surface via the +`/etc/modprobe.d/30_security-misc.conf` configuration file. + +* Deactivates Netfilter's connection tracking helper — this module +increases kernel attack surface by enabling superfluous functionality +such as IRC parsing in the kernel. Hence, this feature is disabled. + +* Uncommon network protocols are blacklisted. 
This includes: + + DCCP - Datagram Congestion Control Protocol + + SCTP - Stream Control Transmission Protocol + + RDS - Reliable Datagram Sockets + + TIPC - Transparent Inter-process Communication + + HDLC - High-Level Data Link Control + + AX25 - Amateur X.25 + + NetRom + + X25 + + ROSE + + DECnet + + Econet + + af_802154 - IEEE 802.15.4 + + IPX - Internetwork Packet Exchange + + AppleTalk + + PSNAP - Subnetwork Access Protocol + + p8023 - Novell raw IEEE 802.3 + + p8022 - IEEE 802.2 + + CAN — Controller Area Network + + ATM + +* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has a history of security concerns. -https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -`/etc/modprobe.d/30_security-misc.conf` -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -running `systemctl enable hide-hardware-info.service` as root. -`/usr/lib/security-misc/hide-hardware-info` -`/lib/systemd/system/hide-hardware-info.service` -`/lib/systemd/system/user@.service.d/sysfs.conf` -`/etc/hide-hardware-info.d/30_default.conf` +* The Thunderbolt and FireWire kernel modules are blacklisted as they are +often vulnerable to DMA attacks. + +* The vivid kernel module is only required for testing and has been the cause +of multiple vulnerabilities so it is blacklisted. * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. -* Vsyscalls are disabled as they are obsolete, are at fixed addresses and are -a target for ROP. +### Other -* Page allocator freelist randomization is enabled. +* A systemd service clears the System.map file on boot as these contain kernel +pointers. 
The file is completely overwritten with zeroes to ensure it cannot +be recovered. See: -* The vivid kernel module is blacklisted as it's only required for testing -and has been the cause of multiple vulnerabilities. +`/etc/kernel/postinst.d/30_remove-system-map` + +`/lib/systemd/system/remove-system-map.service` + +`/usr/lib/security-misc/remove-system.map` + +* Coredumps are disabled as they may contain important information such as +encryption keys or passwords. See: + +`/etc/security/limits.d/30_security-misc.conf` + +`/etc/sysctl.d/30_security-misc.conf` + +`/lib/systemd/coredump.conf.d/30_security-misc.conf` * An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. -* The kernel panics on oopses to prevent it from continuing to run a flawed -process and to deter brute forcing. +## Network hardening -* Restricts the SysRq key so it can only be used for shutdowns and the -Secure Attention Key. +* TCP syncookies are enabled to prevent SYN flood attacks. -* Restricts loading line disciplines to `CAP_SYS_MODULE`. +* ICMP redirect acceptance, ICMP redirect sending, source routing and +IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. -* Restricts the `userfaultfd()` syscall to root. +* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, +make the device more difficult to enumerate on the network and prevent clock +fingerprinting through ICMP timestamps. -Improve Entropy Collection +* RFC1337 is enabled to protect against time-wait assassination attacks by +dropping RST packets for sockets in the time-wait state. -* Load `jitterentropy_rng` kernel module. -`/usr/lib/modules-load.d/30_security-misc.conf` +* Reverse path filtering is enabled to prevent IP spoofing and mitigate +vulnerabilities such as CVE-2019-14899. 
+ +## Entropy collection improvements + +* The `jitterentropy_rng` kernel module is loaded as early as possible +during boot to gather more entropy via the +`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. * Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. -* https://en.wikipedia.org/wiki/RDRAND#Reception -* https://twitter.com/pid_eins/status/1149649806056280069 -* For more references, see: -* `/etc/default/grub.d/40_distrust_cpu.cfg` +audit, may contain weaknesses or a backdoor. For references, see: +`/etc/default/grub.d/40_distrust_cpu.cfg` * Gathers more entropy during boot if using the linux-hardened kernel patch. -Uncommon network protocols are blacklisted: -These are rarely used and may have unknown vulnerabilities. -`/etc/modprobe.d/30_security-misc.conf` -The network protocols that are blacklisted are: +## Restrictive mount options -* DCCP - Datagram Congestion Control Protocol -* SCTP - Stream Control Transmission Protocol -* RDS - Reliable Datagram Sockets -* TIPC - Transparent Inter-process Communication -* HDLC - High-Level Data Link Control -* AX25 - Amateur X.25 -* NetRom -* X25 -* ROSE -* DECnet -* Econet -* af_802154 - IEEE 802.15.4 -* IPX - Internetwork Packet Exchange -* AppleTalk -* PSNAP - Subnetwork Access Protocol -* p8023 - Novell raw IEEE 802.3 -* p8022 - IEEE 802.2 +`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` +mount options to prevent execution of setuid or setgid binaries and creation of +devices on those filesystems. -user restrictions: +Optionally, they can also be mounted with `noexec` to prevent execution of any +binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root +and reboot. -* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` -(default) and `noexec` (opt-in). To disable this, run -`sudo touch /etc/remount-disable`. 
To opt-in `noexec`, run -`sudo touch /etc/noexec` and reboot (easiest). -Alternatively file `/usr/local/etc/remount-disable` or file -`/usr/local/etc/noexec` could be used. -`/lib/systemd/system/remount-secure.service` -`/usr/lib/security-misc/remount-secure` +To disable this, execute `touch /etc/remount-disable` as root. -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing each other's processes. Not enabled because not -compatible with pkexec. +Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec` +could be used. -* The kernel logs are restricted to root only. - -* The BPF JIT compiler is restricted to the root user and is hardened. - -* The ptrace system call is restricted to the root user only. - -restricts access to the root account: +## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts. +users from using `su` to gain root access or to switch user accounts — `/usr/share/pam-configs/wheel-security-misc` -(Which results in a change in file `/etc/pam.d/common-auth`.) +(which results in a change in file `/etc/pam.d/common-auth`). -* Add user `root` to group `sudo`. This is required to make above work so -login as a user in a virtual console is still possible. -`debian/security-misc.postinst` +* Add user `root` to group `sudo`. This is required due to the above restriction so +that logging in from a virtual console is still possible — `debian/security-misc.postinst` -* Abort login for users with locked passwords. -`/usr/lib/security-misc/pam-abort-on-locked-password` +* Abort login for users with locked passwords — +`/usr/lib/security-misc/pam-abort-on-locked-password`. * Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty`. -(Deletion of `/etc/securetty` has a different effect.) 
-`/etc/securetty.security-misc` +prevented by shipping an existing and empty `/etc/securetty` file +(deletion of `/etc/securetty` has a different effect). -* Console Lockdown. -Allow members of group 'console' to use console. -Everyone else except members of group -'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using `/bin/login` over networks, which might -be exploitable. (CVE-2001-0797) Using pam_access. -Not enabled by default in this package since this package does not know which -users shall be added to group 'console' and would break console. -`/usr/share/pam-configs/console-lockdown-security-misc` -`/etc/security/access-security-misc.conf` +This package does not yet automatically lock the root account password. It +is not clear if this would be sane in such a package although, it is recommended +to lock and expire the root account. -Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using `pam_tally2`. -`/usr/share/pam-configs/tally2-security-misc` +In new Whonix builds, root account will be locked by package +dist-base-files. -informational output during Linux PAM: +See: + +* https://www.whonix.org/wiki/Root +* https://www.whonix.org/wiki/Dev/Permissions +* https://forums.whonix.org/t/restrict-root-access/7658 + +However, a locked root password will break rescue and emergency shell. +Therefore, this package enables passwordless rescue and emergency shell. +This is the same solution that Debian will likely adapt for Debian +installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 + +See: + +* `/etc/systemd/system/emergency.service.d/override.conf` +* `/etc/systemd/system/rescue.service.d/override.conf` + +Adverse security effects can be prevented by setting up BIOS password +protection, GRUB password protection and/or full disk encryption. 
+ +## Console lockdown + +This uses pam_access to allow members of group `console` to use console but +restrict everyone else (except members of group `console-unrestricted`) from +using console with ancient, unpopular login methods such as `/bin/login` +over networks as this might be exploitable. (CVE-2001-0797) + +This is not enabled by default in this package since this package does not +know which users shall be added to group 'console' and thus, would break console. + +See: + +* `/usr/share/pam-configs/console-lockdown-security-misc` +* `/etc/security/access-security-misc.conf` + +## Brute force attack protection + +User accounts are locked after 50 failed login attempts using `pam_tally2`. + +Informational output during Linux PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. -* Point out, that there is no password feedback for `su`. -* Explain locked (root) account if locked. +* Point out that there is no password feedback for `su`. +* Explain locked root account if locked. + +See: + * `/usr/share/pam-configs/tally2-security-misc` * `/usr/lib/security-misc/pam_tally2-info` * `/usr/lib/security-misc/pam-abort-on-locked-password` -access rights restrictions: +## Access rights restrictions -* Strong Linux User Account Separation. -Removes read, write and execute access for others for all users who have -home folders under folder `/home` by running for example -"chmod o-rwx /home/user" -during package installation, upgrade or pam `mkhomedir`. This will be done -only once per folder in folder `/home` so users who wish to relax file -permissions are free to -do so. This is to protect previously created files in user home folder which -were previously created with lax file permissions prior installation of this -package. 
-`debian/security-misc.postinst` -`/usr/lib/security-misc/permission-lockdown` -`/usr/share/pam-configs/mkhomedir-security-misc` +### Strong user account separation -* SUID / GUID removal and permission hardening. -A systemd service removed SUID / GUID from non-essential binaries as these are -often used in privilege escalation attacks. -It is disabled by default for now during testing and can optionally be enabled -by running `systemctl enable permission-hardening.service` as root. -https://forums.whonix.org/t/disable-suid-binaries/7706 -`/usr/lib/security-misc/permission-hardening` -`/lib/systemd/system/permission-hardening.service` -`/etc/permission-hardening.d/30_default.conf` +Read, write and execute access for "others" are removed during package +installation, upgrade or PAM `mkhomedir` for all users who have home +folders in `/home` by running, for example: -access rights relaxations: +``` +chmod o-rwx /home/user +``` -Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible -with `hidepid`. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -https://forums.whonix.org/t/cannot-use-pkexec/8129 -`/usr/bin/pkexec.security-misc` +This will be done only once per folder in `/home` so users who wish to +relax file permissions are free to do so. This is to protect files in a +home folder that were previously created with lax file permissions prior +to the installation of this package. -This package does (not yet) automatically lock the root account password. -It is not clear that would be sane in such a package. -It is recommended to lock and expire the root account. -In new Whonix builds, root account will be locked by package -dist-base-files. -https://www.whonix.org/wiki/Root -https://www.whonix.org/wiki/Dev/Permissions -https://forums.whonix.org/t/restrict-root-access/7658 -However, a locked root password will break rescue and emergency shell. -Therefore this package enables passwordless rescue and emergency shell. 
-This is the same solution that Debian will likely adapt for Debian -installer. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 -Adverse security effects can be prevented by setting up BIOS password -protection, grub password protection and/or full disk encryption. -`/etc/systemd/system/emergency.service.d/override.conf` -`/etc/systemd/system/rescue.service.d/override.conf` +See: -Let the kernel only swap if it is absolutely necessary. -`/etc/sysctl.d/30_security-misc.conf` +* `debian/security-misc.postinst` +* `/usr/lib/security-misc/permission-lockdown` +* `/usr/share/pam-configs/mkhomedir-security-misc` -Disables TCP Time Stamps: +### SUID / SGID removal and permission hardening -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. +A systemd service removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. It is disabled by +default for now during testing and can optionally be enabled by running +`systemctl enable permission-hardening.service` as root. -Hence, this package disables this feature by shipping the -`/etc/sysctl.d/30_security-misc.conf` configuration file. +See: -Note that TCP time stamps normally have some usefulness. 
They are -needed for: +* `/usr/lib/security-misc/permission-hardening` +* `/lib/systemd/system/permission-hardening.service` +* `/etc/permission-hardening.d` +* https://forums.whonix.org/t/disable-suid-binaries/7706 -* the TCP protection against wrapped sequence numbers; however, to -trigger a wrap, one needs to send roughly 2^32 packets in one -minute: as said in RFC 1700, "The current recommended default -time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". -So, this probably won't be a practical problem in the context -of Anonymity Distributions. -* "Round-Trip Time Measurement", which is only useful when the user -manages to saturate their connection. When using Anonymity Distributions, -probably the limiting factor for transmission speed is rarely the capacity -of the user connection. +### Access rights relaxations -Application specific hardening: +Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is +incompatible with `hidepid=2`. -* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` +See: + +* `/usr/bin/pkexec.security-misc` +* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 +* https://forums.whonix.org/t/cannot-use-pkexec/8129 + +## Application-specific hardening + +* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`. * Deactivates previews in Dolphin. -* Deactivates previews in Nautilus. -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` +* Deactivates previews in Nautilus — +`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. * Deactivates thumbnails in Thunar. -* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird -to make phishing attacks more difficult. Fixing URL not showing real Domain -Name (Homograph attack). +* Displays domain names in punycode (`network.IDN_show_punycode`) in +Thunderbird to prevent IDN homograph attacks (a form of phishing). 
* Security and privacy enhancements for gnupg's config file `/etc/skel/.gnupg/gpg.conf`. See also: + https://raw.github.com/ioerror/torbirdy/master/gpg.conf + https://github.com/ioerror/torbirdy/pull/11 -Want more? Look into these: +## Opt-in hardening + +Some hardening is opt-in as it causes too much breakage to be enabled by +default. + +* TCP SACK can be disabled as it is commonly exploited and is rarely used by +uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf` +configuration file. + +* An optional systemd service mounts `/proc` with `hidepid=2` at boot to +prevent users from seeing another user's processes. This is disabled by +default because it is incompatible with `pkexec`. It can be enabled by +executing `systemctl enable proc-hidepid.service` as root. + +* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and +`/sys` to the root user. This hides a lot of hardware identifiers from +unprivileged users and increases security as `/sys` exposes a lot of +information that shouldn't be accessible to unprivileged users. As this will +break many things, it is disabled by default and can optionally be enabled by +executing `systemctl enable hide-hardware-info.service` as root. + +## Related * Linux Kernel Runtime Guard (LKRG) * tirdad - TCP ISN CPU Information Leak Protection. * Whonix ™ - Anonymous Operating System * Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution -* SecBrowser ™ - A Security-hardened, Non-anonymous Browser * And more. * https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG * https://github.com/Whonix/tirdad * https://www.whonix.org * https://www.whonix.org/wiki/Kicksecure -* https://www.whonix.org/wiki/SecBrowser * https://github.com/Whonix -Discussion: +## Discussion Happening primarily in Whonix forums. 
+ https://forums.whonix.org/t/kernel-hardening/7296 -## How to install `security-misc` ## + +## How to install `security-misc` See https://www.whonix.org/wiki/Security-misc#install -## How to Build deb Package from Source Code ## +## How to Build deb Package from Source Code Can be build using standard Debian package build tools such as: @@ -349,11 +414,11 @@ See instructions. (Replace `generic-package` with the actual name of this packag * **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ * **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) -## Contact ## +## Contact * [Free Forum Support](https://forums.whonix.org) * [Professional Support](https://www.whonix.org/wiki/Professional_Support) -## Donate ## +## Donate `security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! From b5cee63999a7277b32f3850a5d8821c73ed05933 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Jan 2021 03:19:31 -0500 Subject: [PATCH 0379/1650] new file: README_generic.md --- README_generic.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 README_generic.md diff --git a/README_generic.md b/README_generic.md new file mode 100644 index 0000000..e69de29 From 468d8b600dda7cce87bbdf972244ef2f610935d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Jan 2021 03:20:58 -0500 Subject: [PATCH 0380/1650] readme --- README_generic.md | 392 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 392 insertions(+) diff --git a/README_generic.md b/README_generic.md index e69de29..58e54fd 100644 --- a/README_generic.md +++ b/README_generic.md 
@@ -0,0 +1,392 @@
+# enhances misc security settings #
+
+Inspired by Kernel Self Protection Project (KSPP)
+
+* Implements most if not all recommended Linux kernel settings (sysctl) and
+kernel parameters by KSPP.
+
+* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
+
+kernel hardening:
+
+* deactivates Netfilter's connection tracking helper
+Netfilter's connection tracking helper module increases kernel attack
+surface by enabling superfluous functionality such as IRC parsing in
+the kernel. (!) Hence, this package disables this feature by shipping the
+`/etc/modprobe.d/30_security-misc.conf` configuration file.
+
+* Kernel symbols in various files in `/proc` are hidden as they can be
+very useful for kernel exploits.
+
+* Kexec is disabled as it can be used to load a malicious kernel.
+`/etc/modprobe.d/30_security-misc.conf`
+
+* ASLR effectiveness for mmap is increased.
+
+* The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
+ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
+ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood
+attacks, enabling RFC1337 to protect against time-wait assassination
+attacks and enabling reverse path filtering to prevent IP spoofing and
+mitigate vulnerabilities such as CVE-2019-14899.
+
+* Avoids unintentional writes to attacker-controlled files.
+
+* Prevents symlink/hardlink TOCTOU races.
+
+* SACK can be disabled as it is commonly exploited and is rarely used by
+uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`.
+
+* Slab merging is disabled as sometimes a slab can be used in a vulnerable
+way which an attacker can exploit.
+
+* Sanity checks and redzoning are enabled.
+
+* Memory zeroing at allocation and free time is enabled.
+
+* The machine check tolerance level is decreased which makes the kernel panic
+on uncorrectable errors in ECC memory that could be exploited.
+
+* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
+KASLR effectiveness.
+
+* Enables all mitigations for CPU vulnerabilities and disables SMT.
+
+* A systemd service clears System.map on boot as these contain kernel symbols
+that could be useful to an attacker.
+`/etc/kernel/postinst.d/30_remove-system-map`
+`/lib/systemd/system/remove-system-map.service`
+`/usr/lib/security-misc/remove-system.map`
+
+* Coredumps are disabled as they may contain important information such as
+encryption keys or passwords.
+`/etc/security/limits.d/30_security-misc.conf`
+`/etc/sysctl.d/30_security-misc.conf`
+`/lib/systemd/coredump.conf.d/30_security-misc.conf`
+
+* The thunderbolt and firewire kernel modules are blacklisted as they can be
+used for DMA (Direct Memory Access) attacks.
+
+* IOMMU is enabled with a boot parameter to prevent DMA attacks.
+
+* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
+a history of security concerns.
+https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+`/etc/modprobe.d/30_security-misc.conf`
+
+* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
+`/sys` to the root user only. This hides a lot of hardware identifiers from
+unprivileged users and increases security as `/sys` exposes a lot of
+information that shouldn't be accessible to unprivileged users. As this will
+break many things, it is disabled by default and can optionally be enabled by
+running `systemctl enable hide-hardware-info.service` as root.
+`/usr/lib/security-misc/hide-hardware-info`
+`/lib/systemd/system/hide-hardware-info.service`
+`/lib/systemd/system/user@.service.d/sysfs.conf`
+`/etc/hide-hardware-info.d/30_default.conf`
+
+* The MSR kernel module is blacklisted to prevent CPU MSRs from being
+abused to write to arbitrary memory.
+
+* Vsyscalls are disabled as they are obsolete, are at fixed addresses and are
+a target for ROP.
+
+* Page allocator freelist randomization is enabled.
+
+* The vivid kernel module is blacklisted as it's only required for testing
+and has been the cause of multiple vulnerabilities.
+
+* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
+`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
+as early as possible.
+
+* The kernel panics on oopses to prevent it from continuing to run a flawed
+process and to deter brute forcing.
+
+* Restricts the SysRq key so it can only be used for shutdowns and the
+Secure Attention Key.
+
+* Restricts loading line disciplines to `CAP_SYS_MODULE`.
+
+* Restricts the `userfaultfd()` syscall to root.
+
+* Access to debugfs is restricted as it can contain a lot of sensitive
+information.
+
+Improve Entropy Collection
+
+* Load `jitterentropy_rng` kernel module.
+`/usr/lib/modules-load.d/30_security-misc.conf`
+
+* Distrusts the CPU for initial entropy at boot as it is not possible to
+audit, may contain weaknesses or a backdoor.
+* https://en.wikipedia.org/wiki/RDRAND#Reception
+* https://twitter.com/pid_eins/status/1149649806056280069
+* For more references, see:
+* `/etc/default/grub.d/40_distrust_cpu.cfg`
+
+* Gathers more entropy during boot if using the linux-hardened kernel patch.
+
+Uncommon network protocols are blacklisted:
+These are rarely used and may have unknown vulnerabilities.
+`/etc/modprobe.d/30_security-misc.conf`
+The network protocols that are blacklisted are:
+
+* DCCP - Datagram Congestion Control Protocol
+* SCTP - Stream Control Transmission Protocol
+* RDS - Reliable Datagram Sockets
+* TIPC - Transparent Inter-process Communication
+* HDLC - High-Level Data Link Control
+* AX25 - Amateur X.25
+* NetRom
+* X25
+* ROSE
+* DECnet
+* Econet
+* af_802154 - IEEE 802.15.4
+* IPX - Internetwork Packet Exchange
+* AppleTalk
+* PSNAP - Subnetwork Access Protocol
+* p8023 - Novell raw IEEE 802.3
+* p8022 - IEEE 802.2
+
+user restrictions:
+
+* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
+(default) and `noexec` (opt-in). To disable this, run
+`sudo touch /etc/remount-disable`. To opt-in `noexec`, run
+`sudo touch /etc/noexec` and reboot (easiest).
+Alternatively file `/usr/local/etc/remount-disable` or file
+`/usr/local/etc/noexec` could be used.
+`/lib/systemd/system/remount-secure.service`
+`/usr/lib/security-misc/remount-secure`
+
+* An optional systemd service mounts `/proc` with `hidepid=2` at boot to
+prevent users from seeing each other's processes. Not enabled because not
+compatible with pkexec.
+
+* The kernel logs are restricted to root only.
+
+* The BPF JIT compiler is restricted to the root user and is hardened.
+
+* The ptrace system call is restricted to the root user only.
+
+restricts access to the root account:
+
+* `su` is restricted to only users within the group `sudo` which prevents
+users from using `su` to gain root access or to switch user accounts.
+`/usr/share/pam-configs/wheel-security-misc`
+(Which results in a change in file `/etc/pam.d/common-auth`.)
+
+* Add user `root` to group `sudo`. This is required to make above work so
+login as a user in a virtual console is still possible.
+`debian/security-misc.postinst`
+
+* Abort login for users with locked passwords.
+`/usr/lib/security-misc/pam-abort-on-locked-password`
+
+* Logging into the root account from a virtual, serial, whatnot console is
+prevented by shipping an existing and empty `/etc/securetty`.
+(Deletion of `/etc/securetty` has a different effect.)
+`/etc/securetty.security-misc`
+
+* Console Lockdown.
+Allow members of group 'console' to use console.
+Everyone else except members of group
+'console-unrestricted' are restricted from using console using ancient,
+unpopular login methods such as using `/bin/login` over networks, which might
+be exploitable. (CVE-2001-0797) Using pam_access.
+Not enabled by default in this package since this package does not know which
+users shall be added to group 'console' and would break console.
+`/usr/share/pam-configs/console-lockdown-security-misc`
+`/etc/security/access-security-misc.conf`
+
+Protect Linux user accounts against brute force attacks.
+Lock user accounts after 50 failed login attempts using `pam_tally2`.
+`/usr/share/pam-configs/tally2-security-misc`
+
+informational output during Linux PAM:
+
+* Show failed and remaining password attempts.
+* Document unlock procedure if Linux user account got locked.
+* Point out, that there is no password feedback for `su`.
+* Explain locked (root) account if locked.
+* `/usr/share/pam-configs/tally2-security-misc`
+* `/usr/lib/security-misc/pam_tally2-info`
+* `/usr/lib/security-misc/pam-abort-on-locked-password`
+
+access rights restrictions:
+
+* Strong Linux User Account Separation.
+Removes read, write and execute access for others for all users who have
+home folders under folder `/home` by running for example
+"chmod o-rwx /home/user"
+during package installation, upgrade or pam `mkhomedir`. This will be done
+only once per folder in folder `/home` so users who wish to relax file
+permissions are free to
+do so.
+This is to protect previously created files in user home folder which
+were previously created with lax file permissions prior installation of this
+package.
+`debian/security-misc.postinst`
+`/usr/lib/security-misc/permission-lockdown`
+`/usr/share/pam-configs/mkhomedir-security-misc`
+
+* SUID / GUID removal and permission hardening.
+A systemd service removed SUID / GUID from non-essential binaries as these are
+often used in privilege escalation attacks.
+It is disabled by default for now during testing and can optionally be enabled
+by running `systemctl enable permission-hardening.service` as root.
+https://forums.whonix.org/t/disable-suid-binaries/7706
+`/usr/lib/security-misc/permission-hardening`
+`/lib/systemd/system/permission-hardening.service`
+`/etc/permission-hardening.d/30_default.conf`
+
+access rights relaxations:
+
+Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible
+with `hidepid`.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
+https://forums.whonix.org/t/cannot-use-pkexec/8129
+`/usr/bin/pkexec.security-misc`
+
+This package does (not yet) automatically lock the root account password.
+It is not clear that would be sane in such a package.
+It is recommended to lock and expire the root account.
+In new Whonix builds, root account will be locked by package
+dist-base-files.
+https://www.whonix.org/wiki/Root
+https://www.whonix.org/wiki/Dev/Permissions
+https://forums.whonix.org/t/restrict-root-access/7658
+However, a locked root password will break rescue and emergency shell.
+Therefore this package enables passwordless rescue and emergency shell.
+This is the same solution that Debian will likely adapt for Debian
+installer.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
+Adverse security effects can be prevented by setting up BIOS password
+protection, grub password protection and/or full disk encryption.
+`/etc/systemd/system/emergency.service.d/override.conf`
+`/etc/systemd/system/rescue.service.d/override.conf`
+
+Let the kernel only swap if it is absolutely necessary.
+`/etc/sysctl.d/30_security-misc.conf`
+
+Disables TCP Time Stamps:
+
+TCP time stamps (RFC 1323) allow for tracking clock
+information with millisecond resolution. This may or may not allow an
+attacker to learn information about the system clock at such
+a resolution, depending on various issues such as network lag.
+This information is available to anyone who monitors the network
+somewhere between the attacked system and the destination server.
+It may allow an attacker to find out how long a given
+system has been running, and to distinguish several
+systems running behind NAT and using the same IP address. It might
+also allow one to look for clocks that match an expected value to find the
+public IP used by a user.
+
+Hence, this package disables this feature by shipping the
+`/etc/sysctl.d/30_security-misc.conf` configuration file.
+
+Note that TCP time stamps normally have some usefulness. They are
+needed for:
+
+* the TCP protection against wrapped sequence numbers; however, to
+trigger a wrap, one needs to send roughly 2^32 packets in one
+minute: as said in RFC 1700, "The current recommended default
+time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
+So, this probably won't be a practical problem in the context
+of Anonymity Distributions.
+* "Round-Trip Time Measurement", which is only useful when the user
+manages to saturate their connection. When using Anonymity Distributions,
+probably the limiting factor for transmission speed is rarely the capacity
+of the user connection.
+
+Application specific hardening:
+
+* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
+* Deactivates previews in Dolphin.
+* Deactivates previews in Nautilus.
+`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
+* Deactivates thumbnails in Thunar.
+* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
+to make phishing attacks more difficult. Fixing URL not showing real Domain
+Name (Homograph attack).
+* Security and privacy enhancements for gnupg's config file
+`/etc/skel/.gnupg/gpg.conf`. See also:
+https://raw.github.com/ioerror/torbirdy/master/gpg.conf
+https://github.com/ioerror/torbirdy/pull/11
+
+Want more? Look into these:
+
+* Linux Kernel Runtime Guard (LKRG)
+* tirdad - TCP ISN CPU Information Leak Protection.
+* Whonix ™ - Anonymous Operating System
+* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution
+* SecBrowser ™ - A Security-hardened, Non-anonymous Browser
+* And more.
+* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG
+* https://github.com/Whonix/tirdad
+* https://www.whonix.org
+* https://www.whonix.org/wiki/Kicksecure
+* https://www.whonix.org/wiki/SecBrowser
+* https://github.com/Whonix
+
+Discussion:
+
+Happening primarily in Whonix forums.
+https://forums.whonix.org/t/kernel-hardening/7296
+## How to install `security-misc` using apt-get ##
+
+1\. Download Whonix's Signing Key.
+
+```
+wget https://www.whonix.org/patrick.asc
+```
+
+Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
+
+2\. Add Whonix's signing key.
+
+```
+sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
+```
+
+3\. Add Whonix's APT repository.
+
+```
+echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
+```
+
+4\. Update your package lists.
+
+```
+sudo apt-get update
+```
+
+5\. Install `security-misc`.
+
+```
+sudo apt-get install security-misc
+```
+
+## How to Build deb Package from Source Code ##
+
+Can be build using standard Debian package build tools such as:
+
+```
+dpkg-buildpackage -b
+```
+
+See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.)
+ +* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) + +## Contact ## + +* [Free Forum Support](https://forums.whonix.org) +* [Professional Support](https://www.whonix.org/wiki/Professional_Support) + +## Donate ## + +`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! From ddd62c1eef031c2befc626acbe4d48d8cdbea1d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Jan 2021 03:24:11 -0500 Subject: [PATCH 0381/1650] readme --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index d1adc3a..9ab625e 100644 --- a/README.md +++ b/README.md @@ -205,6 +205,10 @@ audit, may contain weaknesses or a backdoor. For references, see: ## Restrictive mount options +Not enabled by default yet. In development. Help welcome. + +https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ + `/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` mount options to prevent execution of setuid or setgid binaries and creation of devices on those filesystems. @@ -318,6 +322,8 @@ See: ### SUID / SGID removal and permission hardening +Not enabled by default yet. + A systemd service removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running 
@@ -329,9 +335,12 @@ See: * `/lib/systemd/system/permission-hardening.service` * `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 +* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener ### Access rights relaxations +This is not enabled yet because hidepid is not enabled by default. + Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is incompatible with `hidepid=2`. From 0e8ea5eb727d609d70e8f639dde62583a3ff47f3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Jan 2021 02:36:49 -0500 Subject: [PATCH 0382/1650] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9f9816c..d547350 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,49 @@ +commit ddd62c1eef031c2befc626acbe4d48d8cdbea1d0 +Author: Patrick Schleizer +Date: Tue Jan 12 03:24:11 2021 -0500 + + readme + +commit 468d8b600dda7cce87bbdf972244ef2f610935d5 +Author: Patrick Schleizer +Date: Tue Jan 12 03:20:58 2021 -0500 + + readme + +commit b5cee63999a7277b32f3850a5d8821c73ed05933 +Author: Patrick Schleizer +Date: Tue Jan 12 03:19:31 2021 -0500 + + new file: README_generic.md + +commit 94627f0875e69c9314faab8b0dc2dbe22af5c88f +Merge: 353e74f 79876f7 +Author: Patrick Schleizer +Date: Tue Jan 12 03:18:41 2021 -0500 + + Merge remote-tracking branch 'github/master' + +commit 79876f7b1261006885a713dbfda97609c8e81f3f +Merge: 353e74f 3066b5a +Author: Patrick Schleizer +Date: Tue Jan 12 08:17:04 2021 +0000 + + Merge pull request #99 from madaidan/docs + + Overhaul documentation + +commit 3066b5ad972f16069361999afbca0978986db862 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Tue Jan 12 02:17:13 2021 +0000 + + Overhaul documentation + +commit 353e74fb5f0c150b9de3554b88619480c338ef59 +Author: Patrick Schleizer +Date: Tue Jan 5 08:30:37 2021 -0500 + + bumped changelog version + commit a258f35f385aff7b6fef71e23b94c4681e52bed2 Author: Patrick Schleizer Date: Tue Jan 5 02:11:08 2021 -0500 diff --git a/debian/changelog b/debian/changelog index f82d639..6b1f300 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:19.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Jan 2021 07:36:49 +0000 + security-misc (3:19.8-1) unstable; urgency=medium * New upstream version (local package). From 611fbe2c619d9b5fab748faf2b0f59274a914187 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 18 Jan 2021 05:39:34 -0500 Subject: [PATCH 0383/1650] description --- debian/control | 333 +------------------------------------------------ 1 file changed, 3 insertions(+), 330 deletions(-) 
diff --git a/debian/control b/debian/control
index 3480c39..b86201e 100644
--- a/debian/control
+++ b/debian/control
@@ -16,337 +16,10 @@ Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest -Description: enhances misc security settings - Inspired by Kernel Self Protection Project (KSPP) +Description: Enhances Miscellaneous Security Settings + https://github.com/Whonix/security-misc/blob/master/README.md . - * Implements most if not all recommended Linux kernel settings (sysctl) and - kernel parameters by KSPP. - . - * https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - . - kernel hardening: - . - * deactivates Netfilter's connection tracking helper - Netfilter's connection tracking helper module increases kernel attack - surface by enabling superfluous functionality such as IRC parsing in - the kernel. (!) Hence, this package disables this feature by shipping the - `/etc/modprobe.d/30_security-misc.conf` configuration file. - . - * Kernel symbols in various files in `/proc` are hidden as they can be - very useful for kernel exploits. - . - * Kexec is disabled as it can be used to load a malicious kernel. - `/etc/modprobe.d/30_security-misc.conf` - . - * ASLR effectiveness for mmap is increased. - . - * The TCP/IP stack is hardened by disabling ICMP redirect acceptance, - ICMP redirect sending and source routing to prevent man-in-the-middle attacks, - ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood - attacks, enabling RFC1337 to protect against time-wait assassination - attacks and enabling reverse path filtering to prevent IP spoofing and - mitigate vulnerabilities such as CVE-2019-14899. - . - * Avoids unintentional writes to attacker-controlled files. - . - * Prevents symlink/hardlink TOCTOU races. - . - * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. - . 
- * Slab merging is disabled as sometimes a slab can be used in a vulnerable - way which an attacker can exploit. - . - * Sanity checks and redzoning are enabled. - . - * Memory zeroing at allocation and free time is enabled. - . - * The machine check tolerance level is decreased which makes the kernel panic - on uncorrectable errors in ECC memory that could be exploited. - . - * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - KASLR effectiveness. - . - * Enables all mitigations for CPU vulnerabilities and disables SMT. - . - * A systemd service clears System.map on boot as these contain kernel symbols - that could be useful to an attacker. - `/etc/kernel/postinst.d/30_remove-system-map` - `/lib/systemd/system/remove-system-map.service` - `/usr/lib/security-misc/remove-system.map` - . - * Coredumps are disabled as they may contain important information such as - encryption keys or passwords. - `/etc/security/limits.d/30_security-misc.conf` - `/etc/sysctl.d/30_security-misc.conf` - `/lib/systemd/coredump.conf.d/30_security-misc.conf` - . - * The thunderbolt and firewire kernel modules are blacklisted as they can be - used for DMA (Direct Memory Access) attacks. - . - * IOMMU is enabled with a boot parameter to prevent DMA attacks. - . - * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has - a history of security concerns. - https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns - `/etc/modprobe.d/30_security-misc.conf` - . - * A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and - `/sys` to the root user only. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled by - running `systemctl enable hide-hardware-info.service` as root. 
- `/usr/lib/security-misc/hide-hardware-info` - `/lib/systemd/system/hide-hardware-info.service` - `/lib/systemd/system/user@.service.d/sysfs.conf` - `/etc/hide-hardware-info.d/30_default.conf` - . - * The MSR kernel module is blacklisted to prevent CPU MSRs from being - abused to write to arbitrary memory. - . - * Vsyscalls are disabled as they are obsolete, are at fixed addresses and are - a target for ROP. - . - * Page allocator freelist randomization is enabled. - . - * The vivid kernel module is blacklisted as it's only required for testing - and has been the cause of multiple vulnerabilities. - . - * An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled - as early as possible. - . - * The kernel panics on oopses to prevent it from continuing to run a flawed - process and to deter brute forcing. - . - * Restricts the SysRq key so it can only be used for shutdowns and the - Secure Attention Key. - . - * Restricts loading line disciplines to `CAP_SYS_MODULE`. - . - * Restricts the `userfaultfd()` syscall to root. - . - * Access to debugfs is restricted as it can contain a lot of sensitive - information. - . - Improve Entropy Collection - . - * Load `jitterentropy_rng` kernel module. - `/usr/lib/modules-load.d/30_security-misc.conf` - . - * Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. - * https://en.wikipedia.org/wiki/RDRAND#Reception - * https://twitter.com/pid_eins/status/1149649806056280069 - * For more references, see: - * `/etc/default/grub.d/40_distrust_cpu.cfg` - . - * Gathers more entropy during boot if using the linux-hardened kernel patch. - . - Uncommon network protocols are blacklisted: - These are rarely used and may have unknown vulnerabilities. - `/etc/modprobe.d/30_security-misc.conf` - The network protocols that are blacklisted are: - . 
- * DCCP - Datagram Congestion Control Protocol - * SCTP - Stream Control Transmission Protocol - * RDS - Reliable Datagram Sockets - * TIPC - Transparent Inter-process Communication - * HDLC - High-Level Data Link Control - * AX25 - Amateur X.25 - * NetRom - * X25 - * ROSE - * DECnet - * Econet - * af_802154 - IEEE 802.15.4 - * IPX - Internetwork Packet Exchange - * AppleTalk - * PSNAP - Subnetwork Access Protocol - * p8023 - Novell raw IEEE 802.3 - * p8022 - IEEE 802.2 - . - user restrictions: - . - * remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` - (default) and `noexec` (opt-in). To disable this, run - `sudo touch /etc/remount-disable`. To opt-in `noexec`, run - `sudo touch /etc/noexec` and reboot (easiest). - Alternatively file `/usr/local/etc/remount-disable` or file - `/usr/local/etc/noexec` could be used. - `/lib/systemd/system/remount-secure.service` - `/usr/lib/security-misc/remount-secure` - . - * An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing each other's processes. Not enabled because not - compatible with pkexec. - . - * The kernel logs are restricted to root only. - . - * The BPF JIT compiler is restricted to the root user and is hardened. - . - * The ptrace system call is restricted to the root user only. - . - restricts access to the root account: - . - * `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts. - `/usr/share/pam-configs/wheel-security-misc` - (Which results in a change in file `/etc/pam.d/common-auth`.) - . - * Add user `root` to group `sudo`. This is required to make above work so - login as a user in a virtual console is still possible. - `debian/security-misc.postinst` - . - * Abort login for users with locked passwords. - `/usr/lib/security-misc/pam-abort-on-locked-password` - . 
- * Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty `/etc/securetty`. - (Deletion of `/etc/securetty` has a different effect.) - `/etc/securetty.security-misc` - . - * Console Lockdown. - Allow members of group 'console' to use console. - Everyone else except members of group - 'console-unrestricted' are restricted from using console using ancient, - unpopular login methods such as using `/bin/login` over networks, which might - be exploitable. (CVE-2001-0797) Using pam_access. - Not enabled by default in this package since this package does not know which - users shall be added to group 'console' and would break console. - `/usr/share/pam-configs/console-lockdown-security-misc` - `/etc/security/access-security-misc.conf` - . - Protect Linux user accounts against brute force attacks. - Lock user accounts after 50 failed login attempts using `pam_tally2`. - `/usr/share/pam-configs/tally2-security-misc` - . - informational output during Linux PAM: - . - * Show failed and remaining password attempts. - * Document unlock procedure if Linux user account got locked. - * Point out, that there is no password feedback for `su`. - * Explain locked (root) account if locked. - * `/usr/share/pam-configs/tally2-security-misc` - * `/usr/lib/security-misc/pam_tally2-info` - * `/usr/lib/security-misc/pam-abort-on-locked-password` - . - access rights restrictions: - . - * Strong Linux User Account Separation. - Removes read, write and execute access for others for all users who have - home folders under folder `/home` by running for example - "chmod o-rwx /home/user" - during package installation, upgrade or pam `mkhomedir`. This will be done - only once per folder in folder `/home` so users who wish to relax file - permissions are free to - do so. This is to protect previously created files in user home folder which - were previously created with lax file permissions prior installation of this - package. 
- `debian/security-misc.postinst` - `/usr/lib/security-misc/permission-lockdown` - `/usr/share/pam-configs/mkhomedir-security-misc` - . - * SUID / GUID removal and permission hardening. - A systemd service removed SUID / GUID from non-essential binaries as these are - often used in privilege escalation attacks. - It is disabled by default for now during testing and can optionally be enabled - by running `systemctl enable permission-hardening.service` as root. - https://forums.whonix.org/t/disable-suid-binaries/7706 - `/usr/lib/security-misc/permission-hardening` - `/lib/systemd/system/permission-hardening.service` - `/etc/permission-hardening.d/30_default.conf` - . - access rights relaxations: - . - Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible - with `hidepid`. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - https://forums.whonix.org/t/cannot-use-pkexec/8129 - `/usr/bin/pkexec.security-misc` - . - This package does (not yet) automatically lock the root account password. - It is not clear that would be sane in such a package. - It is recommended to lock and expire the root account. - In new Whonix builds, root account will be locked by package - dist-base-files. - https://www.whonix.org/wiki/Root - https://www.whonix.org/wiki/Dev/Permissions - https://forums.whonix.org/t/restrict-root-access/7658 - However, a locked root password will break rescue and emergency shell. - Therefore this package enables passwordless rescue and emergency shell. - This is the same solution that Debian will likely adapt for Debian - installer. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 - Adverse security effects can be prevented by setting up BIOS password - protection, grub password protection and/or full disk encryption. - `/etc/systemd/system/emergency.service.d/override.conf` - `/etc/systemd/system/rescue.service.d/override.conf` - . - Let the kernel only swap if it is absolutely necessary. 
- `/etc/sysctl.d/30_security-misc.conf` - . - Disables TCP Time Stamps: - . - TCP time stamps (RFC 1323) allow for tracking clock - information with millisecond resolution. This may or may not allow an - attacker to learn information about the system clock at such - a resolution, depending on various issues such as network lag. - This information is available to anyone who monitors the network - somewhere between the attacked system and the destination server. - It may allow an attacker to find out how long a given - system has been running, and to distinguish several - systems running behind NAT and using the same IP address. It might - also allow one to look for clocks that match an expected value to find the - public IP used by a user. - . - Hence, this package disables this feature by shipping the - `/etc/sysctl.d/30_security-misc.conf` configuration file. - . - Note that TCP time stamps normally have some usefulness. They are - needed for: - . - * the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - * "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - . - Application specific hardening: - . - * Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` - * Deactivates previews in Dolphin. - * Deactivates previews in Nautilus. - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` - * Deactivates thumbnails in Thunar. - * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird - to make phishing attacks more difficult. 
Fixing URL not showing real Domain - Name (Homograph attack). - * Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. See also: - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - https://github.com/ioerror/torbirdy/pull/11 - . - Want more? Look into these: - . - * Linux Kernel Runtime Guard (LKRG) - * tirdad - TCP ISN CPU Information Leak Protection. - * Whonix ™ - Anonymous Operating System - * Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution - * SecBrowser ™ - A Security-hardened, Non-anonymous Browser - * And more. - * https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG - * https://github.com/Whonix/tirdad - * https://www.whonix.org - * https://www.whonix.org/wiki/Kicksecure - * https://www.whonix.org/wiki/SecBrowser - * https://github.com/Whonix + https://www.whonix.org/wiki/Security-misc . Discussion: . From 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 19 Jan 2021 19:41:42 -0500 Subject: [PATCH 0384/1650] readme --- README_generic.md | 333 +--------------------------------------------- 1 file changed, 3 insertions(+), 330 deletions(-) diff --git a/README_generic.md b/README_generic.md index 58e54fd..b046222 100644 --- a/README_generic.md +++ b/README_generic.md 
@@ -1,335 +1,8 @@ -# enhances misc security settings # +# Enhances Miscellaneous Security Settings # -Inspired by Kernel Self Protection Project (KSPP) +https://github.com/Whonix/security-misc/blob/master/README.md -* Implements most if not all recommended Linux kernel settings (sysctl) and -kernel parameters by KSPP. - -* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - -kernel hardening: - -* deactivates Netfilter's connection tracking helper -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) Hence, this package disables this feature by shipping the -`/etc/modprobe.d/30_security-misc.conf` configuration file. - -* Kernel symbols in various files in `/proc` are hidden as they can be -very useful for kernel exploits. - -* Kexec is disabled as it can be used to load a malicious kernel. -`/etc/modprobe.d/30_security-misc.conf` - -* ASLR effectiveness for mmap is increased. - -* The TCP/IP stack is hardened by disabling ICMP redirect acceptance, -ICMP redirect sending and source routing to prevent man-in-the-middle attacks, -ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood -attacks, enabling RFC1337 to protect against time-wait assassination -attacks and enabling reverse path filtering to prevent IP spoofing and -mitigate vulnerabilities such as CVE-2019-14899. - -* Avoids unintentional writes to attacker-controlled files. - -* Prevents symlink/hardlink TOCTOU races. - -* SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. - -* Slab merging is disabled as sometimes a slab can be used in a vulnerable -way which an attacker can exploit. - -* Sanity checks and redzoning are enabled. - -* Memory zeroing at allocation and free time is enabled. 
- -* The machine check tolerance level is decreased which makes the kernel panic -on uncorrectable errors in ECC memory that could be exploited. - -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. - -* Enables all mitigations for CPU vulnerabilities and disables SMT. - -* A systemd service clears System.map on boot as these contain kernel symbols -that could be useful to an attacker. -`/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` -`/usr/lib/security-misc/remove-system.map` - -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. -`/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` - -* The thunderbolt and firewire kernel modules are blacklisted as they can be -used for DMA (Direct Memory Access) attacks. - -* IOMMU is enabled with a boot parameter to prevent DMA attacks. - -* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has -a history of security concerns. -https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -`/etc/modprobe.d/30_security-misc.conf` - -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -running `systemctl enable hide-hardware-info.service` as root. -`/usr/lib/security-misc/hide-hardware-info` -`/lib/systemd/system/hide-hardware-info.service` -`/lib/systemd/system/user@.service.d/sysfs.conf` -`/etc/hide-hardware-info.d/30_default.conf` - -* The MSR kernel module is blacklisted to prevent CPU MSRs from being -abused to write to arbitrary memory. 
- -* Vsyscalls are disabled as they are obsolete, are at fixed addresses and are -a target for ROP. - -* Page allocator freelist randomization is enabled. - -* The vivid kernel module is blacklisted as it's only required for testing -and has been the cause of multiple vulnerabilities. - -* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and -`/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. - -* The kernel panics on oopses to prevent it from continuing to run a flawed -process and to deter brute forcing. - -* Restricts the SysRq key so it can only be used for shutdowns and the -Secure Attention Key. - -* Restricts loading line disciplines to `CAP_SYS_MODULE`. - -* Restricts the `userfaultfd()` syscall to root. - -* Access to debugfs is restricted as it can contain a lot of sensitive -information. - -Improve Entropy Collection - -* Load `jitterentropy_rng` kernel module. -`/usr/lib/modules-load.d/30_security-misc.conf` - -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. -* https://en.wikipedia.org/wiki/RDRAND#Reception -* https://twitter.com/pid_eins/status/1149649806056280069 -* For more references, see: -* `/etc/default/grub.d/40_distrust_cpu.cfg` - -* Gathers more entropy during boot if using the linux-hardened kernel patch. - -Uncommon network protocols are blacklisted: -These are rarely used and may have unknown vulnerabilities. 
-`/etc/modprobe.d/30_security-misc.conf` -The network protocols that are blacklisted are: - -* DCCP - Datagram Congestion Control Protocol -* SCTP - Stream Control Transmission Protocol -* RDS - Reliable Datagram Sockets -* TIPC - Transparent Inter-process Communication -* HDLC - High-Level Data Link Control -* AX25 - Amateur X.25 -* NetRom -* X25 -* ROSE -* DECnet -* Econet -* af_802154 - IEEE 802.15.4 -* IPX - Internetwork Packet Exchange -* AppleTalk -* PSNAP - Subnetwork Access Protocol -* p8023 - Novell raw IEEE 802.3 -* p8022 - IEEE 802.2 - -user restrictions: - -* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` -(default) and `noexec` (opt-in). To disable this, run -`sudo touch /etc/remount-disable`. To opt-in `noexec`, run -`sudo touch /etc/noexec` and reboot (easiest). -Alternatively file `/usr/local/etc/remount-disable` or file -`/usr/local/etc/noexec` could be used. -`/lib/systemd/system/remount-secure.service` -`/usr/lib/security-misc/remount-secure` - -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing each other's processes. Not enabled because not -compatible with pkexec. - -* The kernel logs are restricted to root only. - -* The BPF JIT compiler is restricted to the root user and is hardened. - -* The ptrace system call is restricted to the root user only. - -restricts access to the root account: - -* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts. -`/usr/share/pam-configs/wheel-security-misc` -(Which results in a change in file `/etc/pam.d/common-auth`.) - -* Add user `root` to group `sudo`. This is required to make above work so -login as a user in a virtual console is still possible. -`debian/security-misc.postinst` - -* Abort login for users with locked passwords. 
-`/usr/lib/security-misc/pam-abort-on-locked-password` - -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty`. -(Deletion of `/etc/securetty` has a different effect.) -`/etc/securetty.security-misc` - -* Console Lockdown. -Allow members of group 'console' to use console. -Everyone else except members of group -'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using `/bin/login` over networks, which might -be exploitable. (CVE-2001-0797) Using pam_access. -Not enabled by default in this package since this package does not know which -users shall be added to group 'console' and would break console. -`/usr/share/pam-configs/console-lockdown-security-misc` -`/etc/security/access-security-misc.conf` - -Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using `pam_tally2`. -`/usr/share/pam-configs/tally2-security-misc` - -informational output during Linux PAM: - -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out, that there is no password feedback for `su`. -* Explain locked (root) account if locked. -* `/usr/share/pam-configs/tally2-security-misc` -* `/usr/lib/security-misc/pam_tally2-info` -* `/usr/lib/security-misc/pam-abort-on-locked-password` - -access rights restrictions: - -* Strong Linux User Account Separation. -Removes read, write and execute access for others for all users who have -home folders under folder `/home` by running for example -"chmod o-rwx /home/user" -during package installation, upgrade or pam `mkhomedir`. This will be done -only once per folder in folder `/home` so users who wish to relax file -permissions are free to -do so. 
This is to protect previously created files in user home folder which -were previously created with lax file permissions prior installation of this -package. -`debian/security-misc.postinst` -`/usr/lib/security-misc/permission-lockdown` -`/usr/share/pam-configs/mkhomedir-security-misc` - -* SUID / GUID removal and permission hardening. -A systemd service removed SUID / GUID from non-essential binaries as these are -often used in privilege escalation attacks. -It is disabled by default for now during testing and can optionally be enabled -by running `systemctl enable permission-hardening.service` as root. -https://forums.whonix.org/t/disable-suid-binaries/7706 -`/usr/lib/security-misc/permission-hardening` -`/lib/systemd/system/permission-hardening.service` -`/etc/permission-hardening.d/30_default.conf` - -access rights relaxations: - -Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible -with `hidepid`. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -https://forums.whonix.org/t/cannot-use-pkexec/8129 -`/usr/bin/pkexec.security-misc` - -This package does (not yet) automatically lock the root account password. -It is not clear that would be sane in such a package. -It is recommended to lock and expire the root account. -In new Whonix builds, root account will be locked by package -dist-base-files. -https://www.whonix.org/wiki/Root -https://www.whonix.org/wiki/Dev/Permissions -https://forums.whonix.org/t/restrict-root-access/7658 -However, a locked root password will break rescue and emergency shell. -Therefore this package enables passwordless rescue and emergency shell. -This is the same solution that Debian will likely adapt for Debian -installer. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 -Adverse security effects can be prevented by setting up BIOS password -protection, grub password protection and/or full disk encryption. 
-`/etc/systemd/system/emergency.service.d/override.conf` -`/etc/systemd/system/rescue.service.d/override.conf` - -Let the kernel only swap if it is absolutely necessary. -`/etc/sysctl.d/30_security-misc.conf` - -Disables TCP Time Stamps: - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -`/etc/sysctl.d/30_security-misc.conf` configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to -trigger a wrap, one needs to send roughly 2^32 packets in one -minute: as said in RFC 1700, "The current recommended default -time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". -So, this probably won't be a practical problem in the context -of Anonymity Distributions. -* "Round-Trip Time Measurement", which is only useful when the user -manages to saturate their connection. When using Anonymity Distributions, -probably the limiting factor for transmission speed is rarely the capacity -of the user connection. - -Application specific hardening: - -* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus. -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` -* Deactivates thumbnails in Thunar. 
-* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird -to make phishing attacks more difficult. Fixing URL not showing real Domain -Name (Homograph attack). -* Security and privacy enhancements for gnupg's config file -`/etc/skel/.gnupg/gpg.conf`. See also: -https://raw.github.com/ioerror/torbirdy/master/gpg.conf -https://github.com/ioerror/torbirdy/pull/11 - -Want more? Look into these: - -* Linux Kernel Runtime Guard (LKRG) -* tirdad - TCP ISN CPU Information Leak Protection. -* Whonix ™ - Anonymous Operating System -* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution -* SecBrowser ™ - A Security-hardened, Non-anonymous Browser -* And more. -* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Whonix/tirdad -* https://www.whonix.org -* https://www.whonix.org/wiki/Kicksecure -* https://www.whonix.org/wiki/SecBrowser -* https://github.com/Whonix +https://www.whonix.org/wiki/Security-misc Discussion: From 126c31c37d17a55b0980dcae8c546aeed4282a99 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 19 Jan 2021 19:41:43 -0500 Subject: [PATCH 0385/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d547350..bafce9d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 +Author: Patrick Schleizer +Date: Tue Jan 19 19:41:42 2021 -0500 + + readme + +commit 611fbe2c619d9b5fab748faf2b0f59274a914187 +Author: Patrick Schleizer +Date: Mon Jan 18 05:39:34 2021 -0500 + + description + +commit 0e8ea5eb727d609d70e8f639dde62583a3ff47f3 +Author: Patrick Schleizer +Date: Thu Jan 14 02:36:49 2021 -0500 + + bumped changelog version + commit ddd62c1eef031c2befc626acbe4d48d8cdbea1d0 Author: Patrick Schleizer Date: Tue Jan 12 03:24:11 2021 -0500 
diff --git a/debian/changelog b/debian/changelog index 6b1f300..db11844 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 20 Jan 2021 00:41:43 +0000 + security-misc (3:19.9-1) unstable; urgency=medium * New upstream version (local package). From 6757104aa4d1e661b046e71f7bda511d73e83d61 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 24 Jan 2021 05:04:48 -0500 Subject: [PATCH 0386/1650] use pam_tally2 only for login to skip counting failed login attempts over ssh and mail login --- usr/share/pam-configs/tally2-security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 9638d26..6d8dd7e 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -4,6 +4,7 @@ Priority: 290 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug Account-Type: Primary Account: From 480f74cab6d79886fe29eeecc5b7ebc1f138f8dd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 24 Jan 2021 05:10:36 -0500 Subject: [PATCH 0387/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bafce9d..1190f49 100644 --- a/changelog.upstream +++ b/changelog.upstream 
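Review bot: The new rule invokes `/usr/lib/security-misc/pam_only_if_login`, but the diffstat lists only this profile, so the helper itself is not part of this commit. If that file is missing or not executable at runtime, pam_exec.so returns a failure, `default=ignore` discards it, and pam_tally2.so keeps running for every service exactly as before, so the intended change degrades silently rather than loudly; the same applies to the rewrite of this rule to `pam_tally2_not_if_x` in patch 0388. With `[success=1 default=ignore]` the helper has to exit zero precisely for the services that should skip the tally, i.e. presumably non-zero for `login` and zero for everything else, which is the opposite of what the name `pam_only_if_login` suggests, so the exit-status convention should be documented in the helper or reflected in its name. Note also that `quiet` only suppresses pam_exec.so's message about a non-zero exit; it does not alter the control-flow semantics of the rule.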
@@ -1,3 +1,17 @@ +commit 6757104aa4d1e661b046e71f7bda511d73e83d61 +Author: Patrick Schleizer +Date: Sun Jan 24 05:04:48 2021 -0500 + + use pam_tally2 only for login + + to skip counting failed login attempts over ssh and mail login + +commit 126c31c37d17a55b0980dcae8c546aeed4282a99 +Author: Patrick Schleizer +Date: Tue Jan 19 19:41:43 2021 -0500 + + bumped changelog version + commit 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 Author: Patrick Schleizer Date: Tue Jan 19 19:41:42 2021 -0500 diff --git a/debian/changelog b/debian/changelog index db11844..2648739 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 24 Jan 2021 10:10:36 +0000 + security-misc (3:20.0-1) unstable; urgency=medium * New upstream version (local package). From 9622f28e255a101ee7239e3ffd42d8d80637654a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 27 Jan 2021 05:49:34 -0500 Subject: [PATCH 0388/1650] skip counting failed login attempts from dovecot Failed dovecot logins should not result in account getting locked. revert "use pam_tally2 only for login" --- usr/lib/security-misc/pam_tally2_not_if_x | 38 ++++++++++++++++++++++ usr/share/pam-configs/tally2-security-misc | 2 +- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100755 usr/lib/security-misc/pam_tally2_not_if_x diff --git a/usr/lib/security-misc/pam_tally2_not_if_x b/usr/lib/security-misc/pam_tally2_not_if_x new file mode 100755 index 0000000..88e56f3 --- /dev/null +++ b/usr/lib/security-misc/pam_tally2_not_if_x 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+## PAM configuration notes
+##
+## success=$num
+## "will specify how many rules to skip when successful."
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+##
+## ignore
+## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains."
+## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
+
+## - Failed dovecot logins should not result in account getting locked.
+## - Failed SSH public key authentication attempts do not increase pam_tally2
+## counter for some reason.
+## This list can later be extended as needed.
+pam_service_exclusion_list="dovecot"
+
+for pam_service_exclusion_item in $pam_service_exclusion_list ; do
+ if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
+ ## exit success so [success=1 default=ignore] will result in skipping the
+ ## next PAM module (the pam_tally2 module).
+ exit 0
+ fi
+done
+
+## exit failure so [success=1 default=ignore] will result in running the
+## next PAM module (the pam_tally2 module).
+exit 1
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
index 6d8dd7e..0b23744 100644
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
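Review bot: `set -x` near the top of the new helper is a debugging leftover: the profile invokes it with `seteuid quiet` and no `stdout`/`log=` option, and as far as I recall pam_exec only redirects stdout, so the xtrace of every line (including the `true "PAM_SERVICE: ..."` probe) lands on the calling application's inherited stderr on every authentication, i.e. on the terminal for sudo; drop `set -x` and keep the `true` line as the only trace. The "for some reason" in the SSH comment can be stated: OpenSSH public-key authentication does not run the PAM auth stack at all (only account and session), so no auth-type module, pam_tally2 included, ever sees those attempts — `## counter: pubkey auth never enters the PAM auth stack (only account/session).` The fail-closed property deserves a line as well, since it is the reason the script may exit non-zero on the common path: if PAM_SERVICE is unset the comparison is false, and if the script cannot run pam_exec returns an error, and in both cases `[success=1 default=ignore]` still reaches pam_tally2.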
@@ -4,7 +4,7 @@ Priority: 290 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug Account-Type: Primary Account: From f2595cc2542b326a74d4c651897160c04bd1e162 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 27 Jan 2021 05:50:16 -0500 Subject: [PATCH 0389/1650] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1190f49..e4e1a63 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,19 @@ +commit 9622f28e255a101ee7239e3ffd42d8d80637654a +Author: Patrick Schleizer +Date: Wed Jan 27 05:49:34 2021 -0500 + + skip counting failed login attempts from dovecot + + Failed dovecot logins should not result in account getting locked. + + revert "use pam_tally2 only for login" + +commit 480f74cab6d79886fe29eeecc5b7ebc1f138f8dd +Author: Patrick Schleizer +Date: Sun Jan 24 05:10:36 2021 -0500 + + bumped changelog version + commit 6757104aa4d1e661b046e71f7bda511d73e83d61 Author: Patrick Schleizer Date: Sun Jan 24 05:04:48 2021 -0500 diff --git a/debian/changelog b/debian/changelog index 2648739..31c1073 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 27 Jan 2021 10:50:16 +0000 + security-misc (3:20.1-1) unstable; urgency=medium * New upstream version (local package). From b0b7f569ee7da1101c9100c1b053b910f8660436 Mon Sep 17 00:00:00 2001 
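Review bot: The Auth line now points at pam_tally2_not_if_x, but the superseded helper /usr/lib/security-misc/pam_only_if_login is not removed in this commit (the diffstat lists two files, and the helper still appears in the file list of PATCH 0399 further down this page). Two pam_exec helpers with opposite exit-code semantics left side by side in /usr/lib/security-misc are easy to confuse in a later profile edit; delete the old one here, or at least mark it obsolete in a comment at its top.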
From: Patrick Schleizer Date: Thu, 28 Jan 2021 02:11:54 -0500 Subject: [PATCH 0390/1650] comment --- usr/lib/security-misc/pam_tally2_not_if_x | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/security-misc/pam_tally2_not_if_x b/usr/lib/security-misc/pam_tally2_not_if_x index 88e56f3..14fafd3 100755 --- a/usr/lib/security-misc/pam_tally2_not_if_x +++ b/usr/lib/security-misc/pam_tally2_not_if_x @@ -35,4 +35,8 @@ done ## exit failure so [success=1 default=ignore] will result in running the ## next PAM module (the pam_tally2 module). +## +## Causes confusing error message: +## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1 +## https://github.com/linux-pam/linux-pam/issues/329 exit 1 From d9aaf5910553b04b965ea729476b586d72043aea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 28 Jan 2021 02:15:46 -0500 Subject: [PATCH 0391/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e4e1a63..1315379 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b0b7f569ee7da1101c9100c1b053b910f8660436 +Author: Patrick Schleizer +Date: Thu Jan 28 02:11:54 2021 -0500 + + comment + +commit f2595cc2542b326a74d4c651897160c04bd1e162 +Author: Patrick Schleizer +Date: Wed Jan 27 05:50:16 2021 -0500 + + bumped changelog version + commit 9622f28e255a101ee7239e3ffd42d8d80637654a Author: Patrick Schleizer Date: Wed Jan 27 05:49:34 2021 -0500 diff --git a/debian/changelog b/debian/changelog index 31c1073..fc753a9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 28 Jan 2021 07:15:46 +0000 + security-misc (3:20.2-1) unstable; urgency=medium * New upstream version (local package). 
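Review bot: The new comment explains the noisy `failed: exit code 1` log line but not why the polarity is nonetheless kept, which is what the next person tempted to silence it needs to know. Exiting non-zero on the common path is what keeps the stack fail-closed: a helper that is missing, not executable or crashes also yields non-success, `default=ignore` drops that result, and pam_tally2 still runs; inverting the script (exit 0 = count) with `[success=ignore default=1]` would remove the message for sudo and login but turn every exec failure into a skipped tally. Suggest adding `## Exit 1 on the common path is deliberate: an exec failure is also non-success and still reaches pam_tally2 (fail-closed); do not invert the polarity just to silence the log line.` The for-loop this comment follows is above the hunk.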
From af3244741dba7425148378aacf853e82deddee1f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 29 Jan 2021 23:15:52 -0500 Subject: [PATCH 0392/1650] comment --- usr/lib/security-misc/permission-hardening | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index c0c5e32..c310556 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -436,8 +436,8 @@ set_file_perms() { if [ "$capability_from_config" = "none" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - # sudo setcap -r /usr/bin/ping 2>/dev/null - # Failed to set capabilities on file `/usr/bin/ping' (No data available) + # sudo setcap -r /bin/ping 2>/dev/null + # Failed to set capabilities on file `/bin/ping' (No data available) # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. echo_wrapper_ignore setcap -r "$fso" From 3120ff3ec98edecdc2855261d3ba26cad8803c74 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 29 Jan 2021 23:37:03 -0500 Subject: [PATCH 0393/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1315379..8ee902f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit af3244741dba7425148378aacf853e82deddee1f +Author: Patrick Schleizer +Date: Fri Jan 29 23:15:52 2021 -0500 + + comment + +commit d9aaf5910553b04b965ea729476b586d72043aea +Author: Patrick Schleizer +Date: Thu Jan 28 02:15:46 2021 -0500 + + bumped changelog version + commit b0b7f569ee7da1101c9100c1b053b910f8660436 Author: Patrick Schleizer Date: Thu Jan 28 02:11:54 2021 -0500 diff --git a/debian/changelog b/debian/changelog index fc753a9..edc0a3b 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 30 Jan 2021 04:37:03 +0000 + security-misc (3:20.3-1) unstable; urgency=medium * New upstream version (local package). From 4db7d6be643f9e7c9c3b81d3945b8d2c3e4c5269 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 6 Feb 2021 03:02:08 -0500 Subject: [PATCH 0394/1650] hide-hardware-info: allow unrestricting selinuxfs On SELinux systems, the /sys/fs/selinux directory must be visible to userspace utilities in order to function properly. --- etc/hide-hardware-info.d/30_default.conf | 3 +++ usr/lib/security-misc/hide-hardware-info | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 252e0b6..88344bc 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -6,3 +6,6 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 + +## Disable selinux mode. +#selinux=0 diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info index 36ddc29..78f3f9b 100755 --- a/usr/lib/security-misc/hide-hardware-info +++ b/usr/lib/security-misc/hide-hardware-info @@ -7,6 +7,7 @@ set -e sysfs_whitelist=1 cpuinfo_whitelist=1 +selinux=1 shopt -s nullglob @@ -76,3 +77,16 @@ do fi fi done + +## on SELinux systems, at least /sys/fs/selinux +## must be visible to unprivileged users, else +## SELinux userspace utilities will not function +## properly +if [ -d /sys/fs/selinux ]; then + if [ "${selinux}" = "1" ]; then + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi +fi 
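Review bot: `chmod o+rx /sys /sys/fs /sys/fs/selinux` in the last hunk grants more than the stated goal: world read on /sys and /sys/fs re-exposes the directory listings of the whole sysfs top level (presumably what the earlier, unseen part of this script tightened), while reaching /sys/fs/selinux by path only needs traverse permission on the parents. Use `chmod o+x /sys /sys/fs` followed by `chmod o+rx /sys/fs/selinux` so that only selinuxfs itself becomes listable. The `[ -d /sys/fs/selinux ]` test only shows the mount point exists, not that selinuxfs is mounted; if the directory can be present on kernels without SELinux active, `mountpoint -q /sys/fs/selinux` would avoid loosening modes there, and since the file runs under `set -e` a failing chmod aborts the script rather than continuing silently, which should be mentioned in the INFO message or a comment.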
From 83c0be5177929b67e3c9eba18c02904498d378cb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 Feb 2021 06:27:54 -0500 Subject: [PATCH 0395/1650] readme --- README_generic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_generic.md b/README_generic.md index b046222..443cb11 100644 --- a/README_generic.md +++ b/README_generic.md @@ -21,13 +21,13 @@ Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_ 2\. Add Whonix's signing key. ``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc +sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc ``` 3\. Add Whonix's APT repository. ``` -echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list +echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. From 7f30d702953b2e46255e3e8e71ee47af3f5a5725 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 Feb 2021 06:31:45 -0500 Subject: [PATCH 0396/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8ee902f..e1de5d9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 83c0be5177929b67e3c9eba18c02904498d378cb +Author: Patrick Schleizer +Date: Sat Feb 6 06:27:54 2021 -0500 + + readme + +commit 3120ff3ec98edecdc2855261d3ba26cad8803c74 +Author: Patrick Schleizer +Date: Fri Jan 29 23:37:03 2021 -0500 + + bumped changelog version + commit af3244741dba7425148378aacf853e82deddee1f Author: Patrick Schleizer Date: Fri Jan 29 23:15:52 2021 -0500 diff --git a/debian/changelog b/debian/changelog index edc0a3b..9a388da 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:20.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 Feb 2021 11:31:45 +0000 + security-misc (3:20.4-1) unstable; urgency=medium * New upstream version (local package). From a1819e8cabc45ea197da7e3a4a94ffbab1376423 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 1 Mar 2021 09:15:44 -0500 Subject: [PATCH 0397/1650] comment --- etc/hide-hardware-info.d/30_default.conf | 1 + usr/lib/security-misc/hide-hardware-info | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 88344bc..2b01ffe 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -8,4 +8,5 @@ #cpuinfo_whitelist=0 ## Disable selinux mode. +## https://www.whonix.org/wiki/Security-misc#selinux #selinux=0 diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info index 78f3f9b..447f8d6 100755 --- a/usr/lib/security-misc/hide-hardware-info +++ b/usr/lib/security-misc/hide-hardware-info @@ -7,6 +7,8 @@ set -e sysfs_whitelist=1 cpuinfo_whitelist=1 + +## https://www.whonix.org/wiki/Security-misc#selinux selinux=1 shopt -s nullglob @@ -78,6 +80,8 @@ do fi done +## https://www.whonix.org/wiki/Security-misc#selinux +## ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else ## SELinux userspace utilities will not function From 0c4a7207e46933a504badfb9c1ce26a9ef82d370 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 4 Mar 2021 07:09:01 -0500 Subject: [PATCH 0398/1650] bumped changelog version --- changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e1de5d9..f85e50f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,9 +1,46 @@ +commit a1819e8cabc45ea197da7e3a4a94ffbab1376423 +Author: Patrick Schleizer +Date: Mon Mar 1 09:15:44 2021 -0500 + + comment + +commit 3382192b89de3891d45261f138652bdb48c5674b +Merge: 7f30d70 2e8e3c0 +Author: Patrick Schleizer +Date: Mon Mar 1 09:12:18 2021 -0500 + + Merge remote-tracking branch 'github/master' + +commit 2e8e3c07c4dda7f8500237dfa7a1d2bc7aecef5d +Merge: 7f30d70 4db7d6b +Author: Patrick Schleizer +Date: Mon Mar 1 14:11:28 2021 +0000 + + Merge pull request #100 from 0xC0ncord/bugfix/selinuxfs_restrictions + + hide-hardware-info: allow unrestricting selinuxfs + +commit 7f30d702953b2e46255e3e8e71ee47af3f5a5725 +Author: Patrick Schleizer +Date: Sat Feb 6 06:31:45 2021 -0500 + + bumped changelog version + commit 83c0be5177929b67e3c9eba18c02904498d378cb Author: Patrick Schleizer Date: Sat Feb 6 06:27:54 2021 -0500 readme +commit 4db7d6be643f9e7c9c3b81d3945b8d2c3e4c5269 +Author: Kenton Groombridge +Date: Sat Feb 6 03:02:08 2021 -0500 + + hide-hardware-info: allow unrestricting selinuxfs + + On SELinux systems, the /sys/fs/selinux directory must be visible to + userspace utilities in order to function properly. + commit 3120ff3ec98edecdc2855261d3ba26cad8803c74 Author: Patrick Schleizer Date: Fri Jan 29 23:37:03 2021 -0500 diff --git a/debian/changelog b/debian/changelog index 9a388da..a89afd5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 04 Mar 2021 12:09:01 +0000 + security-misc (3:20.5-1) unstable; urgency=medium * New upstream version (local package). From a67007f4b7b7763a0b131acb246cfe84ac65540f Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Mar 2021 09:45:21 -0400 Subject: [PATCH 0399/1650] copyright --- COPYING | 2 +- debian/changelog | 418 +++++++++--------- debian/control | 4 +- debian/copyright | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.install | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.triggers | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/X11/Xsession.d/50panic_on_oops | 2 +- etc/X11/Xsession.d/50security-misc | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_distrust_cpu.cfg | 2 +- etc/default/grub.d/40_enable_iommu.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- .../scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc.conf | 2 +- .../25_default_whitelist_bubblewrap.conf | 2 +- .../25_default_whitelist_chromium.conf | 2 +- .../25_default_whitelist_dbus.conf | 2 +- .../25_default_whitelist_firejail.conf | 2 +- .../25_default_whitelist_fuse.conf | 2 +- .../25_default_whitelist_mount.conf | 2 +- .../25_default_whitelist_policykit.conf | 2 +- .../25_default_whitelist_qubes.conf | 2 +- .../25_default_whitelist_selinux.conf | 2 +- .../25_default_whitelist_spice.conf | 2 +- .../25_default_whitelist_sudo.conf | 2 +- .../25_default_whitelist_virtualbox.conf | 2 +- etc/permission-hardening.d/30_default.conf | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- .../xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 2 +- 
etc/sudoers.d/xfce-security-misc | 2 +- etc/sysctl.d/30_security-misc.conf | 2 +- etc/sysctl.d/30_silent-kernel-printk.conf | 2 +- etc/thunderbird/pref/40_security-mic.js | 2 +- .../system-preset/50-security-misc.preset | 2 +- lib/systemd/system/hide-hardware-info.service | 2 +- .../system/permission-hardening.service | 2 +- lib/systemd/system/proc-hidepid.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- usr/bin/pkexec.security-misc | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/security-misc/apt-get-update | 2 +- .../security-misc/apt-get-update-sanity-test | 2 +- usr/lib/security-misc/apt-get-wrapper | 2 +- usr/lib/security-misc/askpass | 2 +- usr/lib/security-misc/echo-path | 2 +- usr/lib/security-misc/hide-hardware-info | 2 +- .../pam-abort-on-locked-password | 2 +- usr/lib/security-misc/pam_only_if_login | 2 +- usr/lib/security-misc/pam_tally2-info | 2 +- usr/lib/security-misc/pam_tally2_not_if_x | 2 +- usr/lib/security-misc/panic-on-oops | 2 +- usr/lib/security-misc/permission-hardening | 2 +- .../security-misc/permission-hardening-undo | 2 +- usr/lib/security-misc/permission-lockdown | 2 +- usr/lib/security-misc/remount-secure | 2 +- usr/lib/security-misc/remove-system.map | 2 +- usr/lib/security-misc/virusforget | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- 77 files changed, 286 insertions(+), 286 deletions(-) diff --git a/COPYING b/COPYING index c54f148..3b0825d 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2020 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP License: GPL-3+-with-additional-terms-1 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
diff --git a/debian/changelog b/debian/changelog index a89afd5..89aab2d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -2,1252 +2,1252 @@ security-misc (3:20.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 04 Mar 2021 12:09:01 +0000 + -- Patrick Schleizer Thu, 04 Mar 2021 12:09:01 +0000 security-misc (3:20.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Feb 2021 11:31:45 +0000 + -- Patrick Schleizer Sat, 06 Feb 2021 11:31:45 +0000 security-misc (3:20.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 30 Jan 2021 04:37:03 +0000 + -- Patrick Schleizer Sat, 30 Jan 2021 04:37:03 +0000 security-misc (3:20.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 28 Jan 2021 07:15:46 +0000 + -- Patrick Schleizer Thu, 28 Jan 2021 07:15:46 +0000 security-misc (3:20.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 27 Jan 2021 10:50:16 +0000 + -- Patrick Schleizer Wed, 27 Jan 2021 10:50:16 +0000 security-misc (3:20.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 24 Jan 2021 10:10:36 +0000 + -- Patrick Schleizer Sun, 24 Jan 2021 10:10:36 +0000 security-misc (3:20.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 20 Jan 2021 00:41:43 +0000 + -- Patrick Schleizer Wed, 20 Jan 2021 00:41:43 +0000 security-misc (3:19.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 14 Jan 2021 07:36:49 +0000 + -- Patrick Schleizer Thu, 14 Jan 2021 07:36:49 +0000 security-misc (3:19.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 05 Jan 2021 13:30:37 +0000 + -- Patrick Schleizer Tue, 05 Jan 2021 13:30:37 +0000 security-misc (3:19.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 10 Dec 2020 10:20:57 +0000 + -- Patrick Schleizer Thu, 10 Dec 2020 10:20:57 +0000 security-misc (3:19.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 01 Dec 2020 10:53:06 +0000 + -- Patrick Schleizer Tue, 01 Dec 2020 10:53:06 +0000 security-misc (3:19.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 28 Nov 2020 11:08:10 +0000 + -- Patrick Schleizer Sat, 28 Nov 2020 11:08:10 +0000 security-misc (3:19.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Nov 2020 15:18:09 +0000 + -- Patrick Schleizer Fri, 06 Nov 2020 15:18:09 +0000 security-misc (3:19.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 31 Oct 2020 10:29:25 +0000 + -- Patrick Schleizer Sat, 31 Oct 2020 10:29:25 +0000 security-misc (3:19.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 31 Oct 2020 10:09:22 +0000 + -- Patrick Schleizer Sat, 31 Oct 2020 10:09:22 +0000 security-misc (3:19.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 05 Oct 2020 11:03:37 +0000 + -- Patrick Schleizer Mon, 05 Oct 2020 11:03:37 +0000 security-misc (3:19.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 28 Sep 2020 14:30:42 +0000 + -- Patrick Schleizer Mon, 28 Sep 2020 14:30:42 +0000 security-misc (3:18.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 19 Sep 2020 13:28:27 +0000 + -- Patrick Schleizer Sat, 19 Sep 2020 13:28:27 +0000 security-misc (3:18.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 03 Aug 2020 13:43:43 +0000 + -- Patrick Schleizer Mon, 03 Aug 2020 13:43:43 +0000 security-misc (3:18.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Wed, 29 Jul 2020 12:33:07 +0000 + -- Patrick Schleizer Wed, 29 Jul 2020 12:33:07 +0000 security-misc (3:18.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 14 May 2020 17:57:32 +0000 + -- Patrick Schleizer Thu, 14 May 2020 17:57:32 +0000 security-misc (3:18.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 23 Apr 2020 16:27:25 +0000 + -- Patrick Schleizer Thu, 23 Apr 2020 16:27:25 +0000 security-misc (3:18.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 16 Apr 2020 12:43:40 +0000 + -- Patrick Schleizer Thu, 16 Apr 2020 12:43:40 +0000 security-misc (3:18.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 14 Apr 2020 16:40:31 +0000 + -- Patrick Schleizer Tue, 14 Apr 2020 16:40:31 +0000 security-misc (3:18.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 13 Apr 2020 10:56:34 +0000 + -- Patrick Schleizer Mon, 13 Apr 2020 10:56:34 +0000 security-misc (3:18.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 09 Apr 2020 09:45:30 +0000 + -- Patrick Schleizer Thu, 09 Apr 2020 09:45:30 +0000 security-misc (3:18.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 08 Apr 2020 17:13:21 +0000 + -- Patrick Schleizer Wed, 08 Apr 2020 17:13:21 +0000 security-misc (3:17.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 08 Apr 2020 12:51:11 +0000 + -- Patrick Schleizer Wed, 08 Apr 2020 12:51:11 +0000 security-misc (3:17.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 06 Apr 2020 17:29:23 +0000 + -- Patrick Schleizer Mon, 06 Apr 2020 17:29:23 +0000 security-misc (3:17.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sat, 04 Apr 2020 20:51:42 +0000 + -- Patrick Schleizer Sat, 04 Apr 2020 20:51:42 +0000 security-misc (3:17.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 02 Apr 2020 11:58:51 +0000 + -- Patrick Schleizer Thu, 02 Apr 2020 11:58:51 +0000 security-misc (3:17.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 01 Apr 2020 14:58:16 +0000 + -- Patrick Schleizer Wed, 01 Apr 2020 14:58:16 +0000 security-misc (3:17.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 01 Apr 2020 12:26:44 +0000 + -- Patrick Schleizer Wed, 01 Apr 2020 12:26:44 +0000 security-misc (3:17.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 31 Mar 2020 11:41:45 +0000 + -- Patrick Schleizer Tue, 31 Mar 2020 11:41:45 +0000 security-misc (3:17.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 30 Mar 2020 22:42:02 +0000 + -- Patrick Schleizer Mon, 30 Mar 2020 22:42:02 +0000 security-misc (3:17.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 30 Mar 2020 21:16:46 +0000 + -- Patrick Schleizer Mon, 30 Mar 2020 21:16:46 +0000 security-misc (3:17.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 21 Mar 2020 18:56:48 +0000 + -- Patrick Schleizer Sat, 21 Mar 2020 18:56:48 +0000 security-misc (3:16.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 12 Mar 2020 08:43:08 +0000 + -- Patrick Schleizer Thu, 12 Mar 2020 08:43:08 +0000 security-misc (3:16.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 08 Mar 2020 13:43:24 +0000 + -- Patrick Schleizer Sun, 08 Mar 2020 13:43:24 +0000 security-misc (3:16.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 05 Mar 2020 13:36:27 +0000 + -- Patrick Schleizer Thu, 05 Mar 2020 13:36:27 +0000 security-misc (3:16.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 03 Mar 2020 14:19:49 +0000 + -- Patrick Schleizer Tue, 03 Mar 2020 14:19:49 +0000 security-misc (3:16.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 03 Mar 2020 14:12:50 +0000 + -- Patrick Schleizer Tue, 03 Mar 2020 14:12:50 +0000 security-misc (3:16.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 15 Feb 2020 20:35:44 +0000 + -- Patrick Schleizer Sat, 15 Feb 2020 20:35:44 +0000 security-misc (3:16.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 15 Feb 2020 20:29:38 +0000 + -- Patrick Schleizer Sat, 15 Feb 2020 20:29:38 +0000 security-misc (3:16.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 13 Feb 2020 18:39:45 +0000 + -- Patrick Schleizer Thu, 13 Feb 2020 18:39:45 +0000 security-misc (3:16.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 05 Feb 2020 11:31:48 +0000 + -- Patrick Schleizer Wed, 05 Feb 2020 11:31:48 +0000 security-misc (3:16.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 03 Feb 2020 14:23:13 +0000 + -- Patrick Schleizer Mon, 03 Feb 2020 14:23:13 +0000 security-misc (3:15.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 03 Feb 2020 13:43:31 +0000 + -- Patrick Schleizer Mon, 03 Feb 2020 13:43:31 +0000 security-misc (3:15.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 30 Jan 2020 11:14:34 +0000 + -- Patrick Schleizer Thu, 30 Jan 2020 11:14:34 +0000 security-misc (3:15.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 30 Jan 2020 11:02:26 +0000 + -- Patrick Schleizer Thu, 30 Jan 2020 11:02:26 +0000 security-misc (3:15.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 30 Jan 2020 06:22:32 +0000 + -- Patrick Schleizer Thu, 30 Jan 2020 06:22:32 +0000 security-misc (3:15.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 Jan 2020 17:02:27 +0000 + -- Patrick Schleizer Fri, 24 Jan 2020 17:02:27 +0000 security-misc (3:15.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 Jan 2020 09:41:16 +0000 + -- Patrick Schleizer Fri, 24 Jan 2020 09:41:16 +0000 security-misc (3:15.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 Jan 2020 09:34:18 +0000 + -- Patrick Schleizer Fri, 24 Jan 2020 09:34:18 +0000 security-misc (3:15.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 Jan 2020 08:49:02 +0000 + -- Patrick Schleizer Fri, 24 Jan 2020 08:49:02 +0000 security-misc (3:15.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 22 Jan 2020 12:10:47 +0000 + -- Patrick Schleizer Wed, 22 Jan 2020 12:10:47 +0000 security-misc (3:15.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 21 Jan 2020 15:12:32 +0000 + -- Patrick Schleizer Tue, 21 Jan 2020 15:12:32 +0000 security-misc (3:14.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 20 Jan 2020 13:51:25 +0000 + -- Patrick Schleizer Mon, 20 Jan 2020 13:51:25 +0000 security-misc (3:14.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 17 Jan 2020 08:32:57 +0000 + -- Patrick Schleizer Fri, 17 Jan 2020 08:32:57 +0000 security-misc (3:14.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Wed, 15 Jan 2020 16:37:52 +0000 + -- Patrick Schleizer Wed, 15 Jan 2020 16:37:52 +0000 security-misc (3:14.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 15 Jan 2020 16:05:54 +0000 + -- Patrick Schleizer Wed, 15 Jan 2020 16:05:54 +0000 security-misc (3:14.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 + -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 security-misc (3:14.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 + -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 security-misc (3:14.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 11 Jan 2020 20:19:28 +0000 + -- Patrick Schleizer Sat, 11 Jan 2020 20:19:28 +0000 security-misc (3:14.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 01 Jan 2020 10:59:58 +0000 + -- Patrick Schleizer Wed, 01 Jan 2020 10:59:58 +0000 security-misc (3:14.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 31 Dec 2019 11:08:32 +0000 + -- Patrick Schleizer Tue, 31 Dec 2019 11:08:32 +0000 security-misc (3:14.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 31 Dec 2019 11:03:48 +0000 + -- Patrick Schleizer Tue, 31 Dec 2019 11:03:48 +0000 security-misc (3:13.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 31 Dec 2019 07:54:58 +0000 + -- Patrick Schleizer Tue, 31 Dec 2019 07:54:58 +0000 security-misc (3:13.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 30 Dec 2019 11:42:14 +0000 + -- Patrick Schleizer Mon, 30 Dec 2019 11:42:14 +0000 security-misc (3:13.7-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Mon, 30 Dec 2019 10:59:43 +0000
+ -- Patrick Schleizer Mon, 30 Dec 2019 10:59:43 +0000
 security-misc (3:13.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 27 Dec 2019 10:30:12 +0000
+ -- Patrick Schleizer Fri, 27 Dec 2019 10:30:12 +0000
 security-misc (3:13.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 24 Dec 2019 23:35:49 +0000
+ -- Patrick Schleizer Tue, 24 Dec 2019 23:35:49 +0000
 security-misc (3:13.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 24 Dec 2019 13:07:55 +0000
+ -- Patrick Schleizer Tue, 24 Dec 2019 13:07:55 +0000
 security-misc (3:13.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 23 Dec 2019 13:48:04 +0000
+ -- Patrick Schleizer Mon, 23 Dec 2019 13:48:04 +0000
 security-misc (3:13.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 23 Dec 2019 08:58:00 +0000
+ -- Patrick Schleizer Mon, 23 Dec 2019 08:58:00 +0000
 security-misc (3:13.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 23 Dec 2019 07:42:07 +0000
+ -- Patrick Schleizer Mon, 23 Dec 2019 07:42:07 +0000
 security-misc (3:13.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 23 Dec 2019 07:13:13 +0000
+ -- Patrick Schleizer Mon, 23 Dec 2019 07:13:13 +0000
 security-misc (3:12.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 19:55:03 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 19:55:03 +0000
 security-misc (3:12.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 19:23:35 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 19:23:35 +0000
 security-misc (3:12.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 12:49:55 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 12:49:55 +0000
 security-misc (3:12.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 12:38:25 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 12:38:25 +0000
 security-misc (3:12.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 11:28:19 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 11:28:19 +0000
 security-misc (3:12.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 11:12:20 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 11:12:20 +0000
 security-misc (3:12.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 11:00:17 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 11:00:17 +0000
 security-misc (3:12.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 10:38:39 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 10:38:39 +0000
 security-misc (3:12.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 10:31:55 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 10:31:55 +0000
 security-misc (3:12.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 21 Dec 2019 07:05:39 +0000
+ -- Patrick Schleizer Sat, 21 Dec 2019 07:05:39 +0000
 security-misc (3:11.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 20 Dec 2019 16:50:25 +0000
+ -- Patrick Schleizer Fri, 20 Dec 2019 16:50:25 +0000
 security-misc (3:11.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 20 Dec 2019 16:09:22 +0000
+ -- Patrick Schleizer Fri, 20 Dec 2019 16:09:22 +0000
 security-misc (3:11.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000
+ -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000
 security-misc (3:11.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 20 Dec 2019 13:15:00 +0000
+ -- Patrick Schleizer Fri, 20 Dec 2019 13:15:00 +0000
 security-misc (3:11.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 20 Dec 2019 12:12:36 +0000
+ -- Patrick Schleizer Fri, 20 Dec 2019 12:12:36 +0000
 security-misc (3:11.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 16 Dec 2019 11:27:51 +0000
+ -- Patrick Schleizer Mon, 16 Dec 2019 11:27:51 +0000
 security-misc (3:11.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 12 Dec 2019 14:04:15 +0000
+ -- Patrick Schleizer Thu, 12 Dec 2019 14:04:15 +0000
 security-misc (3:11.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 10 Dec 2019 16:44:02 +0000
+ -- Patrick Schleizer Tue, 10 Dec 2019 16:44:02 +0000
 security-misc (3:11.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 09 Dec 2019 13:25:30 +0000
+ -- Patrick Schleizer Mon, 09 Dec 2019 13:25:30 +0000
 security-misc (3:11.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 08 Dec 2019 10:26:29 +0000
+ -- Patrick Schleizer Sun, 08 Dec 2019 10:26:29 +0000
 security-misc (3:10.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 08 Dec 2019 09:38:33 +0000
+ -- Patrick Schleizer Sun, 08 Dec 2019 09:38:33 +0000
 security-misc (3:10.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 08 Dec 2019 09:27:01 +0000
+ -- Patrick Schleizer Sun, 08 Dec 2019 09:27:01 +0000
 security-misc (3:10.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 08 Dec 2019 09:05:29 +0000
+ -- Patrick Schleizer Sun, 08 Dec 2019 09:05:29 +0000
 security-misc (3:10.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 07 Dec 2019 07:02:32 +0000
+ -- Patrick Schleizer Sat, 07 Dec 2019 07:02:32 +0000
 security-misc (3:10.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Dec 2019 17:43:21 +0000
+ -- Patrick Schleizer Fri, 06 Dec 2019 17:43:21 +0000
 security-misc (3:10.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Dec 2019 16:18:20 +0000
+ -- Patrick Schleizer Fri, 06 Dec 2019 16:18:20 +0000
 security-misc (3:10.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Dec 2019 14:32:18 +0000
+ -- Patrick Schleizer Fri, 06 Dec 2019 14:32:18 +0000
 security-misc (3:10.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 28 Nov 2019 15:22:41 +0000
+ -- Patrick Schleizer Thu, 28 Nov 2019 15:22:41 +0000
 security-misc (3:10.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 25 Nov 2019 08:51:36 +0000
+ -- Patrick Schleizer Mon, 25 Nov 2019 08:51:36 +0000
 security-misc (3:10.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 25 Nov 2019 08:49:15 +0000
+ -- Patrick Schleizer Mon, 25 Nov 2019 08:49:15 +0000
 security-misc (3:9.12-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 23 Nov 2019 14:07:45 +0000
+ -- Patrick Schleizer Sat, 23 Nov 2019 14:07:45 +0000
 security-misc (3:9.11-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 19 Nov 2019 15:31:55 +0000
+ -- Patrick Schleizer Tue, 19 Nov 2019 15:31:55 +0000
 security-misc (3:9.10-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 18 Nov 2019 19:16:16 +0000
+ -- Patrick Schleizer Mon, 18 Nov 2019 19:16:16 +0000
 security-misc (3:9.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 09 Nov 2019 18:44:50 +0000
+ -- Patrick Schleizer Sat, 09 Nov 2019 18:44:50 +0000
 security-misc (3:9.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 09 Nov 2019 12:57:45 +0000
+ -- Patrick Schleizer Sat, 09 Nov 2019 12:57:45 +0000
 security-misc (3:9.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 09 Nov 2019 12:23:15 +0000
+ -- Patrick Schleizer Sat, 09 Nov 2019 12:23:15 +0000
 security-misc (3:9.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 31 Oct 2019 16:34:35 +0000
+ -- Patrick Schleizer Thu, 31 Oct 2019 16:34:35 +0000
 security-misc (3:9.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 31 Oct 2019 16:06:51 +0000
+ -- Patrick Schleizer Thu, 31 Oct 2019 16:06:51 +0000
 security-misc (3:9.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 23 Oct 2019 10:22:03 +0000
+ -- Patrick Schleizer Wed, 23 Oct 2019 10:22:03 +0000
 security-misc (3:9.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 21 Oct 2019 09:55:41 +0000
+ -- Patrick Schleizer Mon, 21 Oct 2019 09:55:41 +0000
 security-misc (3:9.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 21 Oct 2019 09:51:36 +0000
+ -- Patrick Schleizer Mon, 21 Oct 2019 09:51:36 +0000
 security-misc (3:9.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 18 Oct 2019 10:39:43 +0000
+ -- Patrick Schleizer Fri, 18 Oct 2019 10:39:43 +0000
 security-misc (3:9.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 18 Oct 2019 08:55:07 +0000
+ -- Patrick Schleizer Fri, 18 Oct 2019 08:55:07 +0000
 security-misc (3:8.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 14 Oct 2019 10:23:01 +0000
+ -- Patrick Schleizer Mon, 14 Oct 2019 10:23:01 +0000
 security-misc (3:8.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 05 Oct 2019 11:33:15 +0000
+ -- Patrick Schleizer Sat, 05 Oct 2019 11:33:15 +0000
 security-misc (3:8.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 05 Oct 2019 09:40:26 +0000
+ -- Patrick Schleizer Sat, 05 Oct 2019 09:40:26 +0000
 security-misc (3:8.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 16 Sep 2019 13:34:11 +0000
+ -- Patrick Schleizer Mon, 16 Sep 2019 13:34:11 +0000
 security-misc (3:8.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 15 Sep 2019 14:08:13 +0000
+ -- Patrick Schleizer Sun, 15 Sep 2019 14:08:13 +0000
 security-misc (3:8.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 12 Sep 2019 12:50:42 +0000
+ -- Patrick Schleizer Thu, 12 Sep 2019 12:50:42 +0000
 security-misc (3:8.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 09 Sep 2019 12:10:24 +0000
+ -- Patrick Schleizer Mon, 09 Sep 2019 12:10:24 +0000
 security-misc (3:8.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 07 Sep 2019 06:11:32 +0000
+ -- Patrick Schleizer Sat, 07 Sep 2019 06:11:32 +0000
 security-misc (3:8.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Sep 2019 13:04:57 +0000
+ -- Patrick Schleizer Fri, 06 Sep 2019 13:04:57 +0000
 security-misc (3:8.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Sep 2019 11:47:40 +0000
+ -- Patrick Schleizer Fri, 06 Sep 2019 11:47:40 +0000
 security-misc (3:7.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 06 Sep 2019 09:33:06 +0000
+ -- Patrick Schleizer Fri, 06 Sep 2019 09:33:06 +0000
 security-misc (3:7.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 31 Aug 2019 13:44:37 +0000
+ -- Patrick Schleizer Sat, 31 Aug 2019 13:44:37 +0000
 security-misc (3:7.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 24 Aug 2019 16:41:27 +0000
+ -- Patrick Schleizer Sat, 24 Aug 2019 16:41:27 +0000
 security-misc (3:7.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 23 Aug 2019 16:57:12 +0000
+ -- Patrick Schleizer Fri, 23 Aug 2019 16:57:12 +0000
 security-misc (3:7.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 17 Aug 2019 10:54:08 +0000
+ -- Patrick Schleizer Sat, 17 Aug 2019 10:54:08 +0000
 security-misc (3:7.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 17 Aug 2019 09:57:48 +0000
+ -- Patrick Schleizer Sat, 17 Aug 2019 09:57:48 +0000
 security-misc (3:7.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 16 Aug 2019 16:05:51 +0000
+ -- Patrick Schleizer Fri, 16 Aug 2019 16:05:51 +0000
 security-misc (3:7.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 16 Aug 2019 15:59:14 +0000
+ -- Patrick Schleizer Fri, 16 Aug 2019 15:59:14 +0000
 security-misc (3:7.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000
+ -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000
 security-misc (3:7.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000
+ -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000
 security-misc (3:6.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000
+ -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000
 security-misc (3:6.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000
+ -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000
 security-misc (3:6.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000
+ -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000
 security-misc (3:6.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000
+ -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000
 security-misc (3:6.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000
+ -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000
 security-misc (3:6.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000
+ -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000
 security-misc (3:6.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000
+ -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000
 security-misc (3:6.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 31 Jul 2019 15:17:50 +0000
+ -- Patrick Schleizer Wed, 31 Jul 2019 15:17:50 +0000
 security-misc (3:6.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 31 Jul 2019 07:44:50 +0000
+ -- Patrick Schleizer Wed, 31 Jul 2019 07:44:50 +0000
 security-misc (3:6.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 22 Jul 2019 01:16:18 +0000
+ -- Patrick Schleizer Mon, 22 Jul 2019 01:16:18 +0000
 security-misc (3:5.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 17 Jul 2019 21:38:26 +0000
+ -- Patrick Schleizer Wed, 17 Jul 2019 21:38:26 +0000
 security-misc (3:5.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 17 Jul 2019 21:08:23 +0000
+ -- Patrick Schleizer Wed, 17 Jul 2019 21:08:23 +0000
 security-misc (3:5.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 17 Jul 2019 19:13:57 +0000
+ -- Patrick Schleizer Wed, 17 Jul 2019 19:13:57 +0000
 security-misc (3:5.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 16 Jul 2019 19:45:52 +0000
+ -- Patrick Schleizer Tue, 16 Jul 2019 19:45:52 +0000
 security-misc (3:5.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 15 Jul 2019 13:26:47 +0000
+ -- Patrick Schleizer Mon, 15 Jul 2019 13:26:47 +0000
 security-misc (3:5.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 13 Jul 2019 18:51:32 +0000
+ -- Patrick Schleizer Sat, 13 Jul 2019 18:51:32 +0000
 security-misc (3:5.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 13 Jul 2019 16:30:39 +0000
+ -- Patrick Schleizer Sat, 13 Jul 2019 16:30:39 +0000
 security-misc (3:5.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 13 Jul 2019 15:17:16 +0000
+ -- Patrick Schleizer Sat, 13 Jul 2019 15:17:16 +0000
 security-misc (3:5.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 13 Jul 2019 14:58:47 +0000
+ -- Patrick Schleizer Sat, 13 Jul 2019 14:58:47 +0000
 security-misc (3:5.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 13 Jul 2019 14:55:31 +0000
+ -- Patrick Schleizer Sat, 13 Jul 2019 14:55:31 +0000
 security-misc (3:4.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000
+ -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000
 security-misc (3:4.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000
+ -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000
 security-misc (3:4.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000
+ -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000
 security-misc (3:4.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000
+ -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000
 security-misc (3:4.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000
+ -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000
 security-misc (3:4.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000
+ -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000
 security-misc (3:4.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000
+ -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000
 security-misc (3:4.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000
+ -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000
 security-misc (3:4.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000
+ -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000
 security-misc (3:4.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000
+ -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000
 security-misc (3:3.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000
+ -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000
 security-misc (3:3.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000
+ -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000
 security-misc (3:3.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000
+ -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000
 security-misc (3:3.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000
+ -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000
 security-misc (3:3.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000
+ -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000
 security-misc (3:3.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000
+ -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000
 security-misc (3:3.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000
+ -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000
 security-misc (3:3.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000
+ -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000
 security-misc (3:3.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000
+ -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000
 security-misc (3:3.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000
+ -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000
 security-misc (3:2.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000
+ -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000
 security-misc (3:2.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000
+ -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000
 security-misc (3:2.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000
+ -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000
 security-misc (3:2.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000
+ -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000
 security-misc (3:2.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000
+ -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000
 security-misc (3:2.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000
+ -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000
 security-misc (3:2.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000
+ -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000
 security-misc (3:2.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000
+ -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000
 security-misc (3:2.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000
+ -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000
 security-misc (3:2.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000
+ -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000
 security-misc (3:1.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000
+ -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000
 security-misc (3:1.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000
+ -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000
 security-misc (3:1.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000
+ -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000
 security-misc (3:1.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000
+ -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000
 security-misc (3:1.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000
+ -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000
 security-misc (3:1.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000
+ -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000
 security-misc (3:1.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000
+ -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000
 security-misc (3:1.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000
+ -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000
 security-misc (3:1.1-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000
+ -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000
 security-misc (3:1.0-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000
+ -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000
 security-misc (3:0.9-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000
+ -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000
 security-misc (3:0.8-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000
+ -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000
 security-misc (3:0.7-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000
+ -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000
 security-misc (3:0.6-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000
+ -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000
 security-misc (3:0.5-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000
+ -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000
 security-misc (3:0.4-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000
+ -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000
 security-misc (3:0.3-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000
+ -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000
 security-misc (3:0.2-1) unstable; urgency=medium
 * New upstream version (local package).
- -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000
+ -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000
 security-misc (3:0.1-2) unstable; urgency=low
 * Initial release.
- -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000
+ -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000
diff --git a/debian/control b/debian/control
index b86201e..9d04533 100644
--- a/debian/control
+++ b/debian/control
@@ -1,10 +1,10 @@
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 Source: security-misc
 Section: misc
 Priority: optional
-Maintainer: Patrick Schleizer
+Maintainer: Patrick Schleizer
 Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor
 Homepage: https://github.com/Whonix/security-misc
 Vcs-Browser: https://github.com/Whonix/security-misc
diff --git a/debian/copyright b/debian/copyright
index c54f148..3b0825d 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Files: *
-Copyright: 2012 - 2020 ENCRYPTED SUPPORT LP
+Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP
 License: GPL-3+-with-additional-terms-1
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/debian/rules b/debian/rules
index c771e0c..54cbfde 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 #export DH_VERBOSE=1
diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index 52bb261..9cd0669 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 /etc/securetty.security-misc
diff --git a/debian/security-misc.install b/debian/security-misc.install
index 0d11e6e..2748341 100644
--- a/debian/security-misc.install
+++ b/debian/security-misc.install
@@ -1,4 +1,4 @@
-## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2020 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## This file was generated using genmkfile 'make debinstfile'.
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 4e4c67a..dce7414 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 rm_conffile /etc/sudoers.d/umask-security-misc
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 13e0072..f2c3404 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm
index 7c80735..01c9cbb 100644
--- a/debian/security-misc.postrm
+++ b/debian/security-misc.postrm
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index ae7cf18..dccd8b8 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm
index 32498fe..9a1a0ae 100644
--- a/debian/security-misc.prerm
+++ b/debian/security-misc.prerm
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index a69ee42..cf92b83 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 #### meta start
diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace
index 3c56ba4..ef0fd76 100644
--- a/debian/security-misc.undisplace
+++ b/debian/security-misc.undisplace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 /etc/login.defs.security-misc
diff --git a/debian/watch b/debian/watch
index 460c78f..af1173f 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 version=4
diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops
index faca194..a43ea39 100755
--- a/etc/X11/Xsession.d/50panic_on_oops
+++ b/etc/X11/Xsession.d/50panic_on_oops
@@ -1,6 +1,6 @@
 #!/bin/sh
-## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -x /usr/lib/security-misc/panic-on-oops ]; then
diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc
index 31d77c0..829fe74 100755
--- a/etc/X11/Xsession.d/50security-misc
+++ b/etc/X11/Xsession.d/50security-misc
@@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 4c943de..8795ef4 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index 1f97f35..2a66799 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d6e2182..5bd25f7 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables all mitigations for CPU vulnerabilities. diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg index 618b5e7..40a759a 100644 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the CPU for initial entropy at boot as it is not possible to 
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg index 3d229b4..14d1869 100644 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables IOMMU to prevent DMA attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index dc12cb2..da609a4 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 2b01ffe..cb2de9b 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index a6d571f..944618a 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 58558fd..89e1377 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs 
@@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index ffffa39..c192b80 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/lib/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 0cb5c6c..ffa2b33 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://phabricator.whonix.org/T486 diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf index af2a214..cec7ec1 100644 --- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +++ b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf index 3ba68e2..399a005 100644 --- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf +++ b/etc/permission-hardening.d/25_default_whitelist_chromium.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf index 85290e7..bdb1a03 100644 --- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf +++ b/etc/permission-hardening.d/25_default_whitelist_dbus.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf index 2fcb272..5e6abef 100644 --- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardening.d/25_default_whitelist_firejail.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf index b0cffa9..8d591cc 100644 --- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardening.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf index 5ab606a..8f8bc51 100644 
--- a/etc/permission-hardening.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardening.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf index a188c98..be606a5 100644 --- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardening.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf index bb2dddc..1a934b0 100644 --- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardening.d/25_default_whitelist_qubes.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf index 0e844c1..076b996 100644 --- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardening.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or 
diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf index 27a0922..aa261f9 100644 --- a/etc/permission-hardening.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardening.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf index 30b5a07..1b8b69a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardening.d/25_default_whitelist_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf index 2c9adba..0f78927 100644 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index c447f93..11fa978 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index ef85d58..6b409a5 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index d074d94..c3f5bbf 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index 09db5fb..391680d 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index 2e089be..b45c2a1 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index e235c4d..d1e41dc 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc index bd0ae80..909a30a 100644 --- a/etc/sudoers.d/xfce-security-misc +++ b/etc/sudoers.d/xfce-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index e7b7706..6ee134a 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf index 69db9a6..9a34d9a 100644 --- a/etc/sysctl.d/30_silent-kernel-printk.conf +++ b/etc/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js index 91a8023..06276f6 100644 --- a/etc/thunderbird/pref/40_security-mic.js +++ b/etc/thunderbird/pref/40_security-mic.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP //#### See the file COPYING for copying conditions. //#### meta start 
diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 544ba5a..2d83b83 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index 0e5031e..f411a56 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 26a058d..62680f1 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index 5896235..470e4bc 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index d25a647..8540376 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index ebc8bb5..1ccdd4e 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 812a4d5..6d0f956 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 4fed016..32dfdf3 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update index 06ffe55..a61f760 100755 --- a/usr/lib/security-misc/apt-get-update +++ b/usr/lib/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. sigterm_trap() { 
diff --git a/usr/lib/security-misc/apt-get-update-sanity-test b/usr/lib/security-misc/apt-get-update-sanity-test index 58c1655..1fab62b 100755 --- a/usr/lib/security-misc/apt-get-update-sanity-test +++ b/usr/lib/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper index 9fcc2d9..9992e05 100755 --- a/usr/lib/security-misc/apt-get-wrapper +++ b/usr/lib/security-misc/apt-get-wrapper @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/lib/security-misc/askpass b/usr/lib/security-misc/askpass index 3d67ecd..0c24b25 100755 --- a/usr/lib/security-misc/askpass +++ b/usr/lib/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/lib/security-misc/echo-path b/usr/lib/security-misc/echo-path index c2d1b60..9420ff5 100755 --- a/usr/lib/security-misc/echo-path +++ b/usr/lib/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info index 447f8d6..59850ae 100755 --- a/usr/lib/security-misc/hide-hardware-info +++ b/usr/lib/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e 
diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index b7136c4..afbfcb1 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_tally2 diff --git a/usr/lib/security-misc/pam_only_if_login b/usr/lib/security-misc/pam_only_if_login index 05fc154..55f3d1d 100755 --- a/usr/lib/security-misc/pam_only_if_login +++ b/usr/lib/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info index 9fdfce8..75f65ad 100755 --- a/usr/lib/security-misc/pam_tally2-info +++ b/usr/lib/security-misc/pam_tally2-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" diff --git a/usr/lib/security-misc/pam_tally2_not_if_x b/usr/lib/security-misc/pam_tally2_not_if_x index 14fafd3..1afc024 100755 --- a/usr/lib/security-misc/pam_tally2_not_if_x +++ b/usr/lib/security-misc/pam_tally2_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files 
diff --git a/usr/lib/security-misc/panic-on-oops b/usr/lib/security-misc/panic-on-oops index 5636dc3..472a1d1 100755 --- a/usr/lib/security-misc/panic-on-oops +++ b/usr/lib/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening index c310556..e326c02 100755 --- a/usr/lib/security-misc/permission-hardening +++ b/usr/lib/security-misc/permission-hardening @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/lib/security-misc/permission-hardening-undo index ab47404..365490f 100755 --- a/usr/lib/security-misc/permission-hardening-undo +++ b/usr/lib/security-misc/permission-hardening-undo @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #set -x diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index 157056e..607bc83 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 3eed8f9..2f3316b 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## noexec in /tmp and/or /home can break some malware but also legitimate diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 1c97205..e7a437b 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/lib/helper-scripts/pre.bsh ]; then diff --git a/usr/lib/security-misc/virusforget b/usr/lib/security-misc/virusforget index f745971..ea010b8 100755 --- a/usr/lib/security-misc/virusforget +++ b/usr/lib/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index f18194d..ca46853 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index c0f1dbc..28bdc11 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] From e8ea94325b1df7bc0c47eabdfbd7c24b2fe51539 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Mar 2021 12:31:34 -0400 Subject: [PATCH 0400/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f85e50f..c0fff74 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a67007f4b7b7763a0b131acb246cfe84ac65540f +Author: Patrick Schleizer +Date: Wed Mar 17 09:45:21 2021 -0400 + + copyright + +commit 0c4a7207e46933a504badfb9c1ce26a9ef82d370 +Author: Patrick Schleizer +Date: Thu Mar 4 07:09:01 2021 -0500 + + bumped changelog version + commit a1819e8cabc45ea197da7e3a4a94ffbab1376423 Author: Patrick Schleizer Date: Mon Mar 1 09:15:44 2021 -0500 diff --git a/debian/changelog b/debian/changelog index 89aab2d..e159aa6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 17 Mar 2021 16:31:34 +0000 + security-misc (3:20.6-1) unstable; urgency=medium * New upstream version (local package). From 41734ec523eb3cd233fe4651b9807222c8ccb1d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 3 Apr 2021 11:44:13 -0400 Subject: [PATCH 0401/1650] systemd RemainAfterExit=yes for better usability https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/33 --- lib/systemd/system/hide-hardware-info.service | 1 + lib/systemd/system/permission-hardening.service | 1 + lib/systemd/system/proc-hidepid.service | 1 + lib/systemd/system/remount-secure.service | 1 + lib/systemd/system/remove-system-map.service | 1 + 5 files changed, 5 insertions(+) diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index f411a56..8720c98 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service 
@@ -12,6 +12,7 @@ After=local-fs.target [Service] Type=oneshot ExecStart=/usr/lib/security-misc/hide-hardware-info +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 62680f1..607e542 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -14,6 +14,7 @@ After=local-fs.target Type=oneshot RemainAfterExit=yes ExecStart=/usr/lib/security-misc/permission-hardening +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index 470e4bc..3952c86 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -12,6 +12,7 @@ After=local-fs.target [Service] Type=oneshot ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 8540376..83a60ad 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -16,6 +16,7 @@ After=qubes-sysinit.service Type=oneshot RemainAfterExit=yes ExecStart=/usr/lib/security-misc/remount-secure +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index 1ccdd4e..3d0f44c 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -12,6 +12,7 @@ After=local-fs.target [Service] Type=oneshot ExecStart=/usr/lib/security-misc/remove-system.map +RemainAfterExit=yes [Install] WantedBy=sysinit.target From 1d35bdf2912d1dfd0b49ce727338f86d17decd72 Mon Sep 17 00:00:00 2001 
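Review bot: The permission-hardening.service and remount-secure.service hunks add a second `RemainAfterExit=yes` although the context lines directly under `Type=oneshot` already contain that directive, so those two units end up with the same setting twice. systemd tolerates the repeated line, but it is noise that invites a reader to look for a difference that does not exist and leaves the five units with inconsistent layouts. For those two files the added line should be dropped and the existing directive kept; only the hide-hardware-info, proc-hidepid and remove-system-map hunks actually need the insertion.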
From: Patrick Schleizer Date: Mon, 5 Apr 2021 11:58:47 -0400 Subject: [PATCH 0402/1650] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c0fff74..4246d95 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,19 @@ +commit 41734ec523eb3cd233fe4651b9807222c8ccb1d5 +Author: Patrick Schleizer +Date: Sat Apr 3 11:44:13 2021 -0400 + + systemd RemainAfterExit=yes + + for better usability + + https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/33 + +commit e8ea94325b1df7bc0c47eabdfbd7c24b2fe51539 +Author: Patrick Schleizer +Date: Wed Mar 17 12:31:34 2021 -0400 + + bumped changelog version + commit a67007f4b7b7763a0b131acb246cfe84ac65540f Author: Patrick Schleizer Date: Wed Mar 17 09:45:21 2021 -0400 diff --git a/debian/changelog b/debian/changelog index e159aa6..ea9c74c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:20.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 05 Apr 2021 15:58:47 +0000 + security-misc (3:20.7-1) unstable; urgency=medium * New upstream version (local package). From 3ba3b371873d221db6845fb0fe52191b8b349b0a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 29 Apr 2021 11:08:30 -0400 Subject: [PATCH 0403/1650] add `/etc/dkms/framework.conf.security-misc` original, from - https://github.com/dell/dkms/blob/master/dkms_framework.conf - https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 --- etc/dkms/framework.conf.security-misc | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 etc/dkms/framework.conf.security-misc 
diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.security-misc new file mode 100644 index 0000000..896ee93 --- /dev/null +++ b/etc/dkms/framework.conf.security-misc @@ -0,0 +1,32 @@ +## This configuration file modifies the behavior of +## DKMS (Dynamic Kernel Module Support) and is sourced +## in by DKMS every time it is run. + +## Source Tree Location (default: /usr/src) +# source_tree="/usr/src" + +## DKMS Tree Location (default: /var/lib/dkms) +# dkms_tree="/var/lib/dkms" + +## Install Tree Location (default: /lib/modules) +# install_tree="/lib/modules" + +## tmp Location (default: /tmp) +# tmp_location="/tmp" + +## verbosity setting (verbose will be active if you set it to a non-null value) +# verbose="" + +## symlink kernel modules (will be active if you set it to a non-null value) +## This creates symlinks from the install_tree into the dkms_tree instead of +## copying the modules. This preserves some space on the costs of being less +## safe. +# symlink_modules="" + +## Automatic installation and upgrade for all installed kernels (if set to a +## non-null value) +# autoinstall_all_kernels="" + +## Script to sign modules during build, script is called with kernel version +## and module name +# sign_tool="/etc/dkms/sign_helper.sh" From e2afd00627b097f75467cd0e2fe7e15977141026 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 29 Apr 2021 11:14:30 -0400 Subject: [PATCH 0404/1650] modify DKMS configuration file `/etc/dkms/framework.conf` Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. `parallel_jobs=1` This does not necessarily belong into security-misc, however likely security-misc will need to modify `/etc/dkms/framework.conf` in the future to enable kernel module signing. https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 --- etc/dkms/framework.conf.security-misc | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.security-misc index 896ee93..f9a643d 100644 --- a/etc/dkms/framework.conf.security-misc +++ b/etc/dkms/framework.conf.security-misc 
@@ -30,3 +30,35 @@ ## Script to sign modules during build, script is called with kernel version ## and module name # sign_tool="/etc/dkms/sign_helper.sh" + +### BEGIN modifications by package security-misc ### + +## original: +## https://github.com/dell/dkms/blob/master/dkms_framework.conf + +## DKMS feature request: +## add /etc/dkms/framework.conf.d configuration file drop-in folder +## https://github.com/dell/dkms/issues/116 + +## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing +## of virtual machines. +## +## This does not necessarily belong into security-misc, however likely +## security-misc will need to modify /etc/dkms/framework.conf in the future to +## enable kernel module signing. See below. +## +## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 +ENOUGH_RAM="1950" +total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" +if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then + true "INFO: Enough RAM available. Not lowering compilation cores." +else + true "INFO: Not enough RAM available. Lowering compilation cores to 1." + parallel_jobs=1 +fi + +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 +## https://github.com/dell/dkms/blob/master/sign_helper.sh +#sign_tool="/etc/dkms/sign_helper.sh" + +### END modifications by package security-misc ### From 6e759f9196412b1742db1e4c68a70867e1ad8629 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 29 Apr 2021 11:17:30 -0400 Subject: [PATCH 0405/1650] config-package-dev displace /etc/dkms/framework.conf https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 --- debian/security-misc.displace | 1 + 1 file changed, 1 insertion(+) 
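Review bot: `total_ram` feeds an arithmetic `[ "$total_ram" -ge "$ENOUGH_RAM" ]` with no check that the `free | sed` pipeline produced a number, so when `free` is unavailable or its output is localized (the `^Mem:` anchor only matches the C/English label) the test prints an "integer expression expected" error every time DKMS sources this file. Suggest pinning the locale and guarding the comparison: `total_ram="$(LC_ALL=C free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')"` and `if [ -n "$total_ram" ] && [ "$total_ram" -ge "$ENOUGH_RAM" ]; then`. The failing test still falls into the conservative `parallel_jobs=1` branch, so current behavior is safe, just noisy. The comment says "less than 2 GB" while `ENOUGH_RAM` is 1950; a one-line comment on why the threshold sits below 2048 (presumably because `free` reports MemTotal below the nominal size) would stop someone "correcting" it later.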
diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 9cd0669..06b6187 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -2,3 +2,4 @@ ## See the file COPYING for copying conditions. /etc/securetty.security-misc +/etc/dkms/framework.conf.security-misc From 5bd59991cbf72ba9ebd8feadd4da397bbcd9d469 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 5 May 2021 08:37:56 -0400 Subject: [PATCH 0406/1650] bumped changelog version --- changelog.upstream | 44 ++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 50 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4246d95..ef25894 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,47 @@ +commit 6e759f9196412b1742db1e4c68a70867e1ad8629 +Author: Patrick Schleizer +Date: Thu Apr 29 11:17:30 2021 -0400 + + config-package-dev displace /etc/dkms/framework.conf + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit e2afd00627b097f75467cd0e2fe7e15977141026 +Author: Patrick Schleizer +Date: Thu Apr 29 11:14:30 2021 -0400 + + modify DKMS configuration file `/etc/dkms/framework.conf` + + Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. + + `parallel_jobs=1` + + This does not necessarily belong into security-misc, however likely + security-misc will need to modify `/etc/dkms/framework.conf` in the future to + enable kernel module signing. + + https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit 3ba3b371873d221db6845fb0fe52191b8b349b0a +Author: Patrick Schleizer +Date: Thu Apr 29 11:08:30 2021 -0400 + + add `/etc/dkms/framework.conf.security-misc` + + original, from + - https://github.com/dell/dkms/blob/master/dkms_framework.conf + - https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit 1d35bdf2912d1dfd0b49ce727338f86d17decd72 +Author: Patrick Schleizer +Date: Mon Apr 5 11:58:47 2021 -0400 + + bumped changelog version + commit 41734ec523eb3cd233fe4651b9807222c8ccb1d5 Author: Patrick Schleizer Date: Sat Apr 3 11:44:13 2021 -0400 diff --git a/debian/changelog b/debian/changelog index ea9c74c..5bc85a8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:20.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 05 May 2021 12:37:56 +0000 + security-misc (3:20.8-1) unstable; urgency=medium * New upstream version (local package). From 809930c0212aa41d60b1a498bd4ce85f06668bae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 1 Jun 2021 05:36:01 -0400 Subject: [PATCH 0407/1650] comment --- etc/skel/.gnupg/gpg.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf index dcc90e8..1ae4ff7 100644 --- a/etc/skel/.gnupg/gpg.conf +++ b/etc/skel/.gnupg/gpg.conf @@ -113,8 +113,7 @@ # servers. To see the IP address of the server actually used, you may use # the "--keyserver-options debug". # -#keyserver hkp://qdigse2yzvuglcix.onion -#keyserver hkp://2eghzlv2wwcq7u7y.onion +#keyserver hkp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion #keyserver mailto:pgp-public-keys@keys.nl.pgp.net #keyserver ldap://keyserver.pgp.com From d87bee37f788fb7605626cd4a8d61ed9e6fee252 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 1 Jun 2021 07:21:18 -0400 Subject: [PATCH 0408/1650] comment --- etc/skel/.gnupg/gpg.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf index 1ae4ff7..f8004fe 100644 --- a/etc/skel/.gnupg/gpg.conf +++ b/etc/skel/.gnupg/gpg.conf @@ -90,6 +90,9 @@ # servers can be HKP, email, or LDAP (if GnuPG is built with LDAP # support). # +# High-risk users should stop using the keyserver network immediately. +# https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8 +# # Example HKP keyserver: # hkp://keys.gnupg.net # hkp://subkeys.pgp.net From 0305baf21173f0ee292986200f1242ca0395c74d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 1 Jun 2021 07:36:59 -0400 Subject: [PATCH 0409/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ef25894..cb903b6 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d87bee37f788fb7605626cd4a8d61ed9e6fee252 +Author: Patrick Schleizer +Date: Tue Jun 1 07:21:18 2021 -0400 + + comment + +commit 809930c0212aa41d60b1a498bd4ce85f06668bae +Author: Patrick Schleizer +Date: Tue Jun 1 05:36:01 2021 -0400 + + comment + +commit 5bd59991cbf72ba9ebd8feadd4da397bbcd9d469 +Author: Patrick Schleizer +Date: Wed May 5 08:37:56 2021 -0400 + + bumped changelog version + commit 6e759f9196412b1742db1e4c68a70867e1ad8629 Author: Patrick Schleizer Date: Thu Apr 29 11:17:30 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 5bc85a8..1d877e4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 01 Jun 2021 11:36:59 +0000 + security-misc (3:20.9-1) unstable; urgency=medium * New upstream version (local package). From 97d8db3f74b9fc00c8f4416cb72966e62c7de88e Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Sat, 5 Jun 2021 19:16:42 +0000 Subject: [PATCH 0410/1650] Restrict sudo's file permissions --- .../25_default_sudo.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/permission-hardening.d/25_default_sudo.conf diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf new file mode 100644 index 0000000..fe92af1 --- /dev/null +++ b/etc/permission-hardening.d/25_default_sudo.conf 
@@ -0,0 +1,19 @@ +## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## This restricts the file permissions of the sudo executable so that a vulnerability +## in the program will not be exploitable by any users not in the "sudo" group. sudo +## is a very complex program and is setuid so vulnerabilities in it can allow privilege +## escalation, regardless of other root access restrictions. For example, the following +## buffer overflow vulnerability could have been exploited by any user on the system: +## https://www.openwall.com/lists/oss-security/2021/01/26/3 +## With this restriction, only users explicitly permitted to use sudo by being added to +## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a +## compromised network-facing daemon (such as web servers, time synchronization daemons, +## etc.) running as its own user from exploiting sudo to escalate privileges. +/usr/bin/sudo 4750 root sudo +/bin/sudo 4750 root sudo From 419f1d89c25ca833ac63f2e174beeb9afb0cce00 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 7 Jun 2021 12:13:37 -0400 Subject: [PATCH 0411/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cb903b6..7b14a02 100644 --- a/changelog.upstream +++ b/changelog.upstream 
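Review bot: The header comment says only members of the "sudo" group can still use sudo but does not state the consequence for everyone else: any sudoers rule granting a specific user or a different group stops working, because with mode 4750 root:sudo those users get a permission error executing the binary before sudo's policy is ever consulted. Suggest adding, directly above the two entries, `## NOTE: sudoers rules for users or groups other than "sudo" stop working; add such users to the "sudo" group instead.` Listing both `/usr/bin/sudo` and `/bin/sudo` is harmless on merged-/usr systems where they resolve to the same file, but a short comment saying that is intentional would save the next reader a check.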
@@ -1,3 +1,31 @@ +commit 30d1ce36af7835d47e0b53af475f3a7e99617b77 +Merge: 0305baf 70a1eb2 +Author: Patrick Schleizer +Date: Mon Jun 7 12:11:58 2021 -0400 + + Merge remote-tracking branch 'github-whonix/master' + +commit 70a1eb25a5976e0461056ff2c56bd82ab5df6c2c +Merge: 0305baf 97d8db3 +Author: Patrick Schleizer +Date: Sat Jun 5 15:55:41 2021 -0400 + + Merge pull request #101 from madaidan/sudo + + Restrict sudo's file permissions + +commit 97d8db3f74b9fc00c8f4416cb72966e62c7de88e +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jun 5 19:16:42 2021 +0000 + + Restrict sudo's file permissions + +commit 0305baf21173f0ee292986200f1242ca0395c74d +Author: Patrick Schleizer +Date: Tue Jun 1 07:36:59 2021 -0400 + + bumped changelog version + commit d87bee37f788fb7605626cd4a8d61ed9e6fee252 Author: Patrick Schleizer Date: Tue Jun 1 07:21:18 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 1d877e4..1cf7db6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 07 Jun 2021 16:13:37 +0000 + security-misc (3:21.0-1) unstable; urgency=medium * New upstream version (local package). From eff5af03184f52181894884b90a8d867a1f10956 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 20 Jun 2021 10:16:33 -0400 Subject: [PATCH 0412/1650] https://forums.whonix.org/t/restrict-root-access/7658/116 --- etc/permission-hardening.d/25_default_sudo.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf index fe92af1..3087ad4 100644 --- a/etc/permission-hardening.d/25_default_sudo.conf +++ b/etc/permission-hardening.d/25_default_sudo.conf 
@@ -5,6 +5,7 @@ ## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## https://forums.whonix.org/t/restrict-root-access/7658/116 ## This restricts the file permissions of the sudo executable so that a vulnerability ## in the program will not be exploitable by any users not in the "sudo" group. sudo ## is a very complex program and is setuid so vulnerabilities in it can allow privilege @@ -15,5 +16,5 @@ ## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a ## compromised network-facing daemon (such as web servers, time synchronization daemons, ## etc.) running as its own user from exploiting sudo to escalate privileges. -/usr/bin/sudo 4750 root sudo -/bin/sudo 4750 root sudo +#/usr/bin/sudo 4750 root sudo +#/bin/sudo 4750 root sudo From 0f3dbfc4a1fb08b5542e265dfbeab4e7f401549d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 20 Jun 2021 10:16:57 -0400 Subject: [PATCH 0413/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7b14a02..b227cb5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit eff5af03184f52181894884b90a8d867a1f10956 +Author: Patrick Schleizer +Date: Sun Jun 20 10:16:33 2021 -0400 + + https://forums.whonix.org/t/restrict-root-access/7658/116 + +commit 419f1d89c25ca833ac63f2e174beeb9afb0cce00 +Author: Patrick Schleizer +Date: Mon Jun 7 12:13:37 2021 -0400 + + bumped changelog version + commit 30d1ce36af7835d47e0b53af475f3a7e99617b77 Merge: 0305baf 70a1eb2 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1cf7db6..32a9688 100644 --- a/debian/changelog +++ b/debian/changelog 
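Review bot: The second hunk comments out both sudo entries, so the installed file now carries a long justification for a restriction that is no longer applied, and the only hint why is the bare forum URL inserted by the first hunk. A reader cannot tell whether the lines are disabled temporarily, meant as opt-in, or superseded elsewhere. Suggest a one-line comment directly above the disabled entries, e.g. `## Disabled by default; uncomment to apply. See the forum thread linked above for the discussion.`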
@@ -1,3 +1,9 @@ +security-misc (3:21.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 20 Jun 2021 14:16:57 +0000 + security-misc (3:21.1-1) unstable; urgency=medium * New upstream version (local package). From 74e39cbf690dae2bf72bd9f152ea91c364f5feff Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 20 Jun 2021 11:18:56 -0400 Subject: [PATCH 0414/1650] pam-abort-on-locked-password: more descriptive error handling https://forums.whonix.org/t/restrict-root-access/7658/1 --- .../security-misc/pam-abort-on-locked-password | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password index afbfcb1..9f08e77 100755 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ b/usr/lib/security-misc/pam-abort-on-locked-password @@ -7,9 +7,19 @@ ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then +passwd_bin="$(type -P "passwd")" + +if ! test -x "$passwd_bin" ; then + echo "\ +$0: ERROR: passwd_bin \"$passwd_bin\" is not executable. +See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 + ## Identifiable exit codes in case stdout / stderr is not logged in journal. + exit 2 +fi + +if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 - exit 1 + exit 3 fi if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then @@ -22,7 +32,7 @@ else echo "$0: ERROR: root account is locked by default. See:" >&2 echo "https://www.whonix.org/wiki/root" >&2 echo "" >&2 - exit 1 + exit 4 fi fi From 0f86ffef04e533be1c88584b6419c276d176fc05 Mon Sep 17 00:00:00 2001 
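Review bot: In the first pam-abort-on-locked-password hunk every failure of `"$passwd_bin" -S "$PAM_USER"` is still reported as `user "$PAM_USER" does not exist` while the command's stderr is discarded with `2>/dev/null`, so other causes (the script lacking the privileges `passwd -S` needs to query another user, an unreadable shadow database) yield a misleading message together with the new exit code 3. Suggest keeping the diagnostic: `if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>&1)" ; then` and appending `$passwd_output` to the error line, so the distinct exit codes introduced here come with the actual reason. The new `type -P passwd` lookup also depends on whatever PATH the PAM caller provides; if the executability check is meant to be deterministic, a fixed path or an explicit PATH assignment at the top of the script would make it so. The `if … fi` block containing the `exit 4` change in the second hunk begins outside the hunk.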
From: Patrick Schleizer Date: Wed, 23 Jun 2021 11:20:39 -0400 Subject: [PATCH 0415/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b227cb5..cb4ef04 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit 74e39cbf690dae2bf72bd9f152ea91c364f5feff +Author: Patrick Schleizer +Date: Sun Jun 20 11:18:56 2021 -0400 + + pam-abort-on-locked-password: more descriptive error handling + + https://forums.whonix.org/t/restrict-root-access/7658/1 + +commit 0f3dbfc4a1fb08b5542e265dfbeab4e7f401549d +Author: Patrick Schleizer +Date: Sun Jun 20 10:16:57 2021 -0400 + + bumped changelog version + commit eff5af03184f52181894884b90a8d867a1f10956 Author: Patrick Schleizer Date: Sun Jun 20 10:16:33 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 32a9688..664d6aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Jun 2021 15:20:39 +0000 + security-misc (3:21.2-1) unstable; urgency=medium * New upstream version (local package). From 257cef24baa038b21ef511e9d95c4229a5e16f68 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 24 Jul 2021 18:03:40 -0400 Subject: [PATCH 0416/1650] add LKRG compatibility settings automation for VirtualBox hosts https://github.com/openwall/lkrg/issues/82 --- .../system/lkrg.service.d/40-virtualbox.conf | 5 +++ .../lkrg/30-lkrg-virtualbox.conf | 31 +++++++++++++++++++ usr/share/security-misc/lkrg/lkrg-virtualbox | 24 ++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 lib/systemd/system/lkrg.service.d/40-virtualbox.conf create mode 100644 usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf create mode 100755 usr/share/security-misc/lkrg/lkrg-virtualbox 
diff --git a/lib/systemd/system/lkrg.service.d/40-virtualbox.conf b/lib/systemd/system/lkrg.service.d/40-virtualbox.conf new file mode 100644 index 0000000..346f861 --- /dev/null +++ b/lib/systemd/system/lkrg.service.d/40-virtualbox.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Service] +ExecStartPre=/usr/share/security-misc/lkrg/lkrg-virtualbox diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf new file mode 100644 index 0000000..c5d72b1 --- /dev/null +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -0,0 +1,31 @@ +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf AS EDITS WILL BE LOST! +## This is an auto generated file. + +## Please use "/etc/sysctl.d/50-user.conf" for your custom +## configuration, which will override the defaults found here. + +## gets copied from: +## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +## to: +## /etc/sysctl.d/30-lkrg-virtualbox.conf +## by package security-misc, files: +## /usr/share/security-misc/lkrg/lkrg-virtualbox +## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf + +## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 +## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 +## https://www.openwall.com/lists/lkrg-users/2020/01/25/2 +## https://github.com/openwall/lkrg/issues/82 +## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf +## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service +## /etc/sysctl.d/30-lkrg-dkms.conf +## /lib/systemd/system/lkrg.service + +## Already LKRG upstream default. +#lkrg.msr_validate = 0 + +lkrg.pcfi_validate = 1 +lkrg.profile_validate = 2 
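Review bot: `ExecStartPre=/usr/share/security-misc/lkrg/lkrg-virtualbox` has no `-` prefix, so a non-zero exit of the helper (which runs under `set -e`, so any failing `rm` or `cp` aborts it) makes lkrg.service itself fail, and presumably the kernel runtime guard then stays unloaded because of a VirtualBox compatibility tweak. A best-effort helper should not gate the security service: `ExecStartPre=-/usr/share/security-misc/lkrg/lkrg-virtualbox`. The copyright line `2021 - 2021` is also an odd range for a newly created file; `2021` alone reads better.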
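Review bot: The header of the new 30-lkrg-virtualbox.conf says `DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf`, yet a few lines below the same file documents that it is copied to `/etc/sysctl.d/30-lkrg-virtualbox.conf`; the name appears carried over from the LKRG upstream conf that is listed in the references. Since the installed copy is what users read when they wonder where a sysctl came from, it should say `## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-virtualbox.conf AS EDITS WILL BE LOST!`.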
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox new file mode 100755 index 0000000..30a114a --- /dev/null +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -0,0 +1,24 @@ +#!/bin/bash + +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -x +set -e + +if ! command -v vboxmanage &>/dev/null ; then + if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then + rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf + fi + exit 0 +fi + +if ! test -d /etc/sysctl.d ; then + exit 0 +fi + +if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then + exit 0 +fi + +cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf From 3ebe9e7c530b39f1b0429a97eab2627f2bbd1635 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 24 Jul 2021 18:10:06 -0400 Subject: [PATCH 0417/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cb4ef04..091b395 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit 257cef24baa038b21ef511e9d95c4229a5e16f68 +Author: Patrick Schleizer +Date: Sat Jul 24 18:03:40 2021 -0400 + + add LKRG compatibility settings automation for VirtualBox hosts + + https://github.com/openwall/lkrg/issues/82 + +commit 0f86ffef04e533be1c88584b6419c276d176fc05 +Author: Patrick Schleizer +Date: Wed Jun 23 11:20:39 2021 -0400 + + bumped changelog version + commit 74e39cbf690dae2bf72bd9f152ea91c364f5feff Author: Patrick Schleizer Date: Sun Jun 20 11:18:56 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 664d6aa..6552976 100644 --- a/debian/changelog +++ b/debian/changelog 
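Review bot: `set -x` at the top of lkrg-virtualbox leaves command tracing permanently enabled in a script intended to run on every lkrg.service start, so each boot writes the full trace to the journal even though `rm --verbose` and `cp --verbose` already report the only actions of interest. Suggest dropping `set -x`, or making it conditional, e.g. `[ "${DEBUG:-}" = "1" ] && set -x` (constructed example). The script only copies or removes the drop-in; whether the new sysctl values take effect in the same boot depends on something applying `/etc/sysctl.d` after the LKRG module is loaded, which is not visible here — a comment naming who applies them would help the next maintainer.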
@@ -1,3 +1,9 @@ +security-misc (3:21.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 24 Jul 2021 22:10:05 +0000 + security-misc (3:21.3-1) unstable; urgency=medium * New upstream version (local package). From 7e128636b3a4ea7fe5dfa12018685ab7b5dda706 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Jul 2021 11:26:20 -0400 Subject: [PATCH 0418/1650] improve LKRG VirtualBox host configuration as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 --- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index c5d72b1..bece80d 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -24,8 +24,5 @@ ## /etc/sysctl.d/30-lkrg-dkms.conf ## /lib/systemd/system/lkrg.service -## Already LKRG upstream default. -#lkrg.msr_validate = 0 - +## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 -lkrg.profile_validate = 2 From b3e34f7f43346c123d20e9a1606b1023b535f669 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Jul 2021 11:27:07 -0400 Subject: [PATCH 0419/1650] comment --- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index bece80d..ca327fc 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,6 +1,8 @@ ## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## LKRG VirtualBox host configuration + ## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf AS EDITS WILL BE LOST! ## This is an auto generated file. 
From f03c7978c7c12eb0efed1d9298f52149a8149cb3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Jul 2021 11:31:45 -0400 Subject: [PATCH 0420/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 091b395..b94f562 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit b3e34f7f43346c123d20e9a1606b1023b535f669 +Author: Patrick Schleizer +Date: Sun Jul 25 11:27:07 2021 -0400 + + comment + +commit 7e128636b3a4ea7fe5dfa12018685ab7b5dda706 +Author: Patrick Schleizer +Date: Sun Jul 25 11:26:20 2021 -0400 + + improve LKRG VirtualBox host configuration + + as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 + +commit 3ebe9e7c530b39f1b0429a97eab2627f2bbd1635 +Author: Patrick Schleizer +Date: Sat Jul 24 18:10:06 2021 -0400 + + bumped changelog version + commit 257cef24baa038b21ef511e9d95c4229a5e16f68 Author: Patrick Schleizer Date: Sat Jul 24 18:03:40 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 6552976..ee8ca2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Jul 2021 15:31:45 +0000 + security-misc (3:21.4-1) unstable; urgency=medium * New upstream version (local package). From 5a65c35479f267b026c03e195658ef9d98ee519c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 1 Aug 2021 13:11:18 -0400 Subject: [PATCH 0421/1650] port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger --- debian/security-misc.postinst | 6 ++++++ debian/security-misc.triggers | 3 +++ lib/systemd/system/lkrg.service.d/40-virtualbox.conf | 5 ----- 3 files changed, 9 insertions(+), 5 deletions(-) delete mode 100644 lib/systemd/system/lkrg.service.d/40-virtualbox.conf 
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index f2c3404..7cc831b 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -29,6 +29,12 @@ case "$1" in abort-upgrade|abort-remove|abort-deconfigure) ;; + triggered) + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" + /usr/share/security-misc/lkrg/lkrg-virtualbox || true + exit 0 + ;; + *) echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 exit 1 diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index cf92b83..3c09f14 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -9,4 +9,7 @@ ## Activate initramfs hook that sets the sysctl values before init is executed. activate-noawait update-initramfs +## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox +interest-noawait /usr/bin/vboxmanage + #### meta end diff --git a/lib/systemd/system/lkrg.service.d/40-virtualbox.conf b/lib/systemd/system/lkrg.service.d/40-virtualbox.conf deleted file mode 100644 index 346f861..0000000 --- a/lib/systemd/system/lkrg.service.d/40-virtualbox.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Service] -ExecStartPre=/usr/share/security-misc/lkrg/lkrg-virtualbox From 82f3961a7165cc1e778be785950f1a255af43b4f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 1 Aug 2021 13:12:08 -0400 Subject: [PATCH 0422/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b94f562..c25b60c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
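Review bot: The `echo` in the new `triggered)` branch prints `$DPKG_MAINTSCRIPT_PACKAGE` three times and contains `$\@`, which inside double quotes is emitted literally as `$\@` rather than expanding to the argument list, so the log line is both redundant and garbled. What matters to someone reading the dpkg output is which trigger fired, and dpkg passes the activating trigger names as the second argument: `echo "INFO: $DPKG_MAINTSCRIPT_NAME triggered: '$2'"`. `|| true` on the helper call is appropriate for a best-effort trigger, but a failure is then only visible through the helper's own trace output; `|| echo "WARNING: lkrg-virtualbox failed" >&2` would keep the trigger non-fatal without making the failure silent.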
@@ -1,3 +1,15 @@ +commit 5a65c35479f267b026c03e195658ef9d98ee519c +Author: Patrick Schleizer +Date: Sun Aug 1 13:11:18 2021 -0400 + + port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger + +commit f03c7978c7c12eb0efed1d9298f52149a8149cb3 +Author: Patrick Schleizer +Date: Sun Jul 25 11:31:45 2021 -0400 + + bumped changelog version + commit b3e34f7f43346c123d20e9a1606b1023b535f669 Author: Patrick Schleizer Date: Sun Jul 25 11:27:07 2021 -0400 diff --git a/debian/changelog b/debian/changelog index ee8ca2f..07a1971 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 01 Aug 2021 17:12:08 +0000 + security-misc (3:21.5-1) unstable; urgency=medium * New upstream version (local package). From 3599e8e2dabf13ad76901a9c282469f23d4d1308 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 1 Aug 2021 16:24:41 -0400 Subject: [PATCH 0423/1650] readme --- README_generic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_generic.md b/README_generic.md index 443cb11..3c3ac48 100644 --- a/README_generic.md +++ b/README_generic.md @@ -27,7 +27,7 @@ sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc 3\. Add Whonix's APT repository. ``` -echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. From c94281121e20289b718f24c13e399e5e8cac0ebd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 1 Aug 2021 16:37:02 -0400 Subject: [PATCH 0424/1650] comment --- etc/permission-hardening.d/30_default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 11fa978..a46abcc 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -49,7 +49,7 @@ # SUID exact match whitelist ###################################################################### -## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html +## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## http://forums.whonix.org/t/permission-hardening/8655/25 #/usr/lib/xorg/Xorg.wrap whitelist From bb3e65f7a80770238bda3733bed89c15a9c76852 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 03:25:35 -0400 Subject: [PATCH 0425/1650] bullseye --- usr/lib/security-misc/apt-get-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper index 9992e05..81a2381 100755 --- a/usr/lib/security-misc/apt-get-wrapper +++ b/usr/lib/security-misc/apt-get-wrapper @@ -25,7 +25,7 @@ apt_get_exit_code="0" ## http://stackoverflow.com/a/26263980/2605155 ## for the python way to create a pty. -python3.7 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \ +python3.9 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \ | apt-get "$@" 2>&1 \ | tee -a "$logfile" \ || { apt_get_exit_code="$?"; true; }; From 5e3338f8d3ff799a2da4257e24b57bd55541187f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 05:48:25 -0400 Subject: [PATCH 0426/1650] bullseye --- debian/compat | 1 - debian/control | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 debian/compat diff --git a/debian/compat b/debian/compat deleted file mode 100644 index 48082f7..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -12 diff --git a/debian/control b/debian/control index 9d04533..07744a7 100644 --- a/debian/control +++ b/debian/control 
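Review bot: Pinning the interpreter to `python3.9` reproduces the breakage this hunk fixes at the next Debian release; `python3 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \` uses the distribution default and the `pty` one-liner does not depend on a specific 3.x minor. Separately, the command is piped into `apt-get "$@"` rather than wrapping it, so `sys.argv[1:]` is empty, `pty.spawn([])` appears to fail in the forked child, and apt-get runs without a pty regardless of which interpreter is named; the intended form looks like `python3 -c 'import pty, sys; pty.spawn(sys.argv[1:])' apt-get "$@" 2>&1 \` followed by the existing `tee` stage. The wrapper is removed three commits later in this series in favour of `apt-get --error-on=any`, so this matters mainly for anyone backporting the script.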
@@ -5,11 +5,12 @@ Source: security-misc Section: misc Priority: optional Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor +Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor Homepage: https://github.com/Whonix/security-misc Vcs-Browser: https://github.com/Whonix/security-misc Vcs-Git: https://github.com/Whonix/security-misc.git -Standards-Version: 4.3.0 +Standards-Version: 4.5.1 +Rules-Requires-Root: no Package: security-misc Architecture: all From 8eae6356684052415f8bc494db077e033653d971 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 11:51:31 -0400 Subject: [PATCH 0427/1650] update lintian tag name --- usr/share/lintian/overrides/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index ca46853..ecc709d 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -5,7 +5,7 @@ security-misc: package-contains-file-in-etc-skel etc/skel/* ## Wrapper script. -security-misc: binary-without-manpage usr/bin/pkexec.security-misc +security-misc: no-manual-page usr/bin/pkexec.security-misc ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder From 240ec7672a4d513e7e6cca280aca3d67c265d1cc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:19:26 -0400 Subject: [PATCH 0428/1650] replace no longer required `/usr/lib/security-misc/apt-get-wrapper` with `apt-get --error-on=any` --- rpm_spec/security-misc.spec.in | 1 - usr/lib/security-misc/apt-get-update | 2 +- usr/lib/security-misc/apt-get-wrapper | 50 --------------------------- 3 files changed, 1 insertion(+), 52 deletions(-) delete mode 100755 usr/lib/security-misc/apt-get-wrapper 
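Review bot: `debhelper (>= 13)` next to `debhelper-compat (= 13)` is redundant: the compat virtual package already pulls in debhelper 13 or newer, and keeping both leaves two places to update at the next compat bump. `Build-Depends: debhelper-compat (= 13), config-package-dev, dh-apparmor` is the form the debhelper documentation and lintian expect. Deleting `debian/compat` in the same change is correct, since the file and the virtual package must not coexist.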
diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in
index a2cfca6..63b6b91 100644
--- a/rpm_spec/security-misc.spec.in
+++ b/rpm_spec/security-misc.spec.in
@@ -106,7 +106,6 @@ make %{?_smp_mflags}
 /lib/systemd/system/remove-system-map.service
 /usr/lib/security-misc/apt-get-update
 /usr/lib/security-misc/apt-get-update-sanity-test
-/usr/lib/security-misc/apt-get-wrapper
 /usr/lib/security-misc/panic-on-oops
 /usr/lib/security-misc/remove-system.map
 /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update
index a61f760..ff58900 100755
--- a/usr/lib/security-misc/apt-get-update
+++ b/usr/lib/security-misc/apt-get-update
@@ -24,7 +24,7 @@ trap "sigterm_trap" SIGTERM SIGINT
 timeout \
 --kill-after="$kill_after" \
 "$timeout_after" \
- /usr/lib/security-misc/apt-get-wrapper update "$@" &
+ apt-get update --error-on=any "$@" &
 lastpid="$!"
 wait "$lastpid"
diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper
deleted file mode 100755
index 81a2381..0000000
--- a/usr/lib/security-misc/apt-get-wrapper
+++ /dev/null
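Review bot: `apt-get update --error-on=any` is only understood by apt 2.1 and later (bullseye ships 2.2), so on a release with an older apt the call fails with an unknown-option error before any index is fetched and the caller sees an update failure rather than a compatibility problem; a one-line comment above the `timeout` invocation, `## --error-on=any needs apt >= 2.1 (bullseye); older apt rejects the option`, would save the next person the surprise. The semantic change versus the removed wrapper is also worth recording: the wrapper scanned output for `W:`/`E:` prefixes and returned 125, whereas apt now decides what counts as a failure and returns its own status, which callers that special-cased 125 should be checked for. The surrounding script starts before the hunk.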
@@ -1,50 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -set -e -set -o pipefail -set -o errtrace - -cleanup() { - if [ -d "$temp_dir" ]; then - rm --recursive --force "$temp_dir" - fi -} - -temp_dir="$(mktemp --directory)" -logfile="$temp_dir/log" - -trap "cleanup" EXIT - -apt_get_exit_code="0" - -## Thanks to: -## dmw -## http://stackoverflow.com/a/26263980/2605155 -## for the python way to create a pty. - -python3.9 -c 'import pty, sys; pty.spawn(sys.argv[1:])' \ - | apt-get "$@" 2>&1 \ - | tee -a "$logfile" \ - || { apt_get_exit_code="$?"; true; }; - -if [ ! "$apt_get_exit_code" = "0" ]; then - exit "$apt_get_exit_code" -fi - -log="$(cat "$logfile")" - -while read -r -d $'\n' line; do - line_lower_case="${line,,}" - first_two="${line_lower_case:0:2}" - if [ "$first_two" = "e:" ]; then - exit 125 - fi - if [ "$first_two" = "w:" ]; then - exit 125 - fi -done < <( echo "$log" ) - -exit "$apt_get_exit_code" From 0492f28aa10dc93063ff3b46107fa705c5ee0d7e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:37:39 -0400 Subject: [PATCH 0429/1650] enable "`apt-get --error-on=any`" by default makes apt exit non-zero for transient failures `/etc/apt/apt.conf.d/40error-on-any` https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 --- README.md | 2 ++ etc/apt/apt.conf.d/40error-on-any | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 etc/apt/apt.conf.d/40error-on-any diff --git a/README.md b/README.md index 9ab625e..c14357c 100644 --- a/README.md +++ b/README.md @@ -352,6 +352,8 @@ See: ## Application-specific hardening +* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. — `/etc/apt/apt.conf.d/40error-on-any`. * Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`. * Deactivates previews in Dolphin. * Deactivates previews in Nautilus — 
diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any new file mode 100644 index 0000000..e9357e6 --- /dev/null +++ b/etc/apt/apt.conf.d/40error-on-any @@ -0,0 +1,9 @@ +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Make "sudo apt-get update" exit non-zero for transient failures. +## Same as "apt-get --error-on=any". +## https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 +## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594813 +## https://salsa.debian.org/apt-team/apt/-/commit/c7123bea6a8dc2c9e327ce41ddfc25e29f1bb145 +APT::Update::Error-Mode any; From 6607c1e4bd085ee952952e6db17714326df4b7f6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:48:57 -0400 Subject: [PATCH 0430/1650] move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS --- debian/security-misc.postinst | 4 ++-- debian/security-misc.postrm | 4 ++-- debian/security-misc.preinst | 4 ++-- debian/security-misc.prerm | 4 ++-- usr/lib/security-misc/panic-on-oops | 4 ++-- usr/lib/security-misc/remount-secure | 4 ++-- usr/lib/security-misc/remove-system.map | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 7cc831b..616c93b 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -3,8 +3,8 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index 01c9cbb..80a0726 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm 
@@ -3,8 +3,8 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index dccd8b8..6baabd6 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -3,8 +3,8 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 9a1a0ae..d5a120c 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -3,8 +3,8 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e diff --git a/usr/lib/security-misc/panic-on-oops b/usr/lib/security-misc/panic-on-oops index 472a1d1..c0c001b 100755 --- a/usr/lib/security-misc/panic-on-oops +++ b/usr/lib/security-misc/panic-on-oops @@ -5,11 +5,11 @@ set -e -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then ## pre.bsh would `source` the following folders: ## /etc/panic-on-oops_pre.d/*.conf ## /usr/local/etc/panic-on-oops_pre.d/*.conf - source /usr/lib/helper-scripts/pre.bsh + source /usr/libexec/helper-scripts/pre.bsh fi ## Makes the kernel panic on oopses. This prevents the kernel 
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure index 2f3316b..8149148 100755 --- a/usr/lib/security-misc/remount-secure +++ b/usr/lib/security-misc/remount-secure @@ -11,11 +11,11 @@ set -x set -e -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then ## pre.bsh would `source` the following folders: ## /etc/remount-secure_pre.d/*.conf ## /usr/local/etc/remount-secure_pre.d/*.conf - source /usr/lib/helper-scripts/pre.bsh + source /usr/libexec/helper-scripts/pre.bsh fi if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index e7a437b..ea33c8b 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -3,11 +3,11 @@ ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then ## pre.bsh would `source` the following folders: ## /etc/remove-system.map_pre.d/*.conf ## /usr/local/etc/remove-system.map_pre.d/*.conf - source /usr/lib/helper-scripts/pre.bsh + source /usr/libexec/helper-scripts/pre.bsh fi shopt -s nullglob From 4fadaad8c0a79df5996372c05db635d500e41fee Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:52:10 -0400 Subject: [PATCH 0431/1650] lintian FHS --- usr/{lib => libexec}/security-misc/apt-get-update | 0 usr/{lib => libexec}/security-misc/apt-get-update-sanity-test | 0 usr/{lib => libexec}/security-misc/askpass | 0 usr/{lib => libexec}/security-misc/echo-path | 0 usr/{lib => libexec}/security-misc/hide-hardware-info | 0 usr/{lib => libexec}/security-misc/pam-abort-on-locked-password | 0 usr/{lib => libexec}/security-misc/pam_only_if_login | 0 usr/{lib => libexec}/security-misc/pam_tally2-info | 0 usr/{lib => libexec}/security-misc/pam_tally2_not_if_x | 0 usr/{lib => libexec}/security-misc/panic-on-oops | 0 usr/{lib => libexec}/security-misc/permission-hardening | 0 usr/{lib => libexec}/security-misc/permission-hardening-undo | 0 usr/{lib => libexec}/security-misc/permission-lockdown | 0 usr/{lib => libexec}/security-misc/remount-secure | 0 usr/{lib => libexec}/security-misc/remove-system.map | 0 usr/{lib => libexec}/security-misc/virusforget | 0 16 files changed, 0 insertions(+), 0 deletions(-) rename usr/{lib => libexec}/security-misc/apt-get-update (100%) rename usr/{lib => libexec}/security-misc/apt-get-update-sanity-test (100%) rename usr/{lib => libexec}/security-misc/askpass (100%) rename usr/{lib => libexec}/security-misc/echo-path (100%) rename usr/{lib => libexec}/security-misc/hide-hardware-info (100%) rename usr/{lib => libexec}/security-misc/pam-abort-on-locked-password (100%) rename usr/{lib => libexec}/security-misc/pam_only_if_login (100%) rename usr/{lib => libexec}/security-misc/pam_tally2-info (100%) rename usr/{lib => libexec}/security-misc/pam_tally2_not_if_x (100%) rename usr/{lib => libexec}/security-misc/panic-on-oops (100%) rename usr/{lib => libexec}/security-misc/permission-hardening (100%) rename usr/{lib => libexec}/security-misc/permission-hardening-undo (100%) rename usr/{lib => libexec}/security-misc/permission-lockdown (100%) rename usr/{lib => 
libexec}/security-misc/remount-secure (100%) rename usr/{lib => libexec}/security-misc/remove-system.map (100%) rename usr/{lib => libexec}/security-misc/virusforget (100%) diff --git a/usr/lib/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update similarity index 100% rename from usr/lib/security-misc/apt-get-update rename to usr/libexec/security-misc/apt-get-update diff --git a/usr/lib/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test similarity index 100% rename from usr/lib/security-misc/apt-get-update-sanity-test rename to usr/libexec/security-misc/apt-get-update-sanity-test diff --git a/usr/lib/security-misc/askpass b/usr/libexec/security-misc/askpass similarity index 100% rename from usr/lib/security-misc/askpass rename to usr/libexec/security-misc/askpass diff --git a/usr/lib/security-misc/echo-path b/usr/libexec/security-misc/echo-path similarity index 100% rename from usr/lib/security-misc/echo-path rename to usr/libexec/security-misc/echo-path diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info similarity index 100% rename from usr/lib/security-misc/hide-hardware-info rename to usr/libexec/security-misc/hide-hardware-info diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password similarity index 100% rename from usr/lib/security-misc/pam-abort-on-locked-password rename to usr/libexec/security-misc/pam-abort-on-locked-password diff --git a/usr/lib/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login similarity index 100% rename from usr/lib/security-misc/pam_only_if_login rename to usr/libexec/security-misc/pam_only_if_login diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/libexec/security-misc/pam_tally2-info similarity index 100% rename from usr/lib/security-misc/pam_tally2-info rename to usr/libexec/security-misc/pam_tally2-info 
diff --git a/usr/lib/security-misc/pam_tally2_not_if_x b/usr/libexec/security-misc/pam_tally2_not_if_x similarity index 100% rename from usr/lib/security-misc/pam_tally2_not_if_x rename to usr/libexec/security-misc/pam_tally2_not_if_x diff --git a/usr/lib/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops similarity index 100% rename from usr/lib/security-misc/panic-on-oops rename to usr/libexec/security-misc/panic-on-oops diff --git a/usr/lib/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening similarity index 100% rename from usr/lib/security-misc/permission-hardening rename to usr/libexec/security-misc/permission-hardening diff --git a/usr/lib/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo similarity index 100% rename from usr/lib/security-misc/permission-hardening-undo rename to usr/libexec/security-misc/permission-hardening-undo diff --git a/usr/lib/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown similarity index 100% rename from usr/lib/security-misc/permission-lockdown rename to usr/libexec/security-misc/permission-lockdown diff --git a/usr/lib/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure similarity index 100% rename from usr/lib/security-misc/remount-secure rename to usr/libexec/security-misc/remount-secure diff --git a/usr/lib/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map similarity index 100% rename from usr/lib/security-misc/remove-system.map rename to usr/libexec/security-misc/remove-system.map diff --git a/usr/lib/security-misc/virusforget b/usr/libexec/security-misc/virusforget similarity index 100% rename from usr/lib/security-misc/virusforget rename to usr/libexec/security-misc/virusforget From 50bdd097df4c87cd4507311df9c0b14d237c534b Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 3 Aug 2021 12:56:31 -0400 Subject: [PATCH 0432/1650] move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS --- README.md | 12 ++--- debian/security-misc.postinst | 2 +- debian/security-misc.preinst | 2 +- etc/X11/Xsession.d/50panic_on_oops | 4 +- etc/kernel/postinst.d/30_remove-system-map | 4 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 4 +- lib/systemd/system/hide-hardware-info.service | 2 +- .../system/permission-hardening.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- rpm_spec/security-misc.spec.in | 8 +-- usr/bin/pkexec.security-misc | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/pam_tally2_not_if_x | 2 +- .../security-misc/permission-hardening | 2 +- usr/libexec/security-misc/permission-lockdown | 52 +++++++++---------- .../console-lockdown-security-misc | 2 +- ...pam-abort-on-locked-password-security-misc | 2 +- usr/share/pam-configs/tally2-security-misc | 4 +- 20 files changed, 57 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index c14357c..e716c44 100644 --- a/README.md +++ b/README.md @@ -159,7 +159,7 @@ be recovered. See: `/lib/systemd/system/remove-system-map.service` -`/usr/lib/security-misc/remove-system.map` +`/usr/libexec/security-misc/remove-system.map` * Coredumps are disabled as they may contain important information such as encryption keys or passwords. See: @@ -233,7 +233,7 @@ users from using `su` to gain root access or to switch user accounts — that logging in from a virtual console is still possible — `debian/security-misc.postinst` * Abort login for users with locked passwords — -`/usr/lib/security-misc/pam-abort-on-locked-password`. +`/usr/libexec/security-misc/pam-abort-on-locked-password`. * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty `/etc/securetty` file 
@@ -294,8 +294,8 @@ Informational output during Linux PAM: See: * `/usr/share/pam-configs/tally2-security-misc` -* `/usr/lib/security-misc/pam_tally2-info` -* `/usr/lib/security-misc/pam-abort-on-locked-password` +* `/usr/libexec/security-misc/pam_tally2-info` +* `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions @@ -317,7 +317,7 @@ to the installation of this package. See: * `debian/security-misc.postinst` -* `/usr/lib/security-misc/permission-lockdown` +* `/usr/libexec/security-misc/permission-lockdown` * `/usr/share/pam-configs/mkhomedir-security-misc` ### SUID / SGID removal and permission hardening @@ -331,7 +331,7 @@ default for now during testing and can optionally be enabled by running See: -* `/usr/lib/security-misc/permission-hardening` +* `/usr/libexec/security-misc/permission-hardening` * `/lib/systemd/system/permission-hardening.service` * `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 616c93b..cd4bf19 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -43,7 +43,7 @@ esac pam-auth-update --package -/usr/lib/security-misc/permission-lockdown +/usr/libexec/security-misc/permission-lockdown ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 6baabd6..f8c516d 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -16,7 +16,7 @@ true " " user_groups_modifications() { - ## /usr/lib/security-misc/hide-hardware-info + ## /usr/libexec/security-misc/hide-hardware-info addgroup --system sysfs addgroup --system cpuinfo diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops index a43ea39..81d9a9f 100755 --- a/etc/X11/Xsession.d/50panic_on_oops +++ b/etc/X11/Xsession.d/50panic_on_oops 
@@ -3,6 +3,6 @@ ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -x /usr/lib/security-misc/panic-on-oops ]; then - sudo --non-interactive /usr/lib/security-misc/panic-on-oops +if [ -x /usr/libexec/security-misc/panic-on-oops ]; then + sudo --non-interactive /usr/libexec/security-misc/panic-on-oops fi diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index c192b80..acb9786 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -3,6 +3,6 @@ ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if test -x /usr/lib/security-misc/remove-system.map ; then - /usr/lib/security-misc/remove-system.map +if test -x /usr/libexec/security-misc/remove-system.map ; then + /usr/libexec/security-misc/remove-system.map fi diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index b45c2a1..d0d1d35 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? -#%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be ## set. Would otherwise error out with the following error message: diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index d1e41dc..1e4e16b 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc 
@@ -1,5 +1,5 @@
 ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
+user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service
index 8720c98..edc0dc1 100644
--- a/lib/systemd/system/hide-hardware-info.service
+++ b/lib/systemd/system/hide-hardware-info.service
@@ -11,7 +11,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/security-misc/hide-hardware-info
+ExecStart=/usr/libexec/security-misc/hide-hardware-info
 RemainAfterExit=yes
 [Install]
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service
index 607e542..bbe7eca 100644
--- a/lib/systemd/system/permission-hardening.service
+++ b/lib/systemd/system/permission-hardening.service
@@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/permission-hardening
+ExecStart=/usr/libexec/security-misc/permission-hardening
 RemainAfterExit=yes
 [Install]
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
index 83a60ad..518c5ef 100644
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@@ -15,7 +15,7 @@ After=qubes-sysinit.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/security-misc/remount-secure
+ExecStart=/usr/libexec/security-misc/remount-secure
 RemainAfterExit=yes
 [Install]
diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
index 3d0f44c..a0285b4 100644
--- a/lib/systemd/system/remove-system-map.service
+++ b/lib/systemd/system/remove-system-map.service
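Review bot: Both NOPASSWD rules name the command without an argument specification, so `sudo /usr/libexec/security-misc/panic-on-oops <anything>` is allowed password-free for every member of `sudo` and for `user`; whether that is exploitable depends on how the script treats its arguments, which is outside this diff, but the only caller shown, `50panic_on_oops`, invokes it with no arguments, so the rules can be tightened at no cost by appending an empty argument list: `%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops ""` and likewise for the `user` line. The `user ALL=` entry hard-codes an account name next to the group rule; a comment stating why that account needs its own line (presumably it is not in `sudo` on some images) would help the next reader.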
@@ -11,7 +11,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/usr/lib/security-misc/remove-system.map +ExecStart=/usr/libexec/security-misc/remove-system.map RemainAfterExit=yes [Install] diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index 63b6b91..bdc4e61 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -104,10 +104,10 @@ make %{?_smp_mflags} /lib/systemd/coredump.conf.d/disable-coredumps.conf /lib/systemd/system/proc-hidepid.service /lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/apt-get-update -/usr/lib/security-misc/apt-get-update-sanity-test -/usr/lib/security-misc/panic-on-oops -/usr/lib/security-misc/remove-system.map +/usr/libexec/security-misc/apt-get-update +/usr/libexec/security-misc/apt-get-update-sanity-test +/usr/libexec/security-misc/panic-on-oops +/usr/libexec/security-misc/remove-system.map /usr/share/glib-2.0/schemas/30_security-misc.gschema.override /usr/share/lintian/overrides/security-misc /usr/share/pam-configs/usergroups diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 6d0f956..d483f1c 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -122,7 +122,7 @@ else ## This is required for gdebi. ## REVIEW: is it ok that users can find out the PATH setting of root? ## lxqt-sudo does not clear environment variable PATH. - PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" + PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" export PATH lxqt-sudo "$@" || { exit_code=$? ; true; }; fi diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 55f3d1d..489e044 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login 
@@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE" if [ "$PAM_SERVICE" = "login" ]; then ## FIXME: ## Creates unwanted journal log entry. - ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1 + ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1 exit 1 else ## exit success so [success=1 default=ignore] will result in skipping the diff --git a/usr/libexec/security-misc/pam_tally2_not_if_x b/usr/libexec/security-misc/pam_tally2_not_if_x index 1afc024..8534f5a 100755 --- a/usr/libexec/security-misc/pam_tally2_not_if_x +++ b/usr/libexec/security-misc/pam_tally2_not_if_x @@ -37,6 +37,6 @@ done ## next PAM module (the pam_tally2 module). ## ## Causes confusing error message: -## pam_exec(sudo:auth): /usr/lib/security-misc/pam_tally2_not_if_x failed: exit code 1 +## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1 ## https://github.com/linux-pam/linux-pam/issues/329 exit 1 diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index e326c02..33b4f27 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -10,7 +10,7 @@ ## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride ## To undo: -## sudo /usr/lib/security-misc/permission-hardening-undo +## sudo /usr/libexec/security-misc/permission-hardening-undo #set -x set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 607bc83..c1dbaaa 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -4,32 +4,32 @@ ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. -# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" -# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" -# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" -# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" -# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" -# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" -# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" -# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" -# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" -# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" -# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" -# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" -# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" -# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" -# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" -# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" -# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" -# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" 
-# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" -# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" -# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" -# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" -# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" +# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" +# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" +# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" +# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" +# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" +# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" +# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" +# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" +# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" +# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" +# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" +# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx 
"/var/spool/exim4" +# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" +# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" +# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" +# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" +# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" +# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" +# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" +# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { shopt -s nullglob diff --git a/usr/share/pam-configs/console-lockdown-security-misc b/usr/share/pam-configs/console-lockdown-security-misc index 61fec78..df57a85 100644 --- a/usr/share/pam-configs/console-lockdown-security-misc +++ b/usr/share/pam-configs/console-lockdown-security-misc @@ -3,5 +3,5 @@ Default: no Priority: 280 Account-Type: Primary Account: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_login required pam_access.so accessfile=/etc/security/access-security-misc.conf debug diff --git a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc index 7298601..4d2ffa2 100644 --- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc +++ b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc 
@@ -3,4 +3,4 @@ Default: yes Priority: 300 Auth-Type: Primary Auth: - requisite pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password + requisite pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 0b23744..118db41 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,8 +3,8 @@ Default: yes Priority: 290 Auth-Type: Primary Auth: - optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x + optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug Account-Type: Primary Account: From 3756016f42d97c6bf32c9bf5fed02904a63f4a5c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 3 Aug 2021 13:04:34 -0400 Subject: [PATCH 0433/1650] `lintian --suppress-tags obsolete-command-in-modprobe.d-file` https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 --- debian/make-helper-overrides.bsh | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100755 debian/make-helper-overrides.bsh diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh new file mode 100755 index 0000000..58b7bb3 --- /dev/null +++ b/debian/make-helper-overrides.bsh @@ -0,0 +1,7 @@ +#!/bin/bash + +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" 
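Review bot: The new `genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file"` silences the tag for every file in the build rather than for the modprobe.d file(s) that trigger it on purpose, so the same tag on a future file would go unnoticed. The package already ships a lintian overrides file (`/usr/share/lintian/overrides/security-misc` appears in the spec file list earlier on this page), which is where a per-file override with a one-line justification would normally live. If the package-wide suppression is deliberate, a comment next to the assignment such as `## suppressed package-wide on purpose; every file this tag fires on is covered by the forum thread above` would record that decision for the next reader.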
From 6376bbff801f79dbb154611c3ad330b4cd863f69 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Aug 2021 17:03:43 -0400 Subject: [PATCH 0434/1650] bumped changelog version --- changelog.upstream | 80 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 86 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c25b60c..840fd4d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,83 @@ +commit 3756016f42d97c6bf32c9bf5fed02904a63f4a5c +Author: Patrick Schleizer +Date: Tue Aug 3 13:04:34 2021 -0400 + + `lintian --suppress-tags obsolete-command-in-modprobe.d-file` + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 + +commit 50bdd097df4c87cd4507311df9c0b14d237c534b +Author: Patrick Schleizer +Date: Tue Aug 3 12:56:31 2021 -0400 + + move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS + +commit 4fadaad8c0a79df5996372c05db635d500e41fee +Author: Patrick Schleizer +Date: Tue Aug 3 12:52:10 2021 -0400 + + lintian FHS + +commit 6607c1e4bd085ee952952e6db17714326df4b7f6 +Author: Patrick Schleizer +Date: Tue Aug 3 12:48:57 2021 -0400 + + move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS + +commit 0492f28aa10dc93063ff3b46107fa705c5ee0d7e +Author: Patrick Schleizer +Date: Tue Aug 3 12:37:39 2021 -0400 + + enable "`apt-get --error-on=any`" by default + + makes apt exit non-zero for transient failures + + `/etc/apt/apt.conf.d/40error-on-any` + + https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 + +commit 240ec7672a4d513e7e6cca280aca3d67c265d1cc +Author: Patrick Schleizer +Date: Tue Aug 3 12:19:26 2021 -0400 + + replace no longer required `/usr/lib/security-misc/apt-get-wrapper` with `apt-get --error-on=any` + +commit 8eae6356684052415f8bc494db077e033653d971 +Author: Patrick Schleizer +Date: Tue Aug 3 11:51:31 2021 -0400 + + update lintian tag name + +commit 5e3338f8d3ff799a2da4257e24b57bd55541187f +Author: Patrick Schleizer +Date: Tue Aug 3 05:48:25 2021 -0400 + + bullseye + +commit bb3e65f7a80770238bda3733bed89c15a9c76852 +Author: Patrick Schleizer +Date: Tue Aug 3 03:25:35 2021 -0400 + + bullseye + +commit c94281121e20289b718f24c13e399e5e8cac0ebd +Author: Patrick Schleizer +Date: Sun Aug 1 16:37:02 2021 -0400 + + comment + +commit 3599e8e2dabf13ad76901a9c282469f23d4d1308 +Author: Patrick Schleizer 
+Date: Sun Aug 1 16:24:41 2021 -0400 + + readme + +commit 82f3961a7165cc1e778be785950f1a255af43b4f +Author: Patrick Schleizer +Date: Sun Aug 1 13:12:08 2021 -0400 + + bumped changelog version + commit 5a65c35479f267b026c03e195658ef9d98ee519c Author: Patrick Schleizer Date: Sun Aug 1 13:11:18 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 07a1971..d39a3b4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 05 Aug 2021 21:03:43 +0000 + security-misc (3:21.6-1) unstable; urgency=medium * New upstream version (local package). From 2aea74bd715d865f44f91aaab6ca1bf0a00a2b0b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 10 Aug 2021 15:06:04 -0400 Subject: [PATCH 0435/1650] renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc --- usr/libexec/security-misc/{pam_tally2-info => pam-info} | 0 .../security-misc/{pam_tally2_not_if_x => pam_faillock_not_if_x} | 0 .../pam-configs/{tally2-security-misc => faillock-security-misc} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename usr/libexec/security-misc/{pam_tally2-info => pam-info} (100%) rename usr/libexec/security-misc/{pam_tally2_not_if_x => pam_faillock_not_if_x} (100%) rename usr/share/pam-configs/{tally2-security-misc => faillock-security-misc} (100%) diff --git a/usr/libexec/security-misc/pam_tally2-info b/usr/libexec/security-misc/pam-info similarity index 100% rename from usr/libexec/security-misc/pam_tally2-info rename to usr/libexec/security-misc/pam-info 
diff --git a/usr/libexec/security-misc/pam_tally2_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x similarity index 100% rename from usr/libexec/security-misc/pam_tally2_not_if_x rename to usr/libexec/security-misc/pam_faillock_not_if_x diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/faillock-security-misc similarity index 100% rename from usr/share/pam-configs/tally2-security-misc rename to usr/share/pam-configs/faillock-security-misc From 2bf0e7471cbd3b813ce385d994e43e48636f7a0b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 10 Aug 2021 15:11:01 -0400 Subject: [PATCH 0436/1650] port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream --- README.md | 4 ++-- .../pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 20 +++++++++---------- .../security-misc/pam_faillock_not_if_x | 8 ++++---- usr/share/pam-configs/faillock-security-misc | 8 ++++---- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index e716c44..d5c08f8 100644 --- a/README.md +++ b/README.md @@ -282,7 +282,7 @@ See: ## Brute force attack protection -User accounts are locked after 50 failed login attempts using `pam_tally2`. +User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: @@ -294,7 +294,7 @@ Informational output during Linux PAM: See: * `/usr/share/pam-configs/tally2-security-misc` -* `/usr/libexec/security-misc/pam_tally2-info` +* `/usr/libexec/security-misc/pam-info` * `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 9f08e77..d8f1888 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -3,7 +3,7 @@ ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## This is only a usability feature to avoid needlessly bumping pam_tally2 +## This is only a usability feature to avoid needlessly bumping pam_faillock ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 75f65ad..2bb7461 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -43,11 +43,11 @@ fi if [ ! "$(id -u)" = "0" ]; then ## as user "user" - ## /sbin/pam_tally2 -u user - ## pam_tally2: Error opening /var/log/tallylog for update: Permission denied - ## /sbin/pam_tally2: Authentication error + ## /sbin/pam_faillock -u user + ## pam_faillock: Error opening /var/log/tallylog for update: Permission denied + ## /sbin/pam_faillock: Authentication error ## - ## xscreensaver runs as user "user", therefore pam_tally2 cannot function. + ## xscreensaver runs as user "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts @@ -74,9 +74,9 @@ fi # fi ## Using || true to not break read-only disk boot without ro-mode-init or grub-live. -pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true +pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true -if [ "$pam_tally2_output" = "" ]; then +if [ "$pam_faillock_output" = "" ]; then true "$0: no failed login" exit 0 fi @@ -85,11 +85,11 @@ fi #Login Failures Latest failure From #user 0 -pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" +pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)" ## Example: #user 0 -arr=($pam_tally2_output_last_line) +arr=($pam_faillock_output_last_line) user_name="${arr[0]}" failed_login_counter="${arr[1]}" 
@@ -107,7 +107,7 @@ fi deny_line="$(cat /etc/pam.d/common-auth | grep deny=)" ## Example: -#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug +#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug for word in $deny_line ; do if echo "$word" | grep -q "deny=" ; then @@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 - echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 + echo "pam_faillock --quiet -r --user $PAM_USER" >&2 echo "" >&2 echo "$0: However, most likely unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 8534f5a..4f18f03 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE" ## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html ## - Failed dovecot logins should not result in account getting locked. -## - Failed SSH public key authentication attempts do not increase pam_tally2 +## - Failed SSH public key authentication attempts do not increase pam_faillock ## counter for some reason. ## This list can later be extended as needed. pam_service_exclusion_list="dovecot" 
@@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot" for pam_service_exclusion_item in $pam_service_exclusion_list ; do if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then ## exit success so [success=1 default=ignore] will result in skipping the - ## next PAM module (the pam_tally2 module). + ## next PAM module (the pam_faillock module). exit 0 fi done ## exit failure so [success=1 default=ignore] will result in running the -## next PAM module (the pam_tally2 module). +## next PAM module (the pam_faillock module). ## ## Causes confusing error message: -## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1 +## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1 ## https://github.com/linux-pam/linux-pam/issues/329 exit 1 diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-security-misc index 118db41..0f88f53 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-security-misc @@ -3,9 +3,9 @@ Default: yes Priority: 290 Auth-Type: Primary Auth: - optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x - requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug + optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug Account-Type: Primary Account: - requisite pam_tally2.so debug + requisite pam_faillock.so debug From 582492d6d8c5f756be4d809898707cb196c5c765 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 10 Aug 2021 17:13:00 -0400 Subject: [PATCH 0437/1650] port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream --- debian/security-misc.displace | 1 + etc/security/faillock.conf.security-misc | 62 +++++++++++++++++++ .../pam-abort-on-locked-password | 12 +++- usr/libexec/security-misc/pam-info | 49 ++++++++------- usr/share/pam-configs/faillock-security-misc | 6 +- usr/share/pam-configs/faillock2-security-misc | 7 +++ 6 files changed, 107 insertions(+), 30 deletions(-) create mode 100644 etc/security/faillock.conf.security-misc create mode 100644 usr/share/pam-configs/faillock2-security-misc diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 06b6187..b7cba93 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -2,4 +2,5 @@ ## See the file COPYING for copying conditions. /etc/securetty.security-misc +/etc/security/faillock.conf.security-misc /etc/dkms/framework.conf.security-misc diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc new file mode 100644 index 0000000..bb81754 --- /dev/null +++ b/etc/security/faillock.conf.security-misc 
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = 50
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is n seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+# unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index d8f1888..1fc8013 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -22,9 +22,13 @@ if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then exit 3 fi -if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then - true "INFO: Password not locked." -else +password_status_field="$(echo "$passwd_output" | cut -d ' ' -f 2)" + +if [ "$password_status_field" = "P" ]; then + true "$0: INFO: user \"$PAM_USER\" has a usable password." +elif [ "$password_status_field" = "NP" ]; then + true "$0: INFO: user \"$PAM_USER\" has no password." +elif [ "$password_status_field" = "L" ]; then echo "$0: INFO: Password for user \"$PAM_USER\" is locked." if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then @@ -42,6 +46,8 @@ else ## 'exit 1' would be good for usability here because then the user would get ## faster feedback. A new login attempt would not be needlessly delayed. exit 0 +else + echo "$0: INFO: Password status field for user \"$PAM_USER\" could not be parsed. Please report this bug." fi exit 0 diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 2bb7461..1c69845 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
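Review bot: Leaving `unlock_time` and `fail_interval` commented out in the new `faillock.conf.security-misc` changes the lockout semantics compared with the `pam_tally2.so ... deny=50` line it replaces: by the comments in this very file the lock expires on its own after 600 seconds and only failures within a 900-second window count toward `deny = 50`, whereas the old pam_tally2 entry did not auto-unlock unless an `unlock_time` was given, and the unlock instructions in `pam-info` (recovery boot, `faillock --reset`) still describe a persistent lock. If the previous behaviour is intended, set `unlock_time = 0` (documented here as equivalent to `never`) and choose `fail_interval` explicitly instead of inheriting 900; either way the README sentence changed earlier on this page ('locked after 50 failed login attempts') should state the window and expiry. Two typos in the copied comments: a stray `>` in `even_deny_root>` and an unclosed parenthesis in `(the options ... will apply to them.`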
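Review bot: The new `elif` chain in `pam-abort-on-locked-password` recognises only the `P`, `NP` and `L` status values printed by shadow's `passwd -S`; the `passwd` shipped on RPM-based systems (this repository also carries `rpm_spec/security-misc.spec.in`) prints `PS`, `NP` and `LK` as far as I recall, so a locked password there lands in the new `else` branch, prints 'Please report this bug' at every login, and the locked-password short-circuit silently never applies. Accepting both spellings keeps it portable: `elif [ "$password_status_field" = "L" ] || [ "$password_status_field" = "LK" ]; then` (and `PS` next to `P`). The `else` message in the second hunk goes to stdout like the other INFO lines, which matches the `stdout` option on its pam_exec line, so no change there. The `fi` and the final `exit 0` of this if-block are in the second hunk; the script's preamble starts outside both.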
@@ -43,9 +43,9 @@ fi if [ ! "$(id -u)" = "0" ]; then ## as user "user" - ## /sbin/pam_faillock -u user - ## pam_faillock: Error opening /var/log/tallylog for update: Permission denied - ## /sbin/pam_faillock: Authentication error + ## /usr/sbin/faillock -u user + ## faillock: Error opening /var/log/tallylog for update: Permission denied + ## /usr/sbin/faillock: Authentication error ## ## xscreensaver runs as user "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. @@ -53,7 +53,8 @@ if [ ! "$(id -u)" = "0" ]; then ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - true "$0: not started as root, exiting." + ## TODO: echo -> true + echo "$0: not started as root, exiting." exit 0 fi @@ -74,7 +75,7 @@ fi # fi ## Using || true to not break read-only disk boot without ro-mode-init or grub-live. -pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true +pam_faillock_output="$(faillock --user "$PAM_USER")" || true if [ "$pam_faillock_output" = "" ]; then true "$0: no failed login" @@ -82,16 +83,17 @@ if [ "$pam_faillock_output" = "" ]; then fi ## Example: -#Login Failures Latest failure From -#user 0 +## user: +## When Type Source Valid +## 2021-08-10 16:26:33 RHOST V +## 2021-08-10 16:26:54 RHOST V -pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)" -## Example: -#user 0 +pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)" +user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" -arr=($pam_faillock_output_last_line) -user_name="${arr[0]}" -failed_login_counter="${arr[1]}" +pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" + +failed_login_counter=$(( pam_faillock_output_count - 2 )) if [ ! "$PAM_USER" = "$user_name" ]; then echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 
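Review bot: `user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")"` adds a dependency on `str_replace`, which is neither a shell builtin nor a coreutils command; if it is a helper from another package, `pam-info` now fails whenever that helper is not on the PATH `pam_exec` provides, and the same applies to the three `str_replace` calls in the `deny` parsing hunk further down. A parameter expansion does the same job with no external command: `user_name="${pam_faillock_output_first_line%:}"`. `failed_login_counter=$(( pam_faillock_output_count - 2 ))` also counts every record line; if `faillock` lists expired records with `I` instead of `V` in the `Valid` column (the example comment only shows `V`), those are reported here as failures that `pam_faillock` itself no longer counts, so counting only valid records, e.g. `grep -c ' V$'`, would be more faithful. The `## TODO: echo -> true` line leaves a debug message on stdout for every non-root invocation, which callers such as xscreensaver will display.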
@@ -105,19 +107,18 @@ if [ "$failed_login_counter" = "0" ]; then exit 0 fi -deny_line="$(cat /etc/pam.d/common-auth | grep deny=)" -## Example: -#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug +## pam_faillock default +deny=3 -for word in $deny_line ; do - if echo "$word" | grep -q "deny=" ; then - deny="$(echo "$word" | cut -d "=" -f 2)" - break - fi -done +if test -f /etc/security/faillock.conf ; then + deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") + deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + ## Example: + #deny=50 +fi if [[ "$deny" == *[!0-9]* ]]; then - echo "$0: ERROR: deny is not numeric." >&2 + echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2 echo "$0: ERROR: Please report this bug." >&2 echo "" >&2 exit 0 @@ -130,7 +131,7 @@ if [ "$remaining_attempts" -le "0" ]; then echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 - echo "pam_faillock --quiet -r --user $PAM_USER" >&2 + echo "faillock --reset --user $PAM_USER" >&2 echo "" >&2 echo "$0: However, most likely unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-security-misc index 0f88f53..d337690 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-security-misc 
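Review bot: The default `deny=3` assigned before the `if test -f /etc/security/faillock.conf` block is overwritten with an empty string when the file exists but has no uncommented `deny =` line, because the `grep` chain then yields nothing and the `*[!0-9]*` check does not reject an empty value, so the arithmetic further down runs on an empty `deny`. Guard the assignment, e.g. `if [ -n "$deny_line" ]; then deny="$(...)"; fi`, or add `deny="${deny:-3}"` after the block. `grep "deny ="` also misses `deny=50` written without spaces, which `pam_faillock` accepts as far as I know; matching with `grep -E '^[[:space:]]*deny[[:space:]]*='` and taking the text after the first `=` covers both spellings. With more than one matching line `deny` ends up containing a newline and is rejected by the numeric check, which at least fails loudly.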
@@ -1,11 +1,11 @@ -Name: lock accounts after 50 failed authentication attempts (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) Default: yes Priority: 290 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug + required pam_faillock.so preauth Account-Type: Primary Account: - requisite pam_faillock.so debug + requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc new file mode 100644 index 0000000..f5eb508 --- /dev/null +++ b/usr/share/pam-configs/faillock2-security-misc @@ -0,0 +1,7 @@ +Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) +Default: yes +Priority: 245 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail + sufficient pam_faillock.so authsucc From 8676beef90040bdf0782e0a9c683c6463ddb48b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 10 Aug 2021 18:26:32 -0400 Subject: [PATCH 0438/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 840fd4d..dff6e9f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
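Review bot: The `[success=1 default=ignore] pam_exec.so ... pam_faillock_not_if_x` skip in `faillock-security-misc` now only jumps over `required pam_faillock.so preauth`, while the failure is actually recorded by the new `[default=die] pam_faillock.so authfail` line in `faillock2-security-misc` (the new file in this commit), which has no such guard; the exclusion that `pam_faillock_not_if_x` documents earlier on this page ('Failed dovecot logins should not result in account getting locked') therefore no longer stops the counter from growing, it only bypasses the pre-auth lock check. Part 2 needs the same exclusion in front of `authfail`, with `success=2` so that both `authfail` and `authsucc` are skipped: `[success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x`. `Priority: 245` presumably sorts part 2 after the `pam_unix` profile so that `authfail` only runs when the password check failed; a comment such as `## Priority 245: must sort after the pam_unix profile (256) so authfail/authsucc see its result` would make that ordering dependency visible.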
@@ -1,3 +1,33 @@ +commit 582492d6d8c5f756be4d809898707cb196c5c765 +Author: Patrick Schleizer +Date: Tue Aug 10 17:13:00 2021 -0400 + + port from pam_tally2 to pam_faillock + + since pam_tally2 was deprecated upstream + +commit 2bf0e7471cbd3b813ce385d994e43e48636f7a0b +Author: Patrick Schleizer +Date: Tue Aug 10 15:11:01 2021 -0400 + + port from pam_tally2 to pam_faillock + + since pam_tally2 was deprecated upstream + +commit 2aea74bd715d865f44f91aaab6ca1bf0a00a2b0b +Author: Patrick Schleizer +Date: Tue Aug 10 15:06:04 2021 -0400 + + renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info + renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x + renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc + +commit 6376bbff801f79dbb154611c3ad330b4cd863f69 +Author: Patrick Schleizer +Date: Thu Aug 5 17:03:43 2021 -0400 + + bumped changelog version + commit 3756016f42d97c6bf32c9bf5fed02904a63f4a5c Author: Patrick Schleizer Date: Tue Aug 3 13:04:34 2021 -0400 diff --git a/debian/changelog b/debian/changelog index d39a3b4..cc014ba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Aug 2021 22:26:32 +0000 + security-misc (3:21.7-1) unstable; urgency=medium * New upstream version (local package). From 7d73b3ffa0bf13ba78debfb7f099758b0d0fbef3 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 17 Aug 2021 15:21:26 -0400 Subject: [PATCH 0439/1650] add hardened malloc compatibility for haveged workaround `/lib/systemd/system/haveged.service.d/30_security-misc.conf` `SystemCallFilter=getrandom` Otherwise haveged will exit with a core dump. --- lib/systemd/system/haveged.service.d/30_security-misc.conf | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 lib/systemd/system/haveged.service.d/30_security-misc.conf diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/lib/systemd/system/haveged.service.d/30_security-misc.conf new file mode 100644 index 0000000..7193a02 --- /dev/null +++ b/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -0,0 +1,7 @@ +## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Service] +## hardened malloc compatibility +## Otherwise haveged will exit with a core dump. +SystemCallFilter=getrandom From 08adf4a07d97940ef924f53863ec4aa62f88fb04 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 17 Aug 2021 15:23:49 -0400 Subject: [PATCH 0440/1650] readme --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index d5c08f8..b2c4736 100644 --- a/README.md +++ b/README.md @@ -389,6 +389,11 @@ information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by executing `systemctl enable hide-hardware-info.service` as root. +## miscellaneous + +* hardened malloc compatibility for haveged workaround +`/lib/systemd/system/haveged.service.d/30_security-misc.conf` + ## Related * Linux Kernel Runtime Guard (LKRG) From ef2b067c0385dbae7b16bc79a10582995d8ba5fe Mon Sep 17 00:00:00 2001 
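Review bot: `SystemCallFilter=getrandom` is a positive list, and a positive `SystemCallFilter=` standing alone is an allow-list that terminates the process on any syscall not listed, so this drop-in only does what the comment says because the upstream haveged unit already carries an allow-list filter into which the drop-in is merged (I believe Debian's unit uses `@system-service`; it is not visible here). If upstream ever drops or resets its filter, this line alone would leave haveged permitted little beyond `getrandom` and reproduce the crash it is meant to fix. Suggest recording that dependency next to the directive: `## Merged into the allow-list already set by the upstream unit; on its own this line would be a restrictive allow-list.`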
From: Patrick Schleizer Date: Tue, 17 Aug 2021 15:24:12 -0400 Subject: [PATCH 0441/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index dff6e9f..a940395 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 08adf4a07d97940ef924f53863ec4aa62f88fb04 +Author: Patrick Schleizer +Date: Tue Aug 17 15:23:49 2021 -0400 + + readme + +commit 7d73b3ffa0bf13ba78debfb7f099758b0d0fbef3 +Author: Patrick Schleizer +Date: Tue Aug 17 15:21:26 2021 -0400 + + add hardened malloc compatibility for haveged workaround + + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` + + `SystemCallFilter=getrandom` + + Otherwise haveged will exit with a core dump. + +commit 8676beef90040bdf0782e0a9c683c6463ddb48b5 +Author: Patrick Schleizer +Date: Tue Aug 10 18:26:32 2021 -0400 + + bumped changelog version + commit 582492d6d8c5f756be4d809898707cb196c5c765 Author: Patrick Schleizer Date: Tue Aug 10 17:13:00 2021 -0400 diff --git a/debian/changelog b/debian/changelog index cc014ba..bba189e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:21.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 17 Aug 2021 19:24:12 +0000 + security-misc (3:21.8-1) unstable; urgency=medium * New upstream version (local package). From db43cedcfdf918556ae3989209a4d984527a6416 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Aug 2021 05:23:24 -0400 Subject: [PATCH 0442/1650] LANG=C str_replace --- etc/default/grub.d/40_kernel_hardening.cfg | 4 ++-- usr/libexec/security-misc/pam-info | 4 ++-- usr/libexec/security-misc/remount-secure | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index da609a4..64d85a7 100644 
--- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -62,9 +62,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## Prevent kernel info leaks in console during boot. ## https://phabricator.whonix.org/T950 -## str_replace is provided by package helper-scripts. +## LANG=C str_replace is provided by package helper-scripts. ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" ## Restrict access to debugfs since it can contain a lot of sensitive information. diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 1c69845..eef5733 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -89,7 +89,7 @@ fi ## 2021-08-10 16:26:54 RHOST V pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)" -user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" +user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" @@ -112,7 +112,7 @@ deny=3 if test -f /etc/security/faillock.conf ; then deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") - deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" ## Example: #deny=50 fi diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 8149148..ae41e79 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure 
@@ -55,8 +55,8 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - ## str_replace is provided by package helper-scripts. - mount_folder="$(echo "${status_file_name}" | str_replace "_" "/")" + ## LANG=C str_replace is provided by package helper-scripts. + mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" ## example mount_folder: ## /home From 224ae730c13f4add672fffaf58206eeb7ae24090 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Aug 2021 05:32:18 -0400 Subject: [PATCH 0443/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a940395..117a69c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit db43cedcfdf918556ae3989209a4d984527a6416 +Author: Patrick Schleizer +Date: Sun Aug 22 05:23:24 2021 -0400 + + LANG=C str_replace + +commit ef2b067c0385dbae7b16bc79a10582995d8ba5fe +Author: Patrick Schleizer +Date: Tue Aug 17 15:24:12 2021 -0400 + + bumped changelog version + commit 08adf4a07d97940ef924f53863ec4aa62f88fb04 Author: Patrick Schleizer Date: Tue Aug 17 15:23:49 2021 -0400 diff --git a/debian/changelog b/debian/changelog index bba189e..618348c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Aug 2021 09:32:18 +0000 + security-misc (3:21.9-1) unstable; urgency=medium * New upstream version (local package). From 8b104f544a9e4e8da1691659fefa4999a4f6f085 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Sep 2021 15:45:36 -0400 Subject: [PATCH 0444/1650] fix, add sshd to pam_service_exclusion_list to avoid faillock --- usr/libexec/security-misc/pam_faillock_not_if_x | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
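Review bot: The `_`-to-`/` mapping on the new `mount_folder=` line is lossy: a mount point whose own path contains an underscore (say a directory named `foo_bar`) comes back as `foo/bar`, so a status file can be attributed to the wrong folder. Only the reading side is visible here, so I cannot tell whether the writer escapes underscores; if it does not, a reversible encoding such as `systemd-escape --path` / `systemd-escape --unescape --path`, or storing the original path inside the status file, would remove the ambiguity, and the `## example mount_folder:` comment should state the limitation either way. `remount_secure()` begins outside this hunk.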
diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 4f18f03..26cbc43 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -19,11 +19,9 @@ true "PAM_SERVICE: $PAM_SERVICE" ## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains." ## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html -## - Failed dovecot logins should not result in account getting locked. -## - Failed SSH public key authentication attempts do not increase pam_faillock -## counter for some reason. +## - Failed dovecot ssh logins from malicious remotes should not result in account getting locked. ## This list can later be extended as needed. -pam_service_exclusion_list="dovecot" +pam_service_exclusion_list="dovecot sshd" for pam_service_exclusion_item in $pam_service_exclusion_list ; do if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then From be8c10496f26d33378deb2427e56892771456ee5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Sep 2021 15:55:53 -0400 Subject: [PATCH 0445/1650] fix faillock implementation dovecot / ssh are exempted --- usr/share/pam-configs/faillock2-security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc index f5eb508..7bc5fb7 100644 --- a/usr/share/pam-configs/faillock2-security-misc +++ b/usr/share/pam-configs/faillock2-security-misc @@ -3,5 +3,6 @@ Default: yes Priority: 245 Auth-Type: Primary Auth: + [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x [default=die] pam_faillock.so authfail sufficient pam_faillock.so authsucc From 3c64ec8f917ed1237454d1526647a84bf00c9e83 Mon Sep 17 00:00:00 2001 
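Review bot: Adding `sshd` to `pam_service_exclusion_list` removes the lockout threshold from SSH entirely, so failed remote password logins are no longer counted by pam_faillock; the rewritten comment gives the motivation (remote lockout denial of service) but not the compensating control the host now relies on. Suggest stating it: `## - sshd is exempted to prevent remote lockout; brute-force resistance for SSH must come from sshd itself (key-only authentication, MaxAuthTries) or a rate limiter, not from faillock.` The dropped sentence about public-key attempts not incrementing the counter is still useful if it holds, since it explains why the exemption costs little on key-only hosts. The `for pam_service_exclusion_item` loop continues outside the hunk.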
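Review bot: In `faillock2-security-misc`, `[success=2 default=ignore]` hard-codes the number of lines to jump, so inserting anything between the new `pam_exec.so` line and `sufficient pam_faillock.so authsucc` silently changes which services are exempt. The jump also skips `authsucc`, meaning a successful login through an exempted service (dovecot, sshd) does not reset an existing failure count for that user; if that is intended it should be written down. The profile format does not obviously allow inline comments, so the README sentence describing this profile is the place to note both the skip count and the no-reset behaviour.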
From: Patrick Schleizer Date: Thu, 2 Sep 2021 14:36:53 -0400 Subject: [PATCH 0446/1650] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 117a69c..c06babf 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit be8c10496f26d33378deb2427e56892771456ee5 +Author: Patrick Schleizer +Date: Wed Sep 1 15:55:53 2021 -0400 + + fix faillock implementation + + dovecot / ssh are exempted + +commit 8b104f544a9e4e8da1691659fefa4999a4f6f085 +Author: Patrick Schleizer +Date: Wed Sep 1 15:45:36 2021 -0400 + + fix, add sshd to pam_service_exclusion_list + + to avoid faillock + +commit 224ae730c13f4add672fffaf58206eeb7ae24090 +Author: Patrick Schleizer +Date: Sun Aug 22 05:32:18 2021 -0400 + + bumped changelog version + commit db43cedcfdf918556ae3989209a4d984527a6416 Author: Patrick Schleizer Date: Sun Aug 22 05:23:24 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 618348c..1d123f1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 02 Sep 2021 18:36:53 +0000 + security-misc (3:22.0-1) unstable; urgency=medium * New upstream version (local package). From e2810f348b413bb307449a911c12a46924686a9f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 4 Sep 2021 11:50:31 -0400 Subject: [PATCH 0447/1650] Depends: libpam-modules-bin --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 07744a7..0a1e11b 100644 --- a/debian/control +++ b/debian/control 
@@ -15,7 +15,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, ${misc:Depends} + apparmor-profile-dist, helper-scripts, libpam-modules-bin, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings https://github.com/Whonix/security-misc/blob/master/README.md From 1a10293b0408a4197620ce78cffb62cb8c00908c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 4 Sep 2021 12:00:55 -0400 Subject: [PATCH 0448/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c06babf..a4db3c0 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit e2810f348b413bb307449a911c12a46924686a9f +Author: Patrick Schleizer +Date: Sat Sep 4 11:50:31 2021 -0400 + + Depends: libpam-modules-bin + +commit 3c64ec8f917ed1237454d1526647a84bf00c9e83 +Author: Patrick Schleizer +Date: Thu Sep 2 14:36:53 2021 -0400 + + bumped changelog version + commit be8c10496f26d33378deb2427e56892771456ee5 Author: Patrick Schleizer Date: Wed Sep 1 15:55:53 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 1d123f1..e4f3b97 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 04 Sep 2021 16:00:55 +0000 + security-misc (3:22.1-1) unstable; urgency=medium * New upstream version (local package). From a4e18a2ae8c19a664bb1be5bc4ec43f10a876969 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 4 Sep 2021 18:28:37 -0400 Subject: [PATCH 0449/1650] `dracut` `reproducible=yes` --- README.md | 2 ++ etc/dracut.conf.d/30-security-misc.conf | 1 + 2 files changed, 3 insertions(+) create mode 100644 etc/dracut.conf.d/30-security-misc.conf diff --git a/README.md b/README.md index b2c4736..0335f8b 100644 --- a/README.md +++ b/README.md @@ -394,6 +394,8 @@ executing `systemctl enable hide-hardware-info.service` as root. * hardened malloc compatibility for haveged workaround `/lib/systemd/system/haveged.service.d/30_security-misc.conf` +* set `dracut` `reproducible=yes` setting + ## Related * Linux Kernel Runtime Guard (LKRG) diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf new file mode 100644 index 0000000..ce80509 --- /dev/null +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -0,0 +1 @@ +reproducible=yes From 1b09d5671829c51bd17f44410d4122b6de7aa6e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 4 Sep 2021 18:29:00 -0400 Subject: [PATCH 0450/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a4db3c0..f37eb96 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a4e18a2ae8c19a664bb1be5bc4ec43f10a876969 +Author: Patrick Schleizer +Date: Sat Sep 4 18:28:37 2021 -0400 + + `dracut` `reproducible=yes` + +commit 1a10293b0408a4197620ce78cffb62cb8c00908c +Author: Patrick Schleizer +Date: Sat Sep 4 12:00:55 2021 -0400 + + bumped changelog version + commit e2810f348b413bb307449a911c12a46924686a9f Author: Patrick Schleizer Date: Sat Sep 4 11:50:31 2021 -0400 diff --git a/debian/changelog b/debian/changelog index e4f3b97..3a784aa 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:22.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 04 Sep 2021 22:29:00 +0000 + security-misc (3:22.2-1) unstable; urgency=medium * New upstream version (local package). From 6257bfa926f960b3b772dd528fe6004f81d990ea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Sep 2021 15:54:20 -0400 Subject: [PATCH 0451/1650] debugging --- etc/dracut.conf.d/30-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index ce80509..189751c 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1 +1,4 @@ reproducible=yes + +## Debugging. +show_modules=yes From a67d1754d459a221930cb92754b51bec348f8035 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Sep 2021 16:04:28 -0400 Subject: [PATCH 0452/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f37eb96..0c142c5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 6257bfa926f960b3b772dd528fe6004f81d990ea +Author: Patrick Schleizer +Date: Sun Sep 5 15:54:20 2021 -0400 + + debugging + +commit 1b09d5671829c51bd17f44410d4122b6de7aa6e9 +Author: Patrick Schleizer +Date: Sat Sep 4 18:29:00 2021 -0400 + + bumped changelog version + commit a4e18a2ae8c19a664bb1be5bc4ec43f10a876969 Author: Patrick Schleizer Date: Sat Sep 4 18:28:37 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 3a784aa..f7d2b47 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:22.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Sep 2021 20:04:28 +0000 + security-misc (3:22.3-1) unstable; urgency=medium * New upstream version (local package). From f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Sep 2021 04:55:16 -0400 Subject: [PATCH 0453/1650] debugging --- etc/dracut.conf.d/30-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 189751c..90c7698 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,4 +1,4 @@ reproducible=yes ## Debugging. -show_modules=yes +#show_modules=yes From bb3a3178f17d1b882f38ba18db7835833f758805 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Sep 2021 04:55:23 -0400 Subject: [PATCH 0454/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0c142c5..3da4121 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 +Author: Patrick Schleizer +Date: Mon Sep 6 04:55:16 2021 -0400 + + debugging + +commit a67d1754d459a221930cb92754b51bec348f8035 +Author: Patrick Schleizer +Date: Sun Sep 5 16:04:28 2021 -0400 + + bumped changelog version + commit 6257bfa926f960b3b772dd528fe6004f81d990ea Author: Patrick Schleizer Date: Sun Sep 5 15:54:20 2021 -0400 diff --git a/debian/changelog b/debian/changelog index f7d2b47..9592c16 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:22.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Sep 2021 08:55:23 +0000 + security-misc (3:22.4-1) unstable; urgency=medium * New upstream version (local package). From 49902b8c56512c3ee8b3d16b0ca513e44349c66d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Sep 2021 08:19:41 -0400 Subject: [PATCH 0455/1650] move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg --- etc/default/grub.d/40_kernel_hardening.cfg | 7 ------- etc/default/grub.d/41_quiet.cfg | 9 +++++++++ 2 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 etc/default/grub.d/41_quiet.cfg diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 64d85a7..a7b0eec 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -60,13 +60,6 @@ fi ## https://github.com/anthraxx/linux-hardened GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 -## LANG=C str_replace is provided by package helper-scripts. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" - ## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 ## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg new file mode 100644 index 0000000..ffe8883 --- /dev/null +++ b/etc/default/grub.d/41_quiet.cfg 
@@ -0,0 +1,9 @@ +## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 +## LANG=C str_replace is provided by package helper-scripts. +## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" From ac0c492663b9d90f99e5969193b35b53d4175d1d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Sep 2021 08:22:55 -0400 Subject: [PATCH 0456/1650] do not set kernel parameter `quiet loglevel=0` for recovery boot option for easier debugging --- etc/default/grub.d/41_quiet.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index ffe8883..9e6e65a 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -6,4 +6,4 @@ ## LANG=C str_replace is provided by package helper-scripts. ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX quiet loglevel=0" From d16d9a545502af1ec25a165a27bdbc1033b97d59 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Sep 2021 09:46:20 -0400 Subject: [PATCH 0457/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3da4121..899af1b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
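Review bot: `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` silently empties the variable if `str_replace` is not on PATH when grub-mkconfig sources this file: the pipeline fails, the substitution expands to nothing and every default kernel parameter is lost, not just `quiet`. The package depends on helper-scripts so this mostly affects anyone reusing the file, but the guard is cheap: `if command -v str_replace >/dev/null 2>&1 ; then` / `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` / `fi`. Note also that the replacement removes the substring `quiet` wherever it occurs, not only as a whole parameter; if that matters for other parameters in use, a word-aware removal is needed.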
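Review bot: The new line `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX quiet loglevel=0"` expands `GRUB_CMDLINE_LINUX` instead of `GRUB_CMDLINE_LINUX_DEFAULT`, so the value just stripped of `quiet` on the line above is discarded and the default boot entry receives a second copy of every parameter accumulated in `GRUB_CMDLINE_LINUX` by `40_kernel_hardening.cfg`. The recovery entry is left alone, which is the stated goal, but the default entry loses its own parameters. The intended line is `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0"`; a later commit in this series (d62bbaab, "fix, unduplicate kernel command line") makes exactly that correction.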
@@ -1,3 +1,23 @@ +commit ac0c492663b9d90f99e5969193b35b53d4175d1d +Author: Patrick Schleizer +Date: Mon Sep 6 08:22:55 2021 -0400 + + do not set kernel parameter `quiet loglevel=0` for recovery boot option + + for easier debugging + +commit 49902b8c56512c3ee8b3d16b0ca513e44349c66d +Author: Patrick Schleizer +Date: Mon Sep 6 08:19:41 2021 -0400 + + move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg + +commit bb3a3178f17d1b882f38ba18db7835833f758805 +Author: Patrick Schleizer +Date: Mon Sep 6 04:55:23 2021 -0400 + + bumped changelog version + commit f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 Author: Patrick Schleizer Date: Mon Sep 6 04:55:16 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 9592c16..51a5d87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Sep 2021 13:46:20 +0000 + security-misc (3:22.5-1) unstable; urgency=medium * New upstream version (local package). From bd31b4085c853d8b182e3a13534827a695f5493a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 9 Sep 2021 12:16:18 -0400 Subject: [PATCH 0458/1650] remove Debian buster support in /etc/default/grub.d --- etc/default/grub.d/40_kernel_hardening.cfg | 28 +++++----------------- 1 file changed, 6 insertions(+), 22 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index a7b0eec..e1216ac 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -9,26 +9,12 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -if dpkg --compare-versions "$kver" ge "5.3"; then - ## Enables sanity checks (F) and redzoning (Z). - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" +## Enables sanity checks (F) and redzoning (Z). +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" - #echo "## $kver grater or equal 5.3: yes" - ## Zero memory at allocation and free time. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" -else - #echo "## $kver grater or equal 5.3: no" - ## SLUB poisoning and page poisoning is used if the kernel - ## does not yet support init_on_{,alloc,free}. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" - - if command -v "qubesdb-read" >/dev/null 2>&1 ; then - ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 - true "skip adding page_poison=1 in Qubes" - else - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" - fi -fi +echo "## $kver grater or equal 5.3: yes" +## Zero memory at allocation and free time. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" ## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" @@ -40,9 +26,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Enables page allocator freelist randomization. -if dpkg --compare-versions "${kver}" ge "5.2"; then - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -fi +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enables kernel lockdown. ## From 64e9f0016aa5804740a099890a5ef648dde07883 Mon Sep 17 00:00:00 2001 
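Review bot: The new block promotes the previously commented `#echo "## $kver grater or equal 5.3: yes"` to a live `echo`, now unconditional since the version check is gone; this file is sourced by grub-mkconfig, so the text goes to that process's stdout rather than staying a comment. It should be dropped or re-commented, which a later commit in this series (c72567d, "fix") does by deleting it, after which `kver` (computed at the top of the file per the hunk header) is no longer used at all. Removing the `dpkg --compare-versions` guards also means `init_on_alloc=1 init_on_free=1` and `page_alloc.shuffle=1` are passed regardless of the running kernel; the kernel does not reject unknown parameters, so on an older kernel the hardening is silently absent, which deserves a one-line comment where the guard used to be, e.g. `## Requires Linux 5.3 or newer; older kernels ignore these parameters without error.`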
From: Patrick Schleizer Date: Thu, 9 Sep 2021 12:35:37 -0400 Subject: [PATCH 0459/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 899af1b..48830f8 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit bd31b4085c853d8b182e3a13534827a695f5493a +Author: Patrick Schleizer +Date: Thu Sep 9 12:16:18 2021 -0400 + + remove Debian buster support in /etc/default/grub.d + +commit d16d9a545502af1ec25a165a27bdbc1033b97d59 +Author: Patrick Schleizer +Date: Mon Sep 6 09:46:20 2021 -0400 + + bumped changelog version + commit ac0c492663b9d90f99e5969193b35b53d4175d1d Author: Patrick Schleizer Date: Mon Sep 6 08:22:55 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 51a5d87..d5dbc1c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 09 Sep 2021 16:35:37 +0000 + security-misc (3:22.6-1) unstable; urgency=medium * New upstream version (local package). From fb0540650c26689165b2fd0558b87ef7c3154a6e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 11 Sep 2021 16:33:14 -0400 Subject: [PATCH 0460/1650] readme --- README_generic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_generic.md b/README_generic.md index 3c3ac48..0cd2541 100644 --- a/README_generic.md +++ b/README_generic.md 
@@ -21,13 +21,13 @@ Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_ 2\. Add Whonix's signing key. ``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc +sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc ``` 3\. Add Whonix's APT repository. ``` -echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. From d62bbaab82a33a485a82d42d8db5674d200a1c3d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Sep 2021 11:40:58 -0400 Subject: [PATCH 0461/1650] fix, unduplicate kernel command line --- etc/default/grub.d/41_quiet.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index 9e6e65a..7f70a54 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -6,4 +6,4 @@ ## LANG=C str_replace is provided by package helper-scripts. ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX quiet loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" From 03276fbec502df9e9fc228a0c05f3c85fd1483af Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Sep 2021 11:57:20 -0400 Subject: [PATCH 0462/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 48830f8..d86fb10 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit d62bbaab82a33a485a82d42d8db5674d200a1c3d +Author: Patrick Schleizer +Date: Sun Sep 12 11:40:58 2021 -0400 + + fix, unduplicate kernel command line + +commit fb0540650c26689165b2fd0558b87ef7c3154a6e +Author: Patrick Schleizer +Date: Sat Sep 11 16:33:14 2021 -0400 + + readme + +commit 64e9f0016aa5804740a099890a5ef648dde07883 +Author: Patrick Schleizer +Date: Thu Sep 9 12:35:37 2021 -0400 + + bumped changelog version + commit bd31b4085c853d8b182e3a13534827a695f5493a Author: Patrick Schleizer Date: Thu Sep 9 12:16:18 2021 -0400 diff --git a/debian/changelog b/debian/changelog index d5dbc1c..e7b402b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Sep 2021 15:57:20 +0000 + security-misc (3:22.7-1) unstable; urgency=medium * New upstream version (local package). From c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Sep 2021 14:18:44 -0400 Subject: [PATCH 0463/1650] fix --- etc/default/grub.d/40_kernel_hardening.cfg | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e1216ac..1c594f6 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -12,7 +12,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Enables sanity checks (F) and redzoning (Z). GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -echo "## $kver grater or equal 5.3: yes" ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" From 96026a5e90a56cade2dff5f3dfc3687687e92c56 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 14 Sep 2021 14:18:52 -0400 Subject: [PATCH 0464/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d86fb10..bcc9be3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 +Author: Patrick Schleizer +Date: Tue Sep 14 14:18:44 2021 -0400 + + fix + +commit 03276fbec502df9e9fc228a0c05f3c85fd1483af +Author: Patrick Schleizer +Date: Sun Sep 12 11:57:20 2021 -0400 + + bumped changelog version + commit d62bbaab82a33a485a82d42d8db5674d200a1c3d Author: Patrick Schleizer Date: Sun Sep 12 11:40:58 2021 -0400 diff --git a/debian/changelog b/debian/changelog index e7b402b..b54eff4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:22.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Sep 2021 18:18:52 +0000 + security-misc (3:22.8-1) unstable; urgency=medium * New upstream version (local package). From 060d7d890a0292addaa1e85bb1b2ff7eece23378 Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Fri, 8 Oct 2021 22:11:58 -0400 Subject: [PATCH 0465/1650] hide-hardware-info: re-enable restrictions on sysfs when using SELinux When using SELinux, restrict the parts of sysfs explicitly to ensure restrictions are working as expected. --- usr/libexec/security-misc/hide-hardware-info | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 59850ae..bd76367 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -88,6 +88,16 @@ done
 ## properly
 if [ -d /sys/fs/selinux ]; then
 if [ "${selinux}" = "1" ]; then
+ ## restrict permissions on everything but
+ ## what is needed
+ for i in /sys/* /sys/fs/*
+ do
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}"
+ else
+ chmod og-rwx "${i}"
+ fi
+ done
 chmod o+rx /sys /sys/fs /sys/fs/selinux
 echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
 else
From 4172232eb75aaca301e51529e49df76ca86b93b3 Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Fri, 8 Oct 2021 22:17:12 -0400 Subject: [PATCH 0466/1650] hide-hardware-info: make indentation consistent
---
 usr/libexec/security-misc/hide-hardware-info | 32 ++++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index bd76367..45bddb8 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
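Review bot: In the non-whitelist branch the new loop runs `chmod og-rwx` on `/sys`, `/sys/fs` and `/sys/fs/selinux` (they are all matched by `/sys/*` and `/sys/fs/*`), but the existing restore line below it is only `chmod o+rx`, so group ends up with less access than other on exactly the directories the branch is trying to re-open; if that asymmetry is deliberate it needs a comment, otherwise `chmod og+rx /sys /sys/fs /sys/fs/selinux` keeps the two branches symmetric. As a matter of style the `sysfs_whitelist` test is re-evaluated on every iteration although it cannot change inside the loop; pick the mode once (`if [ "${sysfs_whitelist}" = "1" ]; then mode=o-rwx; else mode=og-rwx; fi`) and reduce the body to `chmod "${mode}" "${i}"`. None of the `chmod` results are checked, so unless the script runs under `set -e` (not visible in this hunk) a failed call leaves the restrictions partially applied with no message. The enclosing `if [ -d /sys/fs/selinux ]` block continues past the end of the hunk.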
@@ -87,20 +87,20 @@ done ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then - if [ "${selinux}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* - do - if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" - else - chmod og-rwx "${i}" - fi - done - chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." - fi + if [ "${selinux}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* + do + if [ "${sysfs_whitelist}" = "1" ]; then + chmod o-rwx "${i}" + else + chmod og-rwx "${i}" + fi + done + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi fi From 356232677a036cd1a673d805caa4d74a327ea096 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 9 Nov 2021 14:32:33 -0500 Subject: [PATCH 0467/1650] readme --- README_generic.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README_generic.md b/README_generic.md index 0cd2541..e77e0d4 100644 --- a/README_generic.md +++ b/README_generic.md 
@@ -10,21 +10,21 @@ Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296 ## How to install `security-misc` using apt-get ## -1\. Download Whonix's Signing Key. +1\. Download the APT Signing Key. ``` -wget https://www.whonix.org/patrick.asc +wget https://www.whonix.org/derivative.asc ``` Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. -2\. Add Whonix's signing key. +2\. Add the APT Signing Key.. ``` sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc ``` -3\. Add Whonix's APT repository. +3\. Add the derivative repository. ``` echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list From 4f6f588fb53d2756d867ac7e29fb42f4f8fdb335 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Feb 2022 13:44:55 -0500 Subject: [PATCH 0468/1650] fix, skip deletion of system.map files on read-only filesystems This is required for Qubes /lib/modules read-only implementation at time of writing. Thanks to @marmarek for the bug report! https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 --- usr/libexec/security-misc/remove-system.map | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index ea33c8b..30fd790 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map 
@@ -26,9 +26,14 @@ fi
 ## Removes the System.map files as they are only used for debugging or malware.
 for filename in ${system_map_location} ; do
 if [ -f "$(unknown)" ]; then
- ## 'shred' with '--verbose' is too chatty. (7 lines)
- shred --force --zero -u "$(unknown)"
- echo "removed '$(unknown)'"
+ if [ -w "$(unknown)" ]; then
+ ## 'shred' with '--verbose' is too chatty. (7 lines)
+ shred --force --zero -u "$(unknown)"
+ echo "removed '$(unknown)'"
+ else
+ echo "Cannot delete '$(unknown)' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map"
+ exit 0
+ fi
 fi
 done
From b0a0004a85387a4f7520a688f6d2a9826d8e68fb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Feb 2022 13:47:10 -0500 Subject: [PATCH 0469/1650] output
---
 usr/libexec/security-misc/remove-system.map | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map
index 30fd790..d722e15 100755
--- a/usr/libexec/security-misc/remove-system.map
+++ b/usr/libexec/security-misc/remove-system.map
@@ -20,7 +20,7 @@ for filename in ${system_map_location} ; do
 done
 if [ "$counter" -ge "1" ]; then
- echo "Deleting system.map files..."
+ echo "INFO: Deleting system.map files..."
 fi
 ## Removes the System.map files as they are only used for debugging or malware.
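Review bot: The new read-only branch ends in `exit 0`, which aborts the whole script at the first System.map that cannot be written, so any later entry in `${system_map_location}` that sits on a writable filesystem is silently left in place and the summary printed after the loop never runs; `continue` is the control flow that matches the commit's stated intent of "skipping" such files, i.e. replace `exit 0` with `continue`. The `[ -w ]` test is a reasonable proxy for a read-only mount even when running as root (the kernel reports EROFS for W_OK regardless of privilege), but it is also false for other reasons such as immutable-attribute or mount-option quirks, so the message would be more honest as "not writable" than asserting "read-only". The unquoted `for filename in ${system_map_location}` relies on word splitting and is pre-existing, but it is the reason the loop can visit several files and why the early exit matters.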
@@ -29,14 +29,14 @@ for filename in ${system_map_location} ; do if [ -w "$(unknown)" ]; then ## 'shred' with '--verbose' is too chatty. (7 lines) shred --force --zero -u "$(unknown)" - echo "removed '$(unknown)'" + echo "INFO: removed '$(unknown)'" else - echo "Cannot delete '$(unknown)' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map" + echo "NOTE: Cannot delete '$(unknown)' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map" exit 0 fi fi done if [ "$counter" -ge "1" ]; then - echo "Done. Success." + echo "INFO: Done. Success." fi From 0051a6935acd2f452a9189d1581ccac7377dd23d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Feb 2022 14:06:54 -0500 Subject: [PATCH 0470/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bcc9be3..87af894 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit b0a0004a85387a4f7520a688f6d2a9826d8e68fb +Author: Patrick Schleizer +Date: Thu Feb 10 13:47:10 2022 -0500 + + output + +commit 4f6f588fb53d2756d867ac7e29fb42f4f8fdb335 +Author: Patrick Schleizer +Date: Thu Feb 10 13:44:55 2022 -0500 + + fix, skip deletion of system.map files on read-only filesystems + + This is required for Qubes /lib/modules read-only implementation at time of writing. + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 + +commit 356232677a036cd1a673d805caa4d74a327ea096 +Author: Patrick Schleizer +Date: Tue Nov 9 14:32:33 2021 -0500 + + readme + +commit 96026a5e90a56cade2dff5f3dfc3687687e92c56 +Author: Patrick Schleizer +Date: Tue Sep 14 14:18:52 2021 -0400 + + bumped changelog version + commit c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 Author: Patrick Schleizer Date: Tue Sep 14 14:18:44 2021 -0400 diff --git a/debian/changelog b/debian/changelog index b54eff4..975f020 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Feb 2022 19:06:54 +0000 + security-misc (3:22.9-1) unstable; urgency=medium * New upstream version (local package). From 93efa506dac6135f1a5c260ec95d985e7fedc53d Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Thu, 17 Mar 2022 11:41:57 -0400 Subject: [PATCH 0471/1650] hide-hardware-info: disable selinux whitelist by default --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 45bddb8..849e561 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -9,7 +9,7 @@ sysfs_whitelist=1 cpuinfo_whitelist=1 ## https://www.whonix.org/wiki/Security-misc#selinux -selinux=1 +selinux=0 shopt -s nullglob From 2677db34baeb120a402b684d4a62ccf616b5528c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Apr 2022 12:40:16 -0400 Subject: [PATCH 0472/1650] readme --- README_generic.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/README_generic.md b/README_generic.md index e77e0d4..88b76be 100644 --- a/README_generic.md +++ b/README_generic.md @@ -8,15 +8,16 @@ Discussion: Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296 + ## How to install `security-misc` using apt-get ## 1\. Download the APT Signing Key. ``` -wget https://www.whonix.org/derivative.asc +wget https://www.kicksecure.com/derivative.asc ``` -Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. +Users can [check Whonix Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. 2\. Add the APT Signing Key.. @@ -27,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc 3\. Add the derivative repository. ``` -echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. 
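Review bot: The default flip to `selinux=0` carries no comment saying what the two values do, and the commit message only says "disable by default", not why; a reader has to find the block further down the file (outside this hunk) to learn that with `0` and `/sys/fs/selinux` present the script keeps the full sysfs restrictions and merely warns that SELinux userspace tools may not work, while `1` re-opens `/sys`, `/sys/fs` and `/sys/fs/selinux` to others. Presumably the intent is that the weaker mode is opt-in rather than applied just because an SELinux filesystem exists — confirm. A two-line comment above the assignment would make that explicit, e.g. `## 0 (default): keep full sysfs restrictions even if SELinux is present (SELinux userspace tools may fail).` and `## 1: loosen /sys, /sys/fs and /sys/fs/selinux so those tools work; weaker hiding.` The wiki link on the context line still points at whonix.org although sibling files in this series were migrated to kicksecure.com.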
@@ -50,16 +51,18 @@ Can be build using standard Debian package build tools such as: dpkg-buildpackage -b ``` -See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) +See instructions. -* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) +NOTE: Replace `generic-package` with the actual name of this package `security-misc`. + +* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact ## -* [Free Forum Support](https://forums.whonix.org) -* [Professional Support](https://www.whonix.org/wiki/Professional_Support) +* [Free Forum Support](https://forums.kicksecure.com) +* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate ## -`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! From bb0307290b59d0273f9ad585e881c91071e3edea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 16 Apr 2022 14:18:35 -0400 Subject: [PATCH 0473/1650] update link --- etc/permission-hardening.d/30_default.conf | 2 +- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index a46abcc..8771aad 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -41,7 +41,7 @@ ###################################################################### ## In case you need to use 'su'. See also: -## https://www.whonix.org/wiki/root#su +## https://www.kicksecure.com/wiki/root#su #/bin/su exactwhitelist #/usr/bin/su exactwhitelist diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 1fc8013..1f454cd 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -34,7 +34,7 @@ elif [ "$password_status_field" = "L" ]; then if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then if [ "$PAM_USER" = "root" ]; then echo "$0: ERROR: root account is locked by default. See:" >&2 - echo "https://www.whonix.org/wiki/root" >&2 + echo "https://www.kicksecure.com/wiki/root" >&2 echo "" >&2 exit 4 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index eef5733..b560b10 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -32,7 +32,7 @@ if [ ! "$grep_result" = "" ]; then echo "$0: However, possibly unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#console" >&2 + echo "https://www.kicksecure.com/wiki/root#console" >&2 echo "" >&2 exit 0 fi @@ -67,7 +67,7 @@ fi # echo "$0: ERROR: Root login is disabled." >&2 # echo "$0: ERROR: This is because /etc/securetty is empty." >&2 # echo "$0: See also:" >&2 -# echo "https://www.whonix.org/wiki/root#login" >&2 +# echo "https://www.kicksecure.com/wiki/root#login" >&2 # echo "" >&2 # exit 0 # fi 
@@ -136,7 +136,7 @@ if [ "$remaining_attempts" -le "0" ]; then echo "$0: However, most likely unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#unlock" >&2 + echo "https://www.kicksecure.com/wiki/root#unlock" >&2 echo "" >&2 exit 0 fi From 4a3ed17160c14ba7122d770665b53bde96038307 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 May 2022 17:25:58 -0400 Subject: [PATCH 0474/1650] readme --- README.md | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 0335f8b..c14ce82 100644 --- a/README.md +++ b/README.md @@ -243,13 +243,13 @@ This package does not yet automatically lock the root account password. It is not clear if this would be sane in such a package although, it is recommended to lock and expire the root account. -In new Whonix builds, root account will be locked by package +In new Kicksecure builds, root account will be locked by package dist-base-files. See: -* https://www.whonix.org/wiki/Root -* https://www.whonix.org/wiki/Dev/Permissions +* https://www.kicksecure.com/wiki/Root +* https://www.kicksecure.com/wiki/Dev/Permissions * https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. @@ -335,7 +335,7 @@ See: * `/lib/systemd/system/permission-hardening.service` * `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 -* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener +* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener ### Access rights relaxations 
@@ -400,24 +400,22 @@ executing `systemctl enable hide-hardware-info.service` as root. * Linux Kernel Runtime Guard (LKRG) * tirdad - TCP ISN CPU Information Leak Protection. -* Whonix ™ - Anonymous Operating System -* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution +* Kicksecure ™ - a security-hardened Linux Distribution * And more. -* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Whonix/tirdad -* https://www.whonix.org -* https://www.whonix.org/wiki/Kicksecure -* https://github.com/Whonix +* https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +* https://github.com/Kicksecure/tirdad +* https://www.kicksecure.com +* https://github.com/Kicksecure ## Discussion -Happening primarily in Whonix forums. +Happening primarily in forums. https://forums.whonix.org/t/kernel-hardening/7296 ## How to install `security-misc` -See https://www.whonix.org/wiki/Security-misc#install +See https://www.kicksecure.com/wiki/Security-misc#install ## How to Build deb Package from Source Code 
@@ -429,14 +427,14 @@ dpkg-buildpackage -b See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) -* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package) +* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact -* [Free Forum Support](https://forums.whonix.org) -* [Professional Support](https://www.whonix.org/wiki/Professional_Support) +* [Free Forum Support](https://forums.kicksecure.com) +* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! From 2d37e3a1af3739eedd9191a0f0c78a2762c5fa38 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 May 2022 14:46:38 -0400 Subject: [PATCH 0475/1650] copyright --- COPYING | 2 +- debian/control | 2 +- debian/copyright | 2 +- debian/make-helper-overrides.bsh | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.install | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.triggers | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/X11/Xsession.d/50panic_on_oops | 2 +- etc/X11/Xsession.d/50security-misc | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40error-on-any | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_distrust_cpu.cfg | 2 +- etc/default/grub.d/40_enable_iommu.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/41_quiet.cfg | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc.conf | 2 +- etc/permission-hardening.d/25_default_sudo.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_chromium.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_dbus.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_firejail.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_fuse.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_mount.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_policykit.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_qubes.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_selinux.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_spice.conf | 
2 +- etc/permission-hardening.d/25_default_whitelist_sudo.conf | 2 +- etc/permission-hardening.d/25_default_whitelist_virtualbox.conf | 2 +- etc/permission-hardening.d/30_default.conf | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 2 +- etc/sudoers.d/xfce-security-misc | 2 +- etc/sysctl.d/30_security-misc.conf | 2 +- etc/sysctl.d/30_silent-kernel-printk.conf | 2 +- etc/thunderbird/pref/40_security-mic.js | 2 +- lib/systemd/system-preset/50-security-misc.preset | 2 +- lib/systemd/system/haveged.service.d/30_security-misc.conf | 2 +- lib/systemd/system/hide-hardware-info.service | 2 +- lib/systemd/system/permission-hardening.service | 2 +- lib/systemd/system/proc-hidepid.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- usr/bin/pkexec.security-misc | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/libexec/security-misc/apt-get-update | 2 +- usr/libexec/security-misc/apt-get-update-sanity-test | 2 +- usr/libexec/security-misc/askpass | 2 +- usr/libexec/security-misc/echo-path | 2 +- usr/libexec/security-misc/hide-hardware-info | 2 +- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- usr/libexec/security-misc/pam_faillock_not_if_x | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/panic-on-oops | 2 +- usr/libexec/security-misc/permission-hardening | 2 +- usr/libexec/security-misc/permission-hardening-undo | 2 +- usr/libexec/security-misc/permission-lockdown | 2 +- usr/libexec/security-misc/remount-secure | 2 +- usr/libexec/security-misc/remove-system.map | 2 +- usr/libexec/security-misc/virusforget | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- 
usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 82 files changed, 82 insertions(+), 82 deletions(-) diff --git a/COPYING b/COPYING index 3b0825d..50fd69c 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP License: GPL-3+-with-additional-terms-1 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/debian/control b/debian/control index 0a1e11b..d963fa4 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc diff --git a/debian/copyright b/debian/copyright index 3b0825d..50fd69c 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP License: GPL-3+-with-additional-terms-1 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index 58b7bb3..a3c0434 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 diff --git a/debian/rules b/debian/rules index 54cbfde..640ff5c 100755 --- a/debian/rules +++ b/debian/rules 
@@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index b7cba93..f450715 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/securetty.security-misc diff --git a/debian/security-misc.install b/debian/security-misc.install index 2748341..7445979 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,4 +1,4 @@ -## Copyright (C) 2020 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file was generated using genmkfile 'make debinstfile'. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index dce7414..85865a3 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index cd4bf19..7518c0a 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index 80a0726..c5262bf 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index f8c516d..beeb62b 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index d5a120c..adbe7ab 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 3c09f14..5703c4f 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #### meta start diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index ef0fd76..e2f7f80 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/login.defs.security-misc diff --git a/debian/watch b/debian/watch index af1173f..086770e 100644 --- a/debian/watch +++ b/debian/watch 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops index 81d9a9f..4ebd17e 100755 --- a/etc/X11/Xsession.d/50panic_on_oops +++ b/etc/X11/Xsession.d/50panic_on_oops @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -x /usr/libexec/security-misc/panic-on-oops ]; then diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc index 829fe74..561cc30 100755 --- a/etc/X11/Xsession.d/50security-misc +++ b/etc/X11/Xsession.d/50security-misc @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 8795ef4..5db8ba0 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index e9357e6..e23b155 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. 
diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index 2a66799..7a6d44b 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 5bd25f7..7d6eb65 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables all mitigations for CPU vulnerabilities. diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg index 40a759a..f7610d3 100644 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the CPU for initial entropy at boot as it is not possible to diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg index 14d1869..f4aa582 100644 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables IOMMU to prevent DMA attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 1c594f6..929d71f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index 7f70a54..1caaa23 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index cb2de9b..a9931c3 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 944618a..9732633 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 89e1377..88c632d 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. PREREQ="" 
diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index acb9786..49e995c 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index ffa2b33..7f177e6 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://phabricator.whonix.org/T486 diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf index 3087ad4..32425c1 100644 --- a/etc/permission-hardening.d/25_default_sudo.conf +++ b/etc/permission-hardening.d/25_default_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf index cec7ec1..ceb0994 100644 --- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +++ b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or 
diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf index 399a005..b831db3 100644 --- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf +++ b/etc/permission-hardening.d/25_default_whitelist_chromium.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf index bdb1a03..66ffd7d 100644 --- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf +++ b/etc/permission-hardening.d/25_default_whitelist_dbus.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf index 5e6abef..99fa4ee 100644 --- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardening.d/25_default_whitelist_firejail.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf index 8d591cc..7f4dfbb 100644 --- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardening.d/25_default_whitelist_fuse.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf index 8f8bc51..47bb42b 100644 --- a/etc/permission-hardening.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardening.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf index be606a5..3c8a0a4 100644 --- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardening.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf index 1a934b0..ad359d6 100644 --- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardening.d/25_default_whitelist_qubes.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf index 076b996..f643342 100644 
--- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardening.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf index aa261f9..658a342 100644 --- a/etc/permission-hardening.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardening.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf index 1b8b69a..531d922 100644 --- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardening.d/25_default_whitelist_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf index 0f78927..1f77896 100644 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 8771aad..a879a4c 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index 6b409a5..eefa505 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index c3f5bbf..e37374d 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index 391680d..ff6a739 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index d0d1d35..061cf75 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 1e4e16b..f6bf3a6 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc index 909a30a..9bf8083 100644 --- a/etc/sudoers.d/xfce-security-misc +++ b/etc/sudoers.d/xfce-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 6ee134a..80afdc8 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf index 9a34d9a..4687dd8 100644 --- a/etc/sysctl.d/30_silent-kernel-printk.conf +++ b/etc/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. 
diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js index 06276f6..29c1e52 100644 --- a/etc/thunderbird/pref/40_security-mic.js +++ b/etc/thunderbird/pref/40_security-mic.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP //#### See the file COPYING for copying conditions. //#### meta start diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 2d83b83..6a277b9 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/lib/systemd/system/haveged.service.d/30_security-misc.conf index 7193a02..d3faa5b 100644 --- a/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index edc0dc1..13fb16c 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index bbe7eca..f925bac 100644 
--- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index 3952c86..59744ff 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 518c5ef..e8a9aa3 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index a0285b4..e8a52ea 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index d483f1c..10c91db 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with 
diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 32dfdf3..986d390 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index ff58900..504ec62 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. sigterm_trap() { diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index 1fab62b..d0d34ca 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 0c24b25..5f7bd34 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 9420ff5..e42dfda 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 849e561..4d1c8ca 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 1f454cd..780f741 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index b560b10..43c5bbb 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 26cbc43..1c9cf8d 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 489e044..feb397b 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index c0c001b..b9d6e37 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 33b4f27..c0572c2 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/usr/libexec/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo index 365490f..57d0b7a 100755 --- a/usr/libexec/security-misc/permission-hardening-undo +++ b/usr/libexec/security-misc/permission-hardening-undo 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #set -x diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index c1dbaaa..19e66b8 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index ae41e79..e76b66c 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## noexec in /tmp and/or /home can break some malware but also legitimate diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index d722e15..5ef6e04 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index ea010b8..84fa48f 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index ecc709d..2f70119 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 28bdc11..12cdd99 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index ca327fc..be05ab0 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 30a114a..c600617 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2021 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x From 7e2efe0155b97955428e64181c9a6b32402ee9db Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 May 2022 15:27:10 -0400 Subject: [PATCH 0476/1650] readme --- README_generic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_generic.md b/README_generic.md index 88b76be..95a324f 100644 --- a/README_generic.md +++ b/README_generic.md @@ -17,7 +17,7 @@ https://forums.whonix.org/t/kernel-hardening/7296 wget https://www.kicksecure.com/derivative.asc ``` -Users can [check Whonix Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. +Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. 2\. Add the APT Signing Key.. From 616fe857f7a5cde1f4ad0d31e03876dcd2ab7f0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 May 2022 06:07:17 -0400 Subject: [PATCH 0477/1650] bumped changelog version --- changelog.upstream | 73 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 79 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 87af894..9b3ae9c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,61 @@ +commit 7e2efe0155b97955428e64181c9a6b32402ee9db +Author: Patrick Schleizer +Date: Fri May 20 15:27:10 2022 -0400 + + readme + +commit 2d37e3a1af3739eedd9191a0f0c78a2762c5fa38 +Author: Patrick Schleizer +Date: Fri May 20 14:46:38 2022 -0400 + + copyright + +commit 78a9956b73498bad471ee1cb0fa0993f2e5ce3c0 +Merge: 4a3ed17 7651308 +Author: Patrick Schleizer +Date: Thu May 19 19:41:33 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 76513087872943442df32451de5af158c2bbe944 +Merge: 4a3ed17 93efa50 +Author: Patrick Schleizer +Date: Thu May 19 19:39:42 2022 -0400 + + Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions + + hide-hardware-info: re-enable restrictions on sysfs when using SELinux + +commit 4a3ed17160c14ba7122d770665b53bde96038307 +Author: Patrick Schleizer +Date: Thu May 19 17:25:58 2022 -0400 + + readme + +commit bb0307290b59d0273f9ad585e881c91071e3edea +Author: Patrick Schleizer +Date: Sat Apr 16 14:18:35 2022 -0400 + + update link + +commit 2677db34baeb120a402b684d4a62ccf616b5528c +Author: Patrick Schleizer +Date: Sun Apr 10 12:40:16 2022 -0400 + + readme + +commit 93efa506dac6135f1a5c260ec95d985e7fedc53d +Author: 0xC0ncord +Date: Thu Mar 17 11:41:57 2022 -0400 + + hide-hardware-info: disable selinux whitelist by default + +commit 0051a6935acd2f452a9189d1581ccac7377dd23d +Author: Patrick Schleizer +Date: Thu Feb 10 14:06:54 2022 -0500 + + bumped changelog version + commit b0a0004a85387a4f7520a688f6d2a9826d8e68fb Author: Patrick Schleizer Date: Thu Feb 10 13:47:10 2022 -0500 
@@ -22,6 +80,21 @@ Date: Tue Nov 9 14:32:33 2021 -0500 readme +commit 4172232eb75aaca301e51529e49df76ca86b93b3 +Author: 0xC0ncord +Date: Fri Oct 8 22:17:12 2021 -0400 + + hide-hardware-info: make indentation consistent + +commit 060d7d890a0292addaa1e85bb1b2ff7eece23378 +Author: 0xC0ncord +Date: Fri Oct 8 22:11:58 2021 -0400 + + hide-hardware-info: re-enable restrictions on sysfs when using SELinux + + When using SELinux, restrict the parts of sysfs explicitly to ensure + restrictions are working as expected. + commit 96026a5e90a56cade2dff5f3dfc3687687e92c56 Author: Patrick Schleizer Date: Tue Sep 14 14:18:52 2021 -0400 diff --git a/debian/changelog b/debian/changelog index 975f020..db08464 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 May 2022 10:07:17 +0000 + security-misc (3:23.0-1) unstable; urgency=medium * New upstream version (local package). From 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 Mon Sep 17 00:00:00 2001 From: Kuri Schlarb <246386+ntninja@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:03:56 +0000 Subject: [PATCH 0478/1650] permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results --- usr/libexec/security-misc/permission-hardening | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index c0572c2..71c4f72 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening 
@@ -318,12 +318,12 @@ set_file_perms() { continue fi - if ! getent passwd | grep -q "^${owner_from_config}:" ; then + if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 continue fi - if ! getent group | grep -q "^${group_from_config}:" ; then + if ! echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 continue fi @@ -462,6 +462,15 @@ set_file_perms() { } parse_config_folder() { + # Query contents of password and group databases only once and buffer them + # + # If we don’t buffer we sometimes get incorrect results when checking for entries using + # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in + # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since + # `set -o pipefail` is set for this script. + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + shopt -s nullglob for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do set_file_perms From 3910e4ee159d8b5f80c5086915583e4e20ecd6fe Mon Sep 17 00:00:00 2001 From: Kuri Schlarb <246386+ntninja@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:11:51 +0000 Subject: [PATCH 0479/1650] permission-hardening: Keep `passwd` executable but non-SetUID --- etc/permission-hardening.d/25_default_passwd.conf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 etc/permission-hardening.d/25_default_passwd.conf diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardening.d/25_default_passwd.conf new file mode 100644 index 0000000..19c2a4d --- /dev/null +++ b/etc/permission-hardening.d/25_default_passwd.conf 
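Review bot: The rewritten checks at `if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:"` (and the group line below it) still run a pipeline under `set -o pipefail`, so the SIGPIPE failure the commit describes merely moves from `getent` to the `echo` subshell and resurfaces once the buffered database is larger than the pipe buffer and `grep -q` exits early. The name is also interpolated unquoted into a basic regular expression, so a config entry containing `.` or `*` matches more entries than intended. A direct lookup needs neither the pipeline nor the buffering added in the parse_config_folder hunk of this same commit: `if ! getent passwd "$owner_from_config" >/dev/null; then` and `if ! getent group "$group_from_config" >/dev/null; then`, since getent exits non-zero when the key is absent. set_file_perms begins and ends outside this hunk.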
@@ -0,0 +1,14 @@ +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +# Keep the `passwd` utility executable to prevent issues with the +# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking +# user logins with `su` and KScreenLocker +# +# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd 0755 root root +/bin/passwd 0755 root root From 2bdda9d0a0a289dafb260c926d29df274c9a67da Mon Sep 17 00:00:00 2001 From: Kuri Schlarb <246386+ntninja@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:18:05 +0000 Subject: [PATCH 0480/1650] permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) --- usr/libexec/security-misc/permission-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 71c4f72..9d78068 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() { set_file_perms() { echo "INFO: START parsing config_file: '$config_file'" local line - while read -r line; do + while read -r line || [[ -n "${line}" ]]; do if [ "$line" = "" ]; then continue fi From 6e8f584d88333d3a6fec1318ba92f76e328bf7ce Mon Sep 17 00:00:00 2001 
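Review bot: The comment above the two `0755 root root` entries explains why `passwd` stays executable but not the consequence of dropping its SetUID bit, which is the part an administrator reading this file needs: without SetUID, `passwd` run by an unprivileged user cannot update the shadow database, so users can no longer change their own password and an administrator has to do it for them. I would add a line such as `# Note: without SetUID, unprivileged users cannot change their own password; an administrator must do it (e.g. via sudo).` so the trade-off is visible next to the setting rather than only on the linked wiki page.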
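Review bot: The new loop condition `while read -r line || [[ -n "${line}" ]]; do` is correct but not self-explanatory, and the commit message's "ancient bash bug" label will mislead the next reader: `read` returns non-zero at EOF even when it has just filled `line` from a final unterminated line, which is standard behaviour rather than a bug. A why-comment on the line keeps someone from "simplifying" it back: `## '|| [[ -n "${line}" ]]' also processes a last line that lacks a trailing newline ('read' returns non-zero at EOF even if it read data).` set_file_perms starts in this hunk and continues past its end.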
From: Kuri Schlarb <246386+ntninja@users.noreply.github.com> Date: Wed, 8 Jun 2022 05:29:42 +0000 Subject: [PATCH 0481/1650] permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow --- .../25_default_whitelist_unix_chkpwd.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf new file mode 100644 index 0000000..15ff326 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf @@ -0,0 +1,11 @@ +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## required for performing password validation from unprivileged user +## processes such as KScreenLocker’s unlock prompt +/usr/sbin/unix_chkpwd exactwhitelist +/sbin/unix_chkpwd exactwhitelist From 5c43197f10df3a49704a66ef3e3d56f122be4775 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Jun 2022 08:11:28 -0400 Subject: [PATCH 0482/1650] minor --- etc/permission-hardening.d/25_default_sudo.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf index 32425c1..16cfa2b 100644 --- a/etc/permission-hardening.d/25_default_sudo.conf +++ b/etc/permission-hardening.d/25_default_sudo.conf 
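Review bot: The `exactwhitelist` entries for `/usr/sbin/unix_chkpwd` and `/sbin/unix_chkpwd` keep a SetGID-shadow helper reachable from every unprivileged process, and the comment only says that it is "required", not why that is acceptable under a SUID-disabling policy. As far as I recall from pam_unix, the helper refuses to verify any account other than the caller's own when not invoked by root, which is the property that makes the exception defensible; stating it in the file lets a reviewer of the whitelist judge it without reading the PAM sources, e.g. `## unix_chkpwd only verifies the invoking user's own password when run unprivileged, which bounds the exposure of keeping it SetGID shadow.` I would phrase it as a belief to be confirmed against the installed pam version rather than as a guarantee.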
@@ -15,6 +15,6 @@ ## With this restriction, only users explicitly permitted to use sudo by being added to ## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a ## compromised network-facing daemon (such as web servers, time synchronization daemons, -## etc.) running as its own user from exploiting sudo to escalate privileges. +## etc.) running as its own user from exploiting sudo to escalate privileges. #/usr/bin/sudo 4750 root sudo #/bin/sudo 4750 root sudo From 55d16e1602c0221dbe00996a206d0691ef93ae71 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Jun 2022 09:04:03 -0400 Subject: [PATCH 0483/1650] remove unicode --- README.md | 2 +- .../25_default_whitelist_unix_chkpwd.conf | 2 +- usr/libexec/security-misc/permission-hardening | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c14ce82..5a6a0c5 100644 --- a/README.md +++ b/README.md @@ -400,7 +400,7 @@ executing `systemctl enable hide-hardware-info.service` as root. * Linux Kernel Runtime Guard (LKRG) * tirdad - TCP ISN CPU Information Leak Protection. -* Kicksecure ™ - a security-hardened Linux Distribution +* Kicksecure (TM) - a security-hardened Linux Distribution * And more. * https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG * https://github.com/Kicksecure/tirdad diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf index 15ff326..e4597bd 100644 --- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf 
@@ -6,6 +6,6 @@ ## configuration. When security-misc is updated, this file may be overwritten. ## required for performing password validation from unprivileged user -## processes such as KScreenLocker’s unlock prompt +## processes such as KScreenLocker's unlock prompt /usr/sbin/unix_chkpwd exactwhitelist /sbin/unix_chkpwd exactwhitelist diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 9d78068..5382676 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -464,7 +464,7 @@ set_file_perms() { parse_config_folder() { # Query contents of password and group databases only once and buffer them # - # If we don’t buffer we sometimes get incorrect results when checking for entries using + # If we don't buffer we sometimes get incorrect results when checking for entries using # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since # `set -o pipefail` is set for this script. From d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Jun 2022 09:27:02 -0400 Subject: [PATCH 0484/1650] remove unicode --- README.md | 16 ++++++++-------- usr/libexec/security-misc/permission-hardening | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 5a6a0c5..b991963 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ disabled. Certain kernel modules are blacklisted to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. -* Deactivates Netfilter's connection tracking helper — this module +* Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. 
@@ -133,7 +133,7 @@ such as IRC parsing in the kernel. Hence, this feature is disabled. p8022 - IEEE 802.2 - CAN — Controller Area Network + CAN - Controller Area Network ATM @@ -225,14 +225,14 @@ could be used. ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts — +users from using `su` to gain root access or to switch user accounts - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in file `/etc/pam.d/common-auth`). * Add user `root` to group `sudo`. This is required due to the above restriction so -that logging in from a virtual console is still possible — `debian/security-misc.postinst` +that logging in from a virtual console is still possible - `debian/security-misc.postinst` -* Abort login for users with locked passwords — +* Abort login for users with locked passwords - `/usr/libexec/security-misc/pam-abort-on-locked-password`. * Logging into the root account from a virtual, serial, whatnot console is @@ -353,10 +353,10 @@ See: ## Application-specific hardening * Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. — `/etc/apt/apt.conf.d/40error-on-any`. -* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`. + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. * Deactivates previews in Dolphin. -* Deactivates previews in Nautilus — +* Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. * Deactivates thumbnails in Thunar. * Displays domain names in punycode (`network.IDN_show_punycode`) in diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 5382676..1a1e13a 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening 
@@ -437,7 +437,7 @@ set_file_perms() { if [ "$capability_from_config" = "none" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 # sudo setcap -r /bin/ping 2>/dev/null - # Failed to set capabilities on file `/bin/ping' (No data available) + # Failed to set capabilities on file '/bin/ping' (No data available) # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. echo_wrapper_ignore setcap -r "$fso" @@ -465,9 +465,9 @@ parse_config_folder() { # Query contents of password and group databases only once and buffer them # # If we don't buffer we sometimes get incorrect results when checking for entries using - # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in - # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since - # `set -o pipefail` is set for this script. + # 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in + # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since + # 'set -o pipefail' is set for this script. passwd_file_contents="$(getent passwd)" group_file_contents="$(getent group)" From adca1ebdf6c83c5c1c846cdb29f3e16ea9cdf32f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 8 Jun 2022 11:05:07 -0400 Subject: [PATCH 0485/1650] bumped changelog version --- changelog.upstream | 64 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 70 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9b3ae9c..2e97cbf 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,67 @@ +commit d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 +Author: Patrick Schleizer +Date: Wed Jun 8 09:27:02 2022 -0400 + + remove unicode + +commit 55d16e1602c0221dbe00996a206d0691ef93ae71 +Author: Patrick Schleizer +Date: Wed Jun 8 09:04:03 2022 -0400 + + remove unicode + +commit fcaec49675ce7e240bdd049aab184fbee0945c7d +Merge: 5c43197 995e4ba +Author: Patrick Schleizer +Date: Wed Jun 8 08:20:24 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 995e4ba7fafc1bf4f691b83dde415c57cebed63d +Merge: 616fe85 6e8f584 +Author: Patrick Schleizer +Date: Wed Jun 8 08:19:03 2022 -0400 + + Merge pull request #104 from ntninja/patch-1 + + Fix issues found with permission-hardening on my system + +commit 5c43197f10df3a49704a66ef3e3d56f122be4775 +Author: Patrick Schleizer +Date: Wed Jun 8 08:11:28 2022 -0400 + + minor + +commit 6e8f584d88333d3a6fec1318ba92f76e328bf7ce +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Wed Jun 8 05:29:42 2022 +0000 + + permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow + +commit 2bdda9d0a0a289dafb260c926d29df274c9a67da +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:18:05 2022 +0000 + + permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) + +commit 3910e4ee159d8b5f80c5086915583e4e20ecd6fe +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:11:51 2022 +0000 + + permission-hardening: Keep `passwd` executable but non-SetUID + +commit 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:03:56 2022 +0000 + + permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results + +commit 616fe857f7a5cde1f4ad0d31e03876dcd2ab7f0f +Author: Patrick Schleizer +Date: Wed May 25 06:07:17 2022 -0400 + + bumped changelog version + commit 
7e2efe0155b97955428e64181c9a6b32402ee9db Author: Patrick Schleizer Date: Fri May 20 15:27:10 2022 -0400 diff --git a/debian/changelog b/debian/changelog index db08464..1012a9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 08 Jun 2022 15:05:07 +0000 + security-misc (3:23.1-1) unstable; urgency=medium * New upstream version (local package). From 38cdf2722bc0aa224e1ec253e77728d4e00b9be0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:32:55 -0400 Subject: [PATCH 0486/1650] - Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) Thanks to @friedy10! https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 --- debian/control | 3 ++- .../modules.d/40sdmem-security-misc/README.md | 4 ++++ .../40sdmem-security-misc/module-setup.sh | 19 +++++++++++++++++++ .../modules.d/40sdmem-security-misc/wipe.sh | 5 +++++ 4 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 usr/lib/dracut/modules.d/40sdmem-security-misc/README.md create mode 100755 usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh create mode 100755 usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh diff --git a/debian/control b/debian/control index d963fa4..cff197e 100644 --- a/debian/control +++ b/debian/control 
@@ -15,7 +15,8 @@ Rules-Requires-Root: no Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, ${misc:Depends} + apparmor-profile-dist, helper-scripts, libpam-modules-bin, + secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings https://github.com/Whonix/security-misc/blob/master/README.md diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md new file mode 100644 index 0000000..3ae2595 --- /dev/null +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md @@ -0,0 +1,4 @@ +### Make sure sdmem is part of the initramfs +sudo apt-get install secure-delete + +sudo dracut --include /usr/bin/sdmem /bin/sdmem --force diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh new file mode 100755 index 0000000..6d5c4c5 --- /dev/null +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh +check() { +return 0 +} + +depends() { +return 0 +} + +install() { +inst_hook shutdown 40 "$moddir/wipe.sh" +} + +installkernel() { +return 0 +} + diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh new file mode 100755 index 0000000..7fb2a60 --- /dev/null +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -0,0 +1,5 @@ +echo "Checking for mounted disks..." +dmsetup ls --target crypt +echo "WIPE RAM!" +/bin/sdmem -f +echo "WIPE DONE!" From 6f19af1542d3b6d2d6af89136ce909f7f7335ff1 Mon Sep 17 00:00:00 2001 
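Review bot: In the new `wipe.sh`, `dmsetup ls --target crypt` only prints the open crypt mappings and the script then runs `/bin/sdmem -f` regardless, although the commit message itself calls an unmounted/closed root device the pre-condition for this wipe: a dm-crypt key that is still held by an open mapping lives in kernel memory that a userspace allocator like sdmem cannot reach, so the wipe is only meaningful once the listing shows no devices. I would capture the output and emit a clearly labelled warning when any crypt target remains, e.g. compare it against dmsetup's no-devices message (I believe it prints `No devices found`) and `echo "WARNING: crypt mapping(s) still open; key material may remain in RAM" >&2` before proceeding. The `sdmem` exit status is also ignored, so `WIPE DONE!` is printed even when the wipe failed; `/bin/sdmem -f && echo "WIPE DONE!" || echo "WIPE FAILED!" >&2` keeps the console output honest. The script also has no interpreter line at this point.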
From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:35:08 -0400 Subject: [PATCH 0487/1650] add shebang /bin/sh to fix lintian warning security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 7fb2a60..669ffcc 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -1,3 +1,5 @@ +#!/bin/sh + echo "Checking for mounted disks..." dmsetup ls --target crypt echo "WIPE RAM!" From 29253004b6be7c7d2b3fce6cceff2df3e845f15a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:38:18 -0400 Subject: [PATCH 0488/1650] minor --- .../dracut/modules.d/40sdmem-security-misc/README.md | 7 +++++-- .../modules.d/40sdmem-security-misc/module-setup.sh | 10 +++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md index 3ae2595..9de79d3 100644 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md @@ -1,4 +1,7 @@ -### Make sure sdmem is part of the initramfs -sudo apt-get install secure-delete +### Make sure sdmem and dmsetup is part of the initramfs + +sudo apt update + +sudo apt --no-install-recommends install secure-delete dmsetup sudo dracut --include /usr/bin/sdmem /bin/sdmem --force diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index 6d5c4c5..c70ec9a 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh 
@@ -1,19 +1,19 @@ #!/bin/bash # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh + check() { -return 0 + return 0 } depends() { -return 0 + return 0 } install() { -inst_hook shutdown 40 "$moddir/wipe.sh" + inst_hook shutdown 40 "$moddir/wipe.sh" } installkernel() { -return 0 + return 0 } - From 024d52a67ebb6028d5df890e469fec5dc42be00a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:52:53 -0400 Subject: [PATCH 0489/1650] improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh --- .../dracut/modules.d/40sdmem-security-misc/module-setup.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index c70ec9a..3d5d0a2 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh @@ -2,18 +2,25 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh +# called by dracut check() { + require_binaries dmsetup || return 1 + require_binaries sdmem || return 1 return 0 } +# called by dracut depends() { return 0 } +# called by dracut install() { + inst $(command -v sdmem) /bin/sdmem inst_hook shutdown 40 "$moddir/wipe.sh" } +# called by dracut installkernel() { return 0 } From 83519a58c7c1eccee7544fbc3ec0cf67bda976a7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:54:27 -0400 Subject: [PATCH 0490/1650] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2e97cbf..bc820d9 100644 --- a/changelog.upstream +++ b/changelog.upstream 
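Review bot: In the second hunk of this line (the `module-setup.sh` "improve" change), `inst $(command -v sdmem) /bin/sdmem` leaves the command substitution unquoted, so the result is subject to word splitting and globbing; `inst "$(command -v sdmem)" /bin/sdmem` is the safe form. The new `check()` also requires `dmsetup` via `require_binaries dmsetup || return 1`, but `install()` only installs `sdmem`, so unless another dracut module happens to pull `dmsetup` into the image the `dmsetup ls --target crypt` call in `wipe.sh` will fail at shutdown; installing what `check()` demands keeps the two functions consistent. The `# called by dracut` comments would be more useful if they said what each return value means to dracut (e.g. that `check()` returning 0 lets the module be included whenever its binaries are present).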
@@ -1,3 +1,43 @@ +commit 024d52a67ebb6028d5df890e469fec5dc42be00a +Author: Patrick Schleizer +Date: Wed Jun 29 09:52:53 2022 -0400 + + improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh + +commit 29253004b6be7c7d2b3fce6cceff2df3e845f15a +Author: Patrick Schleizer +Date: Wed Jun 29 09:38:18 2022 -0400 + + minor + +commit 6f19af1542d3b6d2d6af89136ce909f7f7335ff1 +Author: Patrick Schleizer +Date: Wed Jun 29 09:35:08 2022 -0400 + + add shebang /bin/sh + + to fix lintian warning + security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh + +commit 38cdf2722bc0aa224e1ec253e77728d4e00b9be0 +Author: Patrick Schleizer +Date: Wed Jun 29 09:32:55 2022 -0400 + + - Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks + - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) + + Thanks to @friedy10! + + https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem + + https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 + +commit adca1ebdf6c83c5c1c846cdb29f3e16ea9cdf32f +Author: Patrick Schleizer +Date: Wed Jun 8 11:05:07 2022 -0400 + + bumped changelog version + commit d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 Author: Patrick Schleizer Date: Wed Jun 8 09:27:02 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 1012a9f..bc21d4f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 13:54:27 +0000 + security-misc (3:23.2-1) unstable; urgency=medium * New upstream version (local package). From cfae7de6a842b77e50f9e6f5cb1eed0eac63ff2f Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 09:58:37 -0400 Subject: [PATCH 0491/1650] lintian --- usr/share/lintian/overrides/security-misc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 2f70119..21eaac5 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -9,3 +9,8 @@ security-misc: no-manual-page usr/bin/pkexec.security-misc ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder + +## This is how dracut is still implemented. +security-misc: package-contains-documentation-outside-usr-share-doc usr/lib/dracut/modules.d/40sdmem-security-misc/README.md +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh From af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 10:01:51 -0400 Subject: [PATCH 0492/1650] comment --- debian/security-misc.triggers | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 5703c4f..157a9e6 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -6,7 +6,10 @@ #### category security #### description -## Activate initramfs hook that sets the sysctl values before init is executed. +## Trigger 'activate-noawait update-initramfs' also works with both, +## initramfs-tools as well as dracut. +## - Activate initramfs hook that sets the sysctl values before init is executed. +## - dracut module 40sdmem-security-misc activate-noawait update-initramfs ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox From e5d85d69efefdfcee63c8c7d4ced1ed1bf1aeee7 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 10:02:18 -0400 Subject: [PATCH 0493/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bc820d9..f3c0fc5 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 +Author: Patrick Schleizer +Date: Wed Jun 29 10:01:51 2022 -0400 + + comment + +commit cfae7de6a842b77e50f9e6f5cb1eed0eac63ff2f +Author: Patrick Schleizer +Date: Wed Jun 29 09:58:37 2022 -0400 + + lintian + +commit 83519a58c7c1eccee7544fbc3ec0cf67bda976a7 +Author: Patrick Schleizer +Date: Wed Jun 29 09:54:27 2022 -0400 + + bumped changelog version + commit 024d52a67ebb6028d5df890e469fec5dc42be00a Author: Patrick Schleizer Date: Wed Jun 29 09:52:53 2022 -0400 diff --git a/debian/changelog b/debian/changelog index bc21d4f..d7dd91d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 14:02:18 +0000 + security-misc (3:23.3-1) unstable; urgency=medium * New upstream version (local package). From 295811a88f9505687447ebf605fa108bc795da46 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 11:14:52 -0400 Subject: [PATCH 0494/1650] improvements --- .../dracut/modules.d/40sdmem-security-misc/module-setup.sh | 5 ++++- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index 3d5d0a2..b394574 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh 
@@ -4,6 +4,7 @@ # called by dracut check() { + require_binaries sleep || return 1 require_binaries dmsetup || return 1 require_binaries sdmem || return 1 return 0 @@ -16,7 +17,9 @@ depends() { # called by dracut install() { - inst $(command -v sdmem) /bin/sdmem + inst_multiple sleep + inst_multiple sdmem + inst_multiple dmsetup inst_hook shutdown 40 "$moddir/wipe.sh" } diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 669ffcc..4167c77 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -3,5 +3,5 @@ echo "Checking for mounted disks..." dmsetup ls --target crypt echo "WIPE RAM!" -/bin/sdmem -f +sdmem -f echo "WIPE DONE!" From 43ea4dbb8363c511270fd704b138633da9ad088a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 11:18:59 -0400 Subject: [PATCH 0495/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f3c0fc5..fbb95db 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 295811a88f9505687447ebf605fa108bc795da46 +Author: Patrick Schleizer +Date: Wed Jun 29 11:14:52 2022 -0400 + + improvements + +commit e5d85d69efefdfcee63c8c7d4ced1ed1bf1aeee7 +Author: Patrick Schleizer +Date: Wed Jun 29 10:02:18 2022 -0400 + + bumped changelog version + commit af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 Author: Patrick Schleizer Date: Wed Jun 29 10:01:51 2022 -0400 diff --git a/debian/changelog b/debian/changelog index d7dd91d..885bda9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 15:18:59 +0000 + security-misc (3:23.4-1) unstable; urgency=medium * New upstream version (local package). 
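Review bot: The three consecutive `inst_multiple` calls in `install()` can be collapsed into one, `inst_multiple sleep sdmem dmsetup`, which is how dracut modules conventionally list their binaries and lets a reader check the list against the three `require_binaries` lines in `check()` at a glance. `depends()` sits between the two hunks and is not visible here, so whether the module declares its dependency on dracut's shutdown machinery cannot be confirmed from this patch.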
From 72908d6b0dd65d6c9691977047b2bfdaa16ba147 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 11:34:55 -0400 Subject: [PATCH 0496/1650] comments --- etc/default/grub.d/41_quiet.cfg | 8 ++++++++ etc/sysctl.d/30_silent-kernel-printk.conf | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index 1caaa23..8b70cbd 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -7,3 +7,11 @@ ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" + +## NOTE: +## For higher verbosity, the user might also want to delete file +## /etc/sysctl.d/30_silent-kernel-printk.conf +## (or out-comment its settings). +## +## Alternatively, the user could consider to install the debug-misc package, +## which will undo the settings found here. diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf index 4687dd8..e2fecc5 100644 --- a/etc/sysctl.d/30_silent-kernel-printk.conf +++ b/etc/sysctl.d/30_silent-kernel-printk.conf @@ -4,3 +4,11 @@ ## Prevent kernel info leaks in console during boot. ## https://phabricator.whonix.org/T950 kernel.printk = 3 3 3 3 + +## NOTE: +## For higher verbosity, the user might also want to delete file +## /etc/default/grub.d/41_quiet.cfg +## (or out-comment its settings). +## +## Alternatively, the user could consider to install the debug-misc package, +## which will undo the settings found here. From 67eaf8c9167da545189390b6f0f58b0b5b20976c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 11:40:38 -0400 Subject: [PATCH 0497/1650] comments --- etc/default/grub.d/41_quiet.cfg | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index 8b70cbd..b557478 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -3,13 +3,23 @@ ## Prevent kernel info leaks in console during boot. ## https://phabricator.whonix.org/T950 + ## LANG=C str_replace is provided by package helper-scripts. + +## The following command actually removed "quiet" from the kernel command line. +## If verbosity is desired, the user might want to keep this line. ## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + +## If verbosity is desired, the user might want to out-comment the following line. GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" ## NOTE: -## For higher verbosity, the user might also want to delete file +## After editing this file, running: +## sudo update-grub +## is required. +## +## If higher verbosity is desired, the user might also want to delete file ## /etc/sysctl.d/30_silent-kernel-printk.conf ## (or out-comment its settings). ## From 73d2ada0deb98064979ea1feedb01c6312c4b4d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 13:02:01 -0400 Subject: [PATCH 0498/1650] comment --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 4167c77..1273294 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -3,5 +3,6 @@ echo "Checking for mounted disks..." dmsetup ls --target crypt echo "WIPE RAM!" +## TODO: remove -f sdmem -f echo "WIPE DONE!" From db301dfd7feb07799a00871f0e1f8fdccef0b777 Mon Sep 17 00:00:00 2001 
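Review bot: The new comment `## The following command actually removed "quiet" from the kernel command line.` should read `removes` (present tense), since it describes what the assignment below it does on every run of update-grub. The two "If verbosity is desired" sentences are easy to misread as contradictory; stating once that only the second assignment (the one appending `quiet loglevel=0`) needs to be commented out would make the intent clearer.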
From: Patrick Schleizer Date: Wed, 29 Jun 2022 13:02:39 -0400 Subject: [PATCH 0499/1650] comment --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 1273294..90d1263 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -3,6 +3,6 @@ echo "Checking for mounted disks..." dmsetup ls --target crypt echo "WIPE RAM!" -## TODO: remove -f +## TODO: remove -f (fast and insecure mode) sdmem -f echo "WIPE DONE!" From 924077e04cd0d5b06a410b2a9289047286500e8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 13:02:53 -0400 Subject: [PATCH 0500/1650] verbose --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 90d1263..b881c44 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -4,5 +4,5 @@ echo "Checking for mounted disks..." dmsetup ls --target crypt echo "WIPE RAM!" ## TODO: remove -f (fast and insecure mode) -sdmem -f +sdmem -v -f echo "WIPE DONE!" From 4d937f551f6cccf40f933576a7fa210066f1fc8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 13:03:35 -0400 Subject: [PATCH 0501/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fbb95db..957b627 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,39 @@ +commit 924077e04cd0d5b06a410b2a9289047286500e8a +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:53 2022 -0400 + + verbose + +commit db301dfd7feb07799a00871f0e1f8fdccef0b777 +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:39 2022 -0400 + + comment + +commit 73d2ada0deb98064979ea1feedb01c6312c4b4d5 +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:01 2022 -0400 + + comment + +commit 67eaf8c9167da545189390b6f0f58b0b5b20976c +Author: Patrick Schleizer +Date: Wed Jun 29 11:40:38 2022 -0400 + + comments + +commit 72908d6b0dd65d6c9691977047b2bfdaa16ba147 +Author: Patrick Schleizer +Date: Wed Jun 29 11:34:55 2022 -0400 + + comments + +commit 43ea4dbb8363c511270fd704b138633da9ad088a +Author: Patrick Schleizer +Date: Wed Jun 29 11:18:59 2022 -0400 + + bumped changelog version + commit 295811a88f9505687447ebf605fa108bc795da46 Author: Patrick Schleizer Date: Wed Jun 29 11:14:52 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 885bda9..968cdaf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 17:03:35 +0000 + security-misc (3:23.5-1) unstable; urgency=medium * New upstream version (local package). From 8a072437cc6478757a8f21f3a6a0ea51a97b978b Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 14:13:30 -0400 Subject: [PATCH 0502/1650] ram wipe on shutdown: fix, added `need_shutdown` hook Otherwise dracut does not run on shutdown. Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. And without that file `/usr/lib/dracut/dracut-initramfs-restore`, which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. --- usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh | 1 + .../modules.d/40sdmem-security-misc/wipe-needshutdown.sh | 3 +++ 2 files changed, 4 insertions(+) create mode 100755 usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index b394574..18cd8d5 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh @@ -21,6 +21,7 @@ install() { inst_multiple sdmem inst_multiple dmsetup inst_hook shutdown 40 "$moddir/wipe.sh" + inst_hook cleanup 80 "$moddir/wipe-needshutdown.sh" } # called by dracut diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh new file mode 100755 index 0000000..16df8ec --- /dev/null +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +need_shutdown From 81c15e88afd11d3359ae748d5c43e7bcc8b9a855 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 14:15:48 -0400 Subject: [PATCH 0503/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 957b627..dfe743f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit 8a072437cc6478757a8f21f3a6a0ea51a97b978b +Author: Patrick Schleizer +Date: Wed Jun 29 14:13:30 2022 -0400 + + ram wipe on shutdown: fix, added `need_shutdown` hook + + Otherwise dracut does not run on shutdown. + + Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. + And without that file `/usr/lib/dracut/dracut-initramfs-restore`, + which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. + +commit 4d937f551f6cccf40f933576a7fa210066f1fc8a +Author: Patrick Schleizer +Date: Wed Jun 29 13:03:35 2022 -0400 + + bumped changelog version + commit 924077e04cd0d5b06a410b2a9289047286500e8a Author: Patrick Schleizer Date: Wed Jun 29 13:02:53 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 968cdaf..4d79927 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 18:15:48 +0000 + security-misc (3:23.6-1) unstable; urgency=medium * New upstream version (local package). From 6eba53767f3af2436fd00b807e71a94dff813dfc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 14:17:52 -0400 Subject: [PATCH 0504/1650] lintian --- usr/share/lintian/overrides/security-misc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 21eaac5..0b1e8f9 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -12,5 +12,4 @@ security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placehold ## This is how dracut is still implemented. security-misc: package-contains-documentation-outside-usr-share-doc usr/lib/dracut/modules.d/40sdmem-security-misc/README.md -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/* From 87e5f49f8dc72f14e96cc06b924566668991037f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 14:18:02 -0400 Subject: [PATCH 0505/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index dfe743f..9cc5b13 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 6eba53767f3af2436fd00b807e71a94dff813dfc +Author: Patrick Schleizer +Date: Wed Jun 29 14:17:52 2022 -0400 + + lintian + +commit 81c15e88afd11d3359ae748d5c43e7bcc8b9a855 +Author: Patrick Schleizer +Date: Wed Jun 29 14:15:48 2022 -0400 + + bumped changelog version + commit 8a072437cc6478757a8f21f3a6a0ea51a97b978b Author: Patrick Schleizer Date: Wed Jun 29 14:13:30 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 4d79927..1d23c96 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:23.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 18:18:02 +0000 + security-misc (3:23.7-1) unstable; urgency=medium * New upstream version (local package). From 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:17:40 -0400 Subject: [PATCH 0506/1650] improvements --- .../modules.d/40sdmem-security-misc/wipe.sh | 37 ++++++++++++++++--- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index b881c44..d1a2e56 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -1,8 +1,33 @@ #!/bin/sh -echo "Checking for mounted disks..." -dmsetup ls --target crypt -echo "WIPE RAM!" -## TODO: remove -f (fast and insecure mode) -sdmem -v -f -echo "WIPE DONE!" +ram_wipe() { + info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + + info "$0: Checking if there are still mounted encrypted disks..." + + local dmsetup_actual_output dmsetup_expected_output + dmsetup_actual_output="$(dmsetup ls --target crypt)" + dmsetup_expected_output="No devices found" + + if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then + info "$0: Success, there are no more mounted encrypted disks, OK." + else + warn "\ +$0: There are still mounted encrypted disks! RAM wipe failed! + +debugging information: +dmsetup_expected_output: '$dmsetup_expected_output' +dmsetup_actual_output: '$dmsetup_actual_output'" + return 0 + fi + + info "$0: Starting RAM wipe..." + + ## TODO: sdmem settings. One pass only. Secure? Configurable? + sdmem -l -l -f + + info "$0: RAM wipe completed, OK." + info "$0: END COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" +} + +ram_wipe From fc202ede16ee41aceeec356ba35ba71cc7fc821d Mon Sep 17 00:00:00 2001 
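Review bot: The wipe is skipped via `return 0` whenever `dmsetup ls --target crypt` prints anything other than the literal `No devices found`, so a failing or absent dmsetup (empty stdout, error on stderr) is indistinguishable from "encrypted disks still open" and silently disables the defense; check the exit status separately, e.g. `if ! dmsetup_actual_output="$(dmsetup ls --target crypt)"; then warn "$0: dmsetup failed, cannot verify disk state"; fi`, and decide explicitly whether an unverifiable state should still run the wipe. The exit status of `sdmem -l -l -f` is likewise ignored, so "RAM wipe completed, OK." is logged even when sdmem fails; `if ! sdmem -l -l -f; then warn "$0: sdmem exited non-zero, RAM wipe may be incomplete"; fi` keeps the log truthful. `-f` is the mode the series itself later calls "fast and insecure" and, per the TODO on the same line, `-l -l` leaves a single pass, so the comment should record the intended threat model before this ships rather than an open question. Since dracut sources shutdown hooks rather than executing them, `$0` in the log prefix is presumably the sourcing script's name, not this file's.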
From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:18:28 -0400 Subject: [PATCH 0507/1650] delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md` --- usr/lib/dracut/modules.d/40sdmem-security-misc/README.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 usr/lib/dracut/modules.d/40sdmem-security-misc/README.md diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md deleted file mode 100644 index 9de79d3..0000000 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md +++ /dev/null @@ -1,7 +0,0 @@ -### Make sure sdmem and dmsetup is part of the initramfs - -sudo apt update - -sudo apt --no-install-recommends install secure-delete dmsetup - -sudo dracut --include /usr/bin/sdmem /bin/sdmem --force From 19439033de840ed39039f04db7b13f6e168a627e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:19:56 -0400 Subject: [PATCH 0508/1650] copyright --- usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh | 3 +++ .../modules.d/40sdmem-security-misc/wipe-needshutdown.sh | 3 +++ usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 3 +++ 3 files changed, 9 insertions(+) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index 18cd8d5..9edf964 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh @@ -2,6 +2,9 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + # called by dracut check() { require_binaries sleep || return 1 
diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh index 16df8ec..65a08f1 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh @@ -1,3 +1,6 @@ #!/bin/sh +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + need_shutdown diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index d1a2e56..fc1278e 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -1,5 +1,8 @@ #!/bin/sh +## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ram_wipe() { info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" From 9ab81d45810b71374520603c32812e22685f59cb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:22:00 -0400 Subject: [PATCH 0509/1650] do not power off too fast so wipe ram messages can be read --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index fc1278e..afcf414 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -21,6 +21,7 @@ $0: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" + sleep 10 return 0 fi 
@@ -30,7 +31,8 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sdmem -l -l -f info "$0: RAM wipe completed, OK." - info "$0: END COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + info "$0: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + sleep 3 } ram_wipe From 4b0cd53fee691f68dd6292869b6f6870bc0b6cbe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:22:41 -0400 Subject: [PATCH 0510/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9cc5b13..86669e4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 9ab81d45810b71374520603c32812e22685f59cb +Author: Patrick Schleizer +Date: Wed Jun 29 15:22:00 2022 -0400 + + do not power off too fast so wipe ram messages can be read + +commit 19439033de840ed39039f04db7b13f6e168a627e +Author: Patrick Schleizer +Date: Wed Jun 29 15:19:56 2022 -0400 + + copyright + +commit fc202ede16ee41aceeec356ba35ba71cc7fc821d +Author: Patrick Schleizer +Date: Wed Jun 29 15:18:28 2022 -0400 + + delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md` + +commit 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 +Author: Patrick Schleizer +Date: Wed Jun 29 15:17:40 2022 -0400 + + improvements + +commit 87e5f49f8dc72f14e96cc06b924566668991037f +Author: Patrick Schleizer +Date: Wed Jun 29 14:18:02 2022 -0400 + + bumped changelog version + commit 6eba53767f3af2436fd00b807e71a94dff813dfc Author: Patrick Schleizer Date: Wed Jun 29 14:17:52 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 1d23c96..6994dad 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:23.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 19:22:41 +0000 + security-misc (3:23.8-1) unstable; urgency=medium * New upstream version (local package). From 1c51d156494e743c7ad89f76510209a97eef5e45 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:23:53 -0400 Subject: [PATCH 0511/1650] lintian --- usr/share/lintian/overrides/security-misc | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 0b1e8f9..f67062f 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -11,5 +11,4 @@ security-misc: no-manual-page usr/bin/pkexec.security-misc security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder ## This is how dracut is still implemented. -security-misc: package-contains-documentation-outside-usr-share-doc usr/lib/dracut/modules.d/40sdmem-security-misc/README.md security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/* From e9cd5d934b04f7d06a14616ef52a914198f03b97 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:24:27 -0400 Subject: [PATCH 0512/1650] copyright --- usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh | 2 +- .../dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh | 2 +- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh index 9edf964..ac9f4a6 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh 
@@ -2,7 +2,7 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. # called by dracut diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh index 65a08f1..723421c 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. need_shutdown diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index afcf414..0244fc1 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ram_wipe() { From 0b0cda8f8f2ff1da256473115df37456273cdcdd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:24:40 -0400 Subject: [PATCH 0513/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 86669e4..0236580 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit e9cd5d934b04f7d06a14616ef52a914198f03b97 +Author: Patrick Schleizer +Date: Wed Jun 29 15:24:27 2022 -0400 + + copyright + +commit 1c51d156494e743c7ad89f76510209a97eef5e45 +Author: Patrick Schleizer +Date: Wed Jun 29 15:23:53 2022 -0400 + + lintian + +commit 4b0cd53fee691f68dd6292869b6f6870bc0b6cbe +Author: Patrick Schleizer +Date: Wed Jun 29 15:22:41 2022 -0400 + + bumped changelog version + commit 9ab81d45810b71374520603c32812e22685f59cb Author: Patrick Schleizer Date: Wed Jun 29 15:22:00 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 6994dad..4cef2c1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 19:24:40 +0000 + security-misc (3:23.9-1) unstable; urgency=medium * New upstream version (local package). From af8b211c238f6fe83db5990dc0984d1c532456ae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:50:20 -0400 Subject: [PATCH 0514/1650] improvements --- usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh index 0244fc1..b731087 100755 --- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh +++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh @@ -6,6 +6,10 @@ ram_wipe() { info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + local OLD_DRACUT_QUIET + OLD_DRACUT_QUIET="$DRACUT_QUIET" + DRACUT_QUIET='no' + info "$0: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output 
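Review bot: `DRACUT_QUIET='no'` is set in the `ram_wipe()` hunk of this patch but restored only in its third hunk, after the successful wipe, so the early `return 0` in the "still mounted encrypted disks" branch (the second hunk, where `sleep 10` becomes `sleep 5`) leaves the sourcing shell with `DRACUT_QUIET=no` for every later shutdown hook. Add `DRACUT_QUIET="$OLD_DRACUT_QUIET"` before that `return 0`, or move the restore out of the function so it runs after `ram_wipe` returns on either path. `local` under `#!/bin/sh` is not POSIX; it presumably works because the initramfs shell is dash or busybox, which is worth a one-line comment.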
@@ -21,7 +25,7 @@ $0: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" - sleep 10 + sleep 5 return 0 fi @@ -31,6 +35,10 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sdmem -l -l -f info "$0: RAM wipe completed, OK." + + ## Restore to previous value. + DRACUT_QUIET="$OLD_DRACUT_QUIET" + info "$0: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" sleep 3 } From 2a8504cf1bd2a4d7e373bde3f34f6f22e3d5ebc4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:51:14 -0400 Subject: [PATCH 0515/1650] move --- .../module-setup.sh | 0 .../wipe-needshutdown.sh | 0 .../{40sdmem-security-misc => 40cold-boot-attack-defense}/wipe.sh | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename usr/lib/dracut/modules.d/{40sdmem-security-misc => 40cold-boot-attack-defense}/module-setup.sh (100%) rename usr/lib/dracut/modules.d/{40sdmem-security-misc => 40cold-boot-attack-defense}/wipe-needshutdown.sh (100%) rename usr/lib/dracut/modules.d/{40sdmem-security-misc => 40cold-boot-attack-defense}/wipe.sh (100%) diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh similarity index 100% rename from usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh rename to usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-needshutdown.sh similarity index 100% rename from usr/lib/dracut/modules.d/40sdmem-security-misc/wipe-needshutdown.sh rename to usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-needshutdown.sh 
diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe.sh similarity index 100% rename from usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh rename to usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe.sh From 619bb3cf4d347c1575c58c74adbbede94d60f79b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:53:24 -0400 Subject: [PATCH 0516/1650] rename --- .../modules.d/40cold-boot-attack-defense/{wipe.sh => wipe-ram.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename usr/lib/dracut/modules.d/40cold-boot-attack-defense/{wipe.sh => wipe-ram.sh} (100%) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh similarity index 100% rename from usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe.sh rename to usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh From 52aaac9b6d3a9611317e919d78840554bfce9778 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:53:52 -0400 Subject: [PATCH 0517/1650] rename --- .../{wipe-needshutdown.sh => wipe-ram-needshutdown.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename usr/lib/dracut/modules.d/40cold-boot-attack-defense/{wipe-needshutdown.sh => wipe-ram-needshutdown.sh} (100%) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh similarity index 100% rename from usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-needshutdown.sh rename to usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh From 42e24f3c241471d91af6f16b74b5bf85dfad85d7 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 15:54:49 -0400 Subject: [PATCH 0518/1650] update file names --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index ac9f4a6..316cdc0 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -23,8 +23,8 @@ install() { inst_multiple sleep inst_multiple sdmem inst_multiple dmsetup - inst_hook shutdown 40 "$moddir/wipe.sh" - inst_hook cleanup 80 "$moddir/wipe-needshutdown.sh" + inst_hook shutdown 40 "$moddir/wipe-ram.sh" + inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh" } # called by dracut From f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:02:05 -0400 Subject: [PATCH 0519/1650] credits --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 4 ++++ .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index 316cdc0..a81fdef 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -5,6 +5,10 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Credits: +## First version by @friedy10. +## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/module-setup.sh + # called by dracut check() { require_binaries sleep || return 1 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index b731087..47e4777 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -3,6 +3,10 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Credits: +## First version by @friedy10. +## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh + ram_wipe() { info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" From a1f752ad00563b61a62a2dd33058365f1b6027de Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:03:58 -0400 Subject: [PATCH 0520/1650] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0236580..6072d5c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,45 @@ +commit f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 +Author: Patrick Schleizer +Date: Wed Jun 29 16:02:05 2022 -0400 + + credits + +commit 42e24f3c241471d91af6f16b74b5bf85dfad85d7 +Author: Patrick Schleizer +Date: Wed Jun 29 15:54:49 2022 -0400 + + update file names + +commit 52aaac9b6d3a9611317e919d78840554bfce9778 +Author: Patrick Schleizer +Date: Wed Jun 29 15:53:52 2022 -0400 + + rename + +commit 619bb3cf4d347c1575c58c74adbbede94d60f79b +Author: Patrick Schleizer +Date: Wed Jun 29 15:53:24 2022 -0400 + + rename + +commit 2a8504cf1bd2a4d7e373bde3f34f6f22e3d5ebc4 +Author: Patrick Schleizer +Date: Wed Jun 29 15:51:14 2022 -0400 + + move + +commit af8b211c238f6fe83db5990dc0984d1c532456ae +Author: Patrick Schleizer +Date: Wed Jun 29 15:50:20 2022 -0400 + + improvements + +commit 0b0cda8f8f2ff1da256473115df37456273cdcdd +Author: Patrick Schleizer +Date: Wed Jun 29 15:24:40 2022 -0400 + + bumped changelog version + commit e9cd5d934b04f7d06a14616ef52a914198f03b97 Author: Patrick Schleizer Date: Wed Jun 29 15:24:27 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 4cef2c1..a17e549 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:03:58 +0000 + security-misc (3:24.0-1) unstable; urgency=medium * New upstream version (local package). From 8b584c570af5d9ada8083af9bd80f3f992e3dceb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:06:22 -0400 Subject: [PATCH 0521/1650] lintian --- usr/share/lintian/overrides/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index f67062f..b93fa50 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -11,4 +11,4 @@ security-misc: no-manual-page usr/bin/pkexec.security-misc security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder ## This is how dracut is still implemented. -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40sdmem-security-misc/* +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* From aae4fdcffd0e3ed168975bc84db149843ffdfe47 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:06:33 -0400 Subject: [PATCH 0522/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6072d5c..065670c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 8b584c570af5d9ada8083af9bd80f3f992e3dceb +Author: Patrick Schleizer +Date: Wed Jun 29 16:06:22 2022 -0400 + + lintian + +commit a1f752ad00563b61a62a2dd33058365f1b6027de +Author: Patrick Schleizer +Date: Wed Jun 29 16:03:58 2022 -0400 + + bumped changelog version + commit f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 Author: Patrick Schleizer Date: Wed Jun 29 16:02:05 2022 -0400 diff --git a/debian/changelog b/debian/changelog index a17e549..fcfc730 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:06:33 +0000 + security-misc (3:24.1-1) unstable; urgency=medium * New upstream version (local package). From 1ce7b27297bce446fb5726eba1cbb0cd3746fa85 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:23:12 -0400 Subject: [PATCH 0523/1650] improvement --- .../40cold-boot-attack-defense/wipe-ram.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 47e4777..7722bd7 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -12,6 +12,7 @@ ram_wipe() { local OLD_DRACUT_QUIET OLD_DRACUT_QUIET="$DRACUT_QUIET" + ## check_quiet should show info in console. DRACUT_QUIET='no' info "$0: Checking if there are still mounted encrypted disks..." @@ -35,15 +36,23 @@ dmsetup_actual_output: '$dmsetup_actual_output'" info "$0: Starting RAM wipe..." + ## - If DRACUT_QUIET previously was set to '', reset to '' for auto detection by check_quiet. + ## - If DRACUT_QUIET previously was set to 'no', reset to 'no' for verbose output. + ## - If DRACUT_QUIET previously was set to 'yes', reset to 'yes' to hide sdmem output, + ## as well as the oom killing at the end. + DRACUT_QUIET="$OLD_DRACUT_QUIET" + ## TODO: sdmem settings. One pass only. Secure? Configurable? sdmem -l -l -f + ## Reset to DRACUT_QUIET='no' so info messages can be shown. + DRACUT_QUIET='no' + info "$0: RAM wipe completed, OK." + info "$0: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" ## Restore to previous value. DRACUT_QUIET="$OLD_DRACUT_QUIET" - - info "$0: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" sleep 3 } From d4161b2748665ca3b67e5ced5ae576acb93cda46 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:23:42 -0400 Subject: [PATCH 0524/1650] output --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 7722bd7..7dc5000 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -8,13 +8,12 @@ ## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh ram_wipe() { - info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" - local OLD_DRACUT_QUIET OLD_DRACUT_QUIET="$DRACUT_QUIET" ## check_quiet should show info in console. DRACUT_QUIET='no' + info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" info "$0: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output From 92c543e71ff5386f4458102e1795132399292328 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:24:52 -0400 Subject: [PATCH 0525/1650] output --- .../40cold-boot-attack-defense/wipe-ram.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 7dc5000..29f5644 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -13,18 +13,18 @@ ram_wipe() { ## check_quiet should show info in console. DRACUT_QUIET='no' - info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" - info "$0: Checking if there are still mounted encrypted disks..." + info "wipe-ram.sh: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "$0: Success, there are no more mounted encrypted disks, OK." + info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." else warn "\ -$0: There are still mounted encrypted disks! RAM wipe failed! +wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' @@ -33,7 +33,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" return 0 fi - info "$0: Starting RAM wipe..." + info "wipe-ram.sh: Starting RAM wipe..." ## - If DRACUT_QUIET previously was set to '', reset to '' for auto detection by check_quiet. ## - If DRACUT_QUIET previously was set to 'no', reset to 'no' for verbose output. @@ -47,8 +47,8 @@ dmsetup_actual_output: '$dmsetup_actual_output'" ## Reset to DRACUT_QUIET='no' so info messages can be shown. DRACUT_QUIET='no' - info "$0: RAM wipe completed, OK." - info "$0: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + info "wipe-ram.sh: RAM wipe completed, OK." + info "wipe-ram.sh: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" ## Restore to previous value. DRACUT_QUIET="$OLD_DRACUT_QUIET" From 26be74bfe5c51a8ae41bb736847d3e93e7ae27d7 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:25:07 -0400 Subject: [PATCH 0526/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 065670c..fe6f24f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 92c543e71ff5386f4458102e1795132399292328 +Author: Patrick Schleizer +Date: Wed Jun 29 16:24:52 2022 -0400 + + output + +commit d4161b2748665ca3b67e5ced5ae576acb93cda46 +Author: Patrick Schleizer +Date: Wed Jun 29 16:23:42 2022 -0400 + + output + +commit 1ce7b27297bce446fb5726eba1cbb0cd3746fa85 +Author: Patrick Schleizer +Date: Wed Jun 29 16:23:12 2022 -0400 + + improvement + +commit aae4fdcffd0e3ed168975bc84db149843ffdfe47 +Author: Patrick Schleizer +Date: Wed Jun 29 16:06:33 2022 -0400 + + bumped changelog version + commit 8b584c570af5d9ada8083af9bd80f3f992e3dceb Author: Patrick Schleizer Date: Wed Jun 29 16:06:22 2022 -0400 diff --git a/debian/changelog b/debian/changelog index fcfc730..083f55d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:25:07 +0000 + security-misc (3:24.2-1) unstable; urgency=medium * New upstream version (local package). From 1b97d9cb766b00914769e5add699a8bdbcf1e7aa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:30:31 -0400 Subject: [PATCH 0527/1650] fix --- usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 29f5644..7c29300 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -42,7 +42,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" DRACUT_QUIET="$OLD_DRACUT_QUIET" ## TODO: sdmem settings. One pass only. Secure? Configurable? - sdmem -l -l -f + sdmem -l -l -v ## Reset to DRACUT_QUIET='no' so info messages can be shown. DRACUT_QUIET='no' From e06405c7be683450e6c6f737171b4f10513254e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jun 2022 16:56:16 -0400 Subject: [PATCH 0528/1650] undo --- .../modules.d/40cold-boot-attack-defense/wipe-ram.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 7c29300..33cd804 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -35,18 +35,9 @@ dmsetup_actual_output: '$dmsetup_actual_output'" info "wipe-ram.sh: Starting RAM wipe..." - ## - If DRACUT_QUIET previously was set to '', reset to '' for auto detection by check_quiet. - ## - If DRACUT_QUIET previously was set to 'no', reset to 'no' for verbose output. - ## - If DRACUT_QUIET previously was set to 'yes', reset to 'yes' to hide sdmem output, - ## as well as the oom killing at the end. - DRACUT_QUIET="$OLD_DRACUT_QUIET" - ## TODO: sdmem settings. One pass only. Secure? Configurable? sdmem -l -l -v - ## Reset to DRACUT_QUIET='no' so info messages can be shown. - DRACUT_QUIET='no' - info "wipe-ram.sh: RAM wipe completed, OK." info "wipe-ram.sh: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" From 0e2fae2b693d6c45344cfdf592bac0adf3338d58 Mon Sep 17 00:00:00 2001 
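Review bot: The change from `sdmem -l -l -f` to `sdmem -l -l -v` is not explained anywhere; the commit subject is only "fix" and the TODO line directly above still asks whether the settings are secure or configurable. A reader cannot tell whether dropping `-f` was a deliberate change to the wipe mode or just a way to get progress output, so a comment on the call would help, e.g. `## -v: verbose so progress is visible on the console; -f (fast mode, see sdmem(1)) intentionally not used.`. The enclosing function `ram_wipe` starts and ends outside this hunk.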
From: Patrick Schleizer Date: Thu, 30 Jun 2022 13:50:18 -0400 Subject: [PATCH 0529/1650] skip ram wipe inside VMs https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40 --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 33cd804..7de4c67 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -13,6 +13,11 @@ ram_wipe() { ## check_quiet should show info in console. DRACUT_QUIET='no' + if systemd-detect-virt &>/dev/null ; then + info "wipe-ram.sh: Skip, because VM detected, OK." + return 0 + fi + info "wipe-ram.sh: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." From 036f518ddc067461979f5b61a576b7f74b7c6e65 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jun 2022 13:56:29 -0400 Subject: [PATCH 0530/1650] improvement --- .../40cold-boot-attack-defense/wipe-ram.sh | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 7de4c67..8ea64a1 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
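Review bot: `if systemd-detect-virt &>/dev/null ; then` depends on the bash-only `&>` redirection; if this hook is ever sourced by a POSIX sh (dash or busybox in an initramfs), it parses as `systemd-detect-virt &` followed by `>/dev/null`, the backgrounded command's status is 0, and the wipe is silently skipped on every machine. `if systemd-detect-virt >/dev/null 2>&1 ; then` is portable and behaves identically under bash; the same construct is reintroduced in both files of the later `wiperam=skip`/`wiperam=force` patch. In this commit `systemd-detect-virt` is not yet installed into the initramfs by module-setup.sh, so a missing binary fails the test and the wipe runs — the safe direction, but worth stating in a comment. The new early `return 0` also bypasses the `DRACUT_QUIET="$OLD_DRACUT_QUIET"` restore at the end of `ram_wipe`, which lies outside this hunk.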
@@ -18,7 +18,17 @@ ram_wipe() { return 0 fi - info "wipe-ram.sh: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" + info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." + + ## TODO: sdmem settings. One pass only. Secure? Configurable? + sdmem -l -l -v + + info "wipe-ram.sh: RAM wipe completed, OK." + + ## In theory might be better to check this beforehand, but the test is + ## really fast. The user has no chance of reading the console output + ## without introducing an artificial delay because the sdmem which runs + ## after this, results in much more console output. info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output @@ -34,18 +44,8 @@ wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" - sleep 5 - return 0 fi - info "wipe-ram.sh: Starting RAM wipe..." - - ## TODO: sdmem settings. One pass only. Secure? Configurable? - sdmem -l -l -v - - info "wipe-ram.sh: RAM wipe completed, OK." - info "wipe-ram.sh: END: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN" - ## Restore to previous value. DRACUT_QUIET="$OLD_DRACUT_QUIET" sleep 3 From 32fdcf522be994e693f39c347ab1063ccd94255b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jun 2022 14:47:45 -0400 Subject: [PATCH 0531/1650] - introduce `wiperam=skip` kernel parameter to skip wipe ram - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs --- .../wipe-ram-needshutdown.sh | 33 ++++++++++++++++++- .../40cold-boot-attack-defense/wipe-ram.sh | 20 +++++++++-- 2 files changed, 50 insertions(+), 3 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 723421c..1ab5419 100755 
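Review bot: `info "wipe-ram.sh: RAM wipe completed, OK."` is printed whatever `sdmem -l -l -v` returns, so a wipe that failed to start or exited early still logs success; `if sdmem -l -l -v; then info "wipe-ram.sh: RAM wipe completed, OK."; else warn "wipe-ram.sh: sdmem exited non-zero, RAM wipe may be incomplete!"; fi` would make the log trustworthy, and `warn` is already used in this function. With the dm-crypt check moved after the wipe it can only report a failure after the fact, which the new comment explains, but the second hunk also drops the `sleep 5` in the failure branch, leaving only the common `sleep 3`, so the warning gets no extra time on screen. `ram_wipe` starts before the first hunk.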
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -3,4 +3,35 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -need_shutdown +ram_wipe_check_needshutdown() { + local OLD_DRACUT_QUIET + OLD_DRACUT_QUIET="$DRACUT_QUIET" + DRACUT_QUIET='no' + + local kernel_wiperam_setting + kernel_wiperam_setting=$(getarg wiperam) + + if [ "$kernel_wiperam_setting" = "skip" ]; then + info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK." + DRACUT_QUIET="$OLD_DRACUT_QUIET" + return 0 + fi + + if [ "$kernel_wiperam_setting" = "force" ]; then + info "wipe-ram-needshutdown.sh: wiperam=force detected, OK." + else + if systemd-detect-virt &>/dev/null ; then + info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + DRACUT_QUIET="$OLD_DRACUT_QUIET" + return 0 + fi + fi + + info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." + need_shutdown + + DRACUT_QUIET="$OLD_DRACUT_QUIET" + return 0 +} + +ram_wipe_check_needshutdown diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 8ea64a1..4b1f773 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
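Review bot: The skip/force/VM decision in `ram_wipe_check_needshutdown` is a copy of the one added to `ram_wipe` in wipe-ram.sh by the same patch (next hunk); if the two ever diverge, the cleanup hook may call `need_shutdown` for a wipe the shutdown hook then skips, or skip it for a wipe that was wanted. Moving the decision into one function in a file sourced by both hooks would keep them in lockstep. Any `wiperam=` value other than `skip` or `force` silently takes the default path; a `warn "wipe-ram-needshutdown.sh: unknown wiperam=$kernel_wiperam_setting, ignoring."` branch would surface typos on the kernel command line. The `&>/dev/null` redirection used here is bash-only, as noted on the earlier VM-detection hunk.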
@@ -13,11 +13,27 @@ ram_wipe() { ## check_quiet should show info in console. DRACUT_QUIET='no' - if systemd-detect-virt &>/dev/null ; then - info "wipe-ram.sh: Skip, because VM detected, OK." + local kernel_wiperam_setting + ## getarg returns the last parameter only. + ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. + kernel_wiperam_setting=$(getarg wiperam) + + if [ "$kernel_wiperam_setting" = "skip" ]; then + info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." + DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 fi + if [ "$kernel_wiperam_setting" = "force" ]; then + info "wipe-ram.sh: wiperam=force detected, OK." + else + if systemd-detect-virt &>/dev/null ; then + info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + DRACUT_QUIET="$OLD_DRACUT_QUIET" + return 0 + fi + fi + info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." ## TODO: sdmem settings. One pass only. Secure? Configurable? From 7a448e01a1f2be432c763678742301b64739b920 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 14:27:04 -0400 Subject: [PATCH 0532/1650] bumped changelog version --- changelog.upstream | 39 +++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 45 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fe6f24f..aeb13f6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,42 @@ +commit 32fdcf522be994e693f39c347ab1063ccd94255b +Author: Patrick Schleizer +Date: Thu Jun 30 14:47:45 2022 -0400 + + - introduce `wiperam=skip` kernel parameter to skip wipe ram + - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs + +commit 036f518ddc067461979f5b61a576b7f74b7c6e65 +Author: Patrick Schleizer +Date: Thu Jun 30 13:56:29 2022 -0400 + + improvement + +commit 0e2fae2b693d6c45344cfdf592bac0adf3338d58 +Author: Patrick Schleizer +Date: Thu Jun 30 13:50:18 2022 -0400 + + skip ram wipe inside VMs + + https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40 + +commit e06405c7be683450e6c6f737171b4f10513254e7 +Author: Patrick Schleizer +Date: Wed Jun 29 16:56:16 2022 -0400 + + undo + +commit 1b97d9cb766b00914769e5add699a8bdbcf1e7aa +Author: Patrick Schleizer +Date: Wed Jun 29 16:30:31 2022 -0400 + + fix + +commit 26be74bfe5c51a8ae41bb736847d3e93e7ae27d7 +Author: Patrick Schleizer +Date: Wed Jun 29 16:25:07 2022 -0400 + + bumped changelog version + commit 92c543e71ff5386f4458102e1795132399292328 Author: Patrick Schleizer Date: Wed Jun 29 16:24:52 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 083f55d..bf036e1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 18:27:04 +0000 + security-misc (3:24.3-1) unstable; urgency=medium * New upstream version (local package). From d34fe21963442c6025b56209d0ba10479cde09a6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 15:32:42 -0400 Subject: [PATCH 0533/1650] fix --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 1ab5419..1f59d15 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -3,6 +3,8 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh + ram_wipe_check_needshutdown() { local OLD_DRACUT_QUIET OLD_DRACUT_QUIET="$DRACUT_QUIET" From ed8ce9a7d0869d62eecea7ffc59c176bec061d08 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 15:32:51 -0400 Subject: [PATCH 0534/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index aeb13f6..28c1e20 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit d34fe21963442c6025b56209d0ba10479cde09a6 +Author: Patrick Schleizer +Date: Sat Jul 2 15:32:42 2022 -0400 + + fix + +commit 7a448e01a1f2be432c763678742301b64739b920 +Author: Patrick Schleizer +Date: Sat Jul 2 14:27:04 2022 -0400 + + bumped changelog version + commit 32fdcf522be994e693f39c347ab1063ccd94255b Author: Patrick Schleizer Date: Thu Jun 30 14:47:45 2022 -0400 diff --git a/debian/changelog b/debian/changelog index bf036e1..b6969f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 19:32:50 +0000 + security-misc (3:24.4-1) unstable; urgency=medium * New upstream version (local package). From c29b21c08a839d8dafe2c9654a58f2b178055935 Mon Sep 17 00:00:00 2001 
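Review bot: `type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh` is only added to the cleanup hook, while wipe-ram.sh calls `getarg` as well; if that hook can run without dracut-lib already loaded, the same failure recurs there, so the guard presumably belongs in both files. If `/lib/dracut-lib.sh` is missing, the `.` fails and, at least under bash, execution continues with `getarg` undefined, leaving `kernel_wiperam_setting` empty and the VM check alone deciding; `|| { warn "wipe-ram-needshutdown.sh: cannot source dracut-lib.sh"; return 1; }` would make that visible.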
From: Patrick Schleizer Date: Sat, 2 Jul 2022 15:45:19 -0400 Subject: [PATCH 0535/1650] output --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 1f59d15..c77d51d 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -23,10 +23,11 @@ ram_wipe_check_needshutdown() { info "wipe-ram-needshutdown.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + info "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 fi + info "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK." fi info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." From 1144b39e5efcb318ad92413f623b6f039fd7a5fa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 15:50:59 -0400 Subject: [PATCH 0536/1650] debugging --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index c77d51d..2245fe4 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh 
@@ -22,7 +22,11 @@ ram_wipe_check_needshutdown() { if [ "$kernel_wiperam_setting" = "force" ]; then info "wipe-ram-needshutdown.sh: wiperam=force detected, OK." else - if systemd-detect-virt &>/dev/null ; then + detect_virt_output="$(systemd-detect-virt 2>&1)" + detect_virt_exit_code="$?" + info "wipe-ram-needshutdown.sh: detect_virt_output: '$detect_virt_output'" + info "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'" + if [ "$detect_virt_exit_code" = "0" ]; then info "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 From aebca1b3dce026bbccefa38381e62f30904e5a6d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 15:52:08 -0400 Subject: [PATCH 0537/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 28c1e20..1c56a26 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 1144b39e5efcb318ad92413f623b6f039fd7a5fa +Author: Patrick Schleizer +Date: Sat Jul 2 15:50:59 2022 -0400 + + debugging + +commit c29b21c08a839d8dafe2c9654a58f2b178055935 +Author: Patrick Schleizer +Date: Sat Jul 2 15:45:19 2022 -0400 + + output + +commit ed8ce9a7d0869d62eecea7ffc59c176bec061d08 +Author: Patrick Schleizer +Date: Sat Jul 2 15:32:51 2022 -0400 + + bumped changelog version + commit d34fe21963442c6025b56209d0ba10479cde09a6 Author: Patrick Schleizer Date: Sat Jul 2 15:32:42 2022 -0400 diff --git a/debian/changelog b/debian/changelog index b6969f8..01f0bb5 100644 --- a/debian/changelog +++ b/debian/changelog 
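Review bot: `detect_virt_output` and `detect_virt_exit_code` are assigned without `local`, unlike `OLD_DRACUT_QUIET` and `kernel_wiperam_setting` elsewhere in this function, so they leak into the shell that sources the hook; `local detect_virt_output detect_virt_exit_code` before the assignment keeps the function consistent. Reading `$?` directly after `detect_virt_output="$(systemd-detect-virt 2>&1)"` is correct, since an assignment from a command substitution carries the substitution's status. `ram_wipe_check_needshutdown` starts and ends outside this hunk.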
@@ -1,3 +1,9 @@ +security-misc (3:24.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 19:52:08 +0000 + security-misc (3:24.5-1) unstable; urgency=medium * New upstream version (local package). From 82e7863d5b1efff2c558204bfdf04812af10660b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 16:02:28 -0400 Subject: [PATCH 0538/1650] improvement --- .../40cold-boot-attack-defense/wipe-ram.sh | 43 +++++++++++-------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 4b1f773..39d5b5b 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -7,54 +7,65 @@ ## First version by @friedy10. ## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh -ram_wipe() { - local OLD_DRACUT_QUIET - OLD_DRACUT_QUIET="$DRACUT_QUIET" - ## check_quiet should show info in console. - DRACUT_QUIET='no' +if [ -z "$DRACUT_SYSTEMD" ]; then + warn_debug() { + echo "<28>dracut Warning: $*" > /dev/kmsg + echo "dracut Warning: $*" >&2 + } + info_debug() { + echo "<30>dracut Info: $*" > /dev/kmsg + echo "dracut Info: $*" >&2 || : + } +else + warn_debug() { + echo "Warning: $*" >&2 + } + info_debug() { + echo "Info: $*" + } +fi +ram_wipe() { local kernel_wiperam_setting ## getarg returns the last parameter only. ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." - DRACUT_QUIET="$OLD_DRACUT_QUIET" + info_debug "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "wipe-ram.sh: wiperam=force detected, OK." + info_debug "wipe-ram.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." - DRACUT_QUIET="$OLD_DRACUT_QUIET" + info_debug "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." return 0 fi fi - info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." + info_debug "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." ## TODO: sdmem settings. One pass only. Secure? Configurable? sdmem -l -l -v - info "wipe-ram.sh: RAM wipe completed, OK." + info_debug "wipe-ram.sh: RAM wipe completed, OK." ## In theory might be better to check this beforehand, but the test is ## really fast. 
The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." + info_debug "wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." + info_debug "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." else - warn "\ + warn_debug "\ wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! debugging information: @@ -62,8 +73,6 @@ dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" fi - ## Restore to previous value. - DRACUT_QUIET="$OLD_DRACUT_QUIET" sleep 3 } From 148a050468658c254b67de2de61cad3e147e2178 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 16:03:45 -0400 Subject: [PATCH 0539/1650] fix --- .../dracut/modules.d/40cold-boot-attack-defense/module-setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index a81fdef..388649e 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -14,6 +14,7 @@ check() { require_binaries sleep || return 1 require_binaries dmsetup || return 1 require_binaries sdmem || return 1 + require_binaries systemd-detect-virt || return 1 return 0 } 
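Review bot: The two `info_debug` definitions disagree on where output goes — the non-systemd one writes to `/dev/kmsg` and stderr, the systemd one to stdout — and only one of the four `echo` lines is guarded with `|| :`, so a failed write to `/dev/kmsg` aborts the hook before `sdmem` runs if the sourcing shell runs with `set -e` (not visible here). Guarding every line the same way, e.g. `echo "<30>dracut Info: $*" > /dev/kmsg || :`, and sending both branches' output to the same stream would make the log predictable. With the `DRACUT_QUIET` save/restore removed, these messages no longer pass through dracut's quiet handling, which is presumably the intent but deserves a comment. `ram_wipe` continues in the second hunk.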
@@ -27,6 +28,7 @@ install() { inst_multiple sleep inst_multiple sdmem inst_multiple dmsetup + inst_multiple systemd-detect-virt inst_hook shutdown 40 "$moddir/wipe-ram.sh" inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh" } From 3bd87d019fb08644578d2ee73d2ac7185687f115 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 16:03:52 -0400 Subject: [PATCH 0540/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1c56a26..d5d63bc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 148a050468658c254b67de2de61cad3e147e2178 +Author: Patrick Schleizer +Date: Sat Jul 2 16:03:45 2022 -0400 + + fix + +commit 82e7863d5b1efff2c558204bfdf04812af10660b +Author: Patrick Schleizer +Date: Sat Jul 2 16:02:28 2022 -0400 + + improvement + +commit aebca1b3dce026bbccefa38381e62f30904e5a6d +Author: Patrick Schleizer +Date: Sat Jul 2 15:52:08 2022 -0400 + + bumped changelog version + commit 1144b39e5efcb318ad92413f623b6f039fd7a5fa Author: Patrick Schleizer Date: Sat Jul 2 15:50:59 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 01f0bb5..3564c7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 20:03:52 +0000 + security-misc (3:24.6-1) unstable; urgency=medium * New upstream version (local package). From 95187bd357e6f2f855afbf546da42c6229a8394e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 17:21:33 -0400 Subject: [PATCH 0541/1650] fix --- .../40cold-boot-attack-defense/wipe-ram.sh | 39 ++++++------------- 1 file changed, 11 insertions(+), 28 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 39d5b5b..5f72a0d 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -7,24 +7,6 @@ ## First version by @friedy10. ## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh -if [ -z "$DRACUT_SYSTEMD" ]; then - warn_debug() { - echo "<28>dracut Warning: $*" > /dev/kmsg - echo "dracut Warning: $*" >&2 - } - info_debug() { - echo "<30>dracut Info: $*" > /dev/kmsg - echo "dracut Info: $*" >&2 || : - } -else - warn_debug() { - echo "Warning: $*" >&2 - } - info_debug() { - echo "Info: $*" - } -fi - ram_wipe() { local kernel_wiperam_setting ## getarg returns the last parameter only. 
@@ -32,45 +14,46 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info_debug "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." + echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info_debug "wipe-ram.sh: wiperam=force detected, OK." + echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg else if systemd-detect-virt &>/dev/null ; then - info_debug "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg return 0 fi fi - info_debug "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." + echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg ## TODO: sdmem settings. One pass only. Secure? Configurable? + ## TODO: > /dev/kmsg 2> /dev/kmsg sdmem -l -l -v - info_debug "wipe-ram.sh: RAM wipe completed, OK." + echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info_debug "wipe-ram.sh: Checking if there are still mounted encrypted disks..." + echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info_debug "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." 
+ echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg else - warn_debug "\ -wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! + echo "\ +WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' -dmsetup_actual_output: '$dmsetup_actual_output'" +dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg fi sleep 3 From e783ddc71e5e528051e1bd0fda3f60decc0af9bf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 17:37:16 -0400 Subject: [PATCH 0542/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d5d63bc..cc5a573 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 95187bd357e6f2f855afbf546da42c6229a8394e +Author: Patrick Schleizer +Date: Sat Jul 2 17:21:33 2022 -0400 + + fix + +commit 3bd87d019fb08644578d2ee73d2ac7185687f115 +Author: Patrick Schleizer +Date: Sat Jul 2 16:03:52 2022 -0400 + + bumped changelog version + commit 148a050468658c254b67de2de61cad3e147e2178 Author: Patrick Schleizer Date: Sat Jul 2 16:03:45 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 3564c7d..7d1c924 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 21:37:16 +0000 + security-misc (3:24.7-1) unstable; urgency=medium * New upstream version (local package). From 973f117aa6a7418ea29125753f6c6b6f7e7986a4 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 2 Jul 2022 18:12:36 -0400 Subject: [PATCH 0543/1650] wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning by running: `echo 3 > /proc/sys/vm/drop_caches` Inspired by Tails: https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 5f72a0d..8a543d8 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -29,6 +29,10 @@ ram_wipe() { echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook + ### Ensure any remaining disk cache is erased by Linux' memory poisoning + echo 3 > /proc/sys/vm/drop_caches + ## TODO: sdmem settings. One pass only. Secure? Configurable? ## TODO: > /dev/kmsg 2> /dev/kmsg sdmem -l -l -v From 01b82bf0f0b96b3e08e272b8b2e69c1b3f0dcc16 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 18:30:06 -0400 Subject: [PATCH 0544/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cc5a573..d3c1fc3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
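Review bot: The new `echo 3 > /proc/sys/vm/drop_caches` only achieves the stated goal if the kernel actually poisons freed pages, which this hook neither checks nor documents; otherwise dropped pages are merely returned to the allocator and only the subsequent `sdmem` pass overwrites them. A comment stating the prerequisite prevents a false sense of coverage, e.g. `## Relies on kernel memory poisoning (init_on_free=1 / page_poison=1); without it, dropping caches erases nothing — sdmem below is the fallback.` The `###` marker also differs from the `##` comment style used throughout the file. ram_wipe starts and ends outside this hunk.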
@@ -1,3 +1,21 @@ +commit 973f117aa6a7418ea29125753f6c6b6f7e7986a4 +Author: Patrick Schleizer +Date: Sat Jul 2 18:12:36 2022 -0400 + + wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning + + by running: + `echo 3 > /proc/sys/vm/drop_caches` + + Inspired by Tails: + https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook + +commit e783ddc71e5e528051e1bd0fda3f60decc0af9bf +Author: Patrick Schleizer +Date: Sat Jul 2 17:37:16 2022 -0400 + + bumped changelog version + commit 95187bd357e6f2f855afbf546da42c6229a8394e Author: Patrick Schleizer Date: Sat Jul 2 17:21:33 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 7d1c924..9227546 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:24.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 22:30:06 +0000 + security-misc (3:24.8-1) unstable; urgency=medium * New upstream version (local package). From 67bdd58bf2a8090a29e35b85fb4a25d42a8f8a1a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 19:07:06 -0400 Subject: [PATCH 0545/1650] sync --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 8a543d8..7446314 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -29,10 +29,14 @@ ram_wipe() { echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + sync + ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook ### Ensure any remaining disk cache is erased by Linux' memory poisoning echo 3 > /proc/sys/vm/drop_caches + sync + ## TODO: sdmem settings. One pass only. Secure? Configurable? ## TODO: > /dev/kmsg 2> /dev/kmsg sdmem -l -l -v From 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 2 Jul 2022 19:10:55 -0400 Subject: [PATCH 0546/1650] drop_caches before and after sdmem --- .../40cold-boot-attack-defense/wipe-ram.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 7446314..aefbd8d 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -7,6 +7,14 @@ ## First version by @friedy10. ## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh +drop_caches() { + sync + ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook + ### Ensure any remaining disk cache is erased by Linux' memory poisoning + echo 3 > /proc/sys/vm/drop_caches + sync +} + ram_wipe() { local kernel_wiperam_setting ## getarg returns the last parameter only. 
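Review bot: The new `drop_caches()` writes to `/proc/sys/vm/drop_caches` without checking the result, so a read-only or absent procfs at shutdown fails silently and the caller continues as if caches were dropped; `echo 3 > /proc/sys/vm/drop_caches || echo "WARNING: wipe-ram.sh: drop_caches failed" > /dev/kmsg` keeps the helper best-effort while surfacing the failure. The surrounding `sync` calls deserve a why-comment, since drop_caches frees only clean page cache and the first `sync` is what makes dirty pages eligible: `## sync first: drop_caches frees clean pages only, so dirty page cache must be written back before it can be dropped.` The same comment fits the `sync` added in the preceding hunk of this file.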
@@ -29,18 +37,14 @@ ram_wipe() { echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg - sync - - ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook - ### Ensure any remaining disk cache is erased by Linux' memory poisoning - echo 3 > /proc/sys/vm/drop_caches - - sync + drop_caches ## TODO: sdmem settings. One pass only. Secure? Configurable? ## TODO: > /dev/kmsg 2> /dev/kmsg sdmem -l -l -v + drop_caches + echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg ## In theory might be better to check this beforehand, but the test is From e5f8004a9401727f1be2db492ea756bc19090866 Mon Sep 17 00:00:00 2001 From: Krish-sysadmin Date: Tue, 5 Jul 2022 03:37:40 +0200 Subject: [PATCH 0547/1650] Update hide-hardware-info --- usr/libexec/security-misc/hide-hardware-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 4d1c8ca..30c2db8 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -93,9 +93,9 @@ if [ -d /sys/fs/selinux ]; then for i in /sys/* /sys/fs/* do if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" + chmod o-rwx "${i}" || continue else - chmod og-rwx "${i}" + chmod og-rwx "${i}" || continue fi done chmod o+rx /sys /sys/fs /sys/fs/selinux From b342ce930ea14a365ba23f37642cc9c098470362 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:28:22 -0400 Subject: [PATCH 0548/1650] add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` --- .../grub.d/40_cold_boot_attack_defense.cfg | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/default/grub.d/40_cold_boot_attack_defense.cfg 
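Review bot: The added `|| continue` on both `chmod` lines is the last statement of the loop body (nothing follows `fi` before `done`), so `continue` changes no control flow; its only effect is to turn a failed `chmod` into a zero exit status, which matters only if the script runs under `set -e` (not visible in this hunk). If that is the intent, `|| true` says so more honestly, and logging the path keeps the hardening failure visible: `chmod o-rwx "${i}" || echo "WARNING: hide-hardware-info: chmod failed on ${i}" >&2`. The enclosing `if [ -d /sys/fs/selinux ]` block starts and ends outside this hunk.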
diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg new file mode 100644 index 0000000..3cf1c69 --- /dev/null +++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg @@ -0,0 +1,17 @@ +## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## RAM wipe is enabled by default on real hardware / bare metal. +## RAM wipe is disabled by in virtual machines (VMs). +## https://www.kicksecure.com/wiki/Dev/RAM_Wipe + +## RAM wipe is omitted in virtual machines (VMs) by default because it is +## unclear if that could actually lead to the host operating system using +## swap. Through use of kernel parameter wiperam=force it is possible to +## force RAM wipe inside VMs which is useful for testing, development purposes. +#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force" + +## Kernel parameter wiperam=skip is provided to support disabling RAM wipe +## at shutdown, which might be useful to speed up shutdown or in case should +## there ever be issues. +#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=skip" From 8f03ce049a1f48bb088cf92f4f39cceb2e3a5ae6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:41:55 -0400 Subject: [PATCH 0549/1650] readme --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index b991963..0881958 100644 --- a/README.md +++ b/README.md 
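Review bot: The new comment `## RAM wipe is disabled by in virtual machines (VMs).` has a stray word and should read `## RAM wipe is disabled by default in virtual machines (VMs).` Both commented examples append to `GRUB_CMDLINE_LINUX_DEFAULT`, so a user who uncomments both ends up with `wiperam=force wiperam=skip` on the command line, and the hook's `getarg` takes the last one; a one-line note such as `## If both parameters are present, the last one on the kernel command line wins.` would spare that surprise.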
@@ -389,6 +389,21 @@ information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by executing `systemctl enable hide-hardware-info.service` as root. +## Cold Boot Attack Defense + +Wiping RAM at shutdown to defeat cold boot attacks. + +User documentation: +https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense + +Design documentation: +https://www.kicksecure.com/wiki/Dev/RAM_Wipe + +Source code: + +* `/usr/lib/dracut/modules.d/40cold-boot-attack-defense` +* `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` + ## miscellaneous * hardened malloc compatibility for haveged workaround From c20d588d7871bce1b8a02d46e6f658844a014572 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:42:37 -0400 Subject: [PATCH 0550/1650] comments --- etc/default/grub.d/40_cold_boot_attack_defense.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg index 3cf1c69..1b4793a 100644 --- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg +++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg @@ -3,6 +3,11 @@ ## RAM wipe is enabled by default on real hardware / bare metal. ## RAM wipe is disabled by in virtual machines (VMs). +## +## User documentation: +## https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense +## +## Design documentation: ## https://www.kicksecure.com/wiki/Dev/RAM_Wipe ## RAM wipe is omitted in virtual machines (VMs) by default because it is From 435c689cf9ee9e94dec42ab3c45bc02beb8f9c40 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:44:28 -0400 Subject: [PATCH 0551/1650] comments --- etc/default/grub.d/40_cold_boot_attack_defense.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg index 1b4793a..9342c5a 100644 --- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg +++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## RAM wipe is enabled by default on real hardware / bare metal. +## RAM wipe is enabled by default on host operating systems, real hardware. ## RAM wipe is disabled by in virtual machines (VMs). ## ## User documentation: @@ -14,6 +14,8 @@ ## unclear if that could actually lead to the host operating system using ## swap. Through use of kernel parameter wiperam=force it is possible to ## force RAM wipe inside VMs which is useful for testing, development purposes. +## There is no additional security benefit by the wiperam=force setting +## for host operating systems. #GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force" ## Kernel parameter wiperam=skip is provided to support disabling RAM wipe From 5d47f5f74cc9f5e186de8db5305a44029ebbb362 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:45:09 -0400 Subject: [PATCH 0552/1650] comments --- etc/default/grub.d/40_cold_boot_attack_defense.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg index 9342c5a..a4a04eb 100644 --- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg +++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg @@ -1,6 +1,8 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Wiping RAM at shutdown to defeat cold boot attacks. +## ## RAM wipe is enabled by default on host operating systems, real hardware. ## RAM wipe is disabled by in virtual machines (VMs). ## From 1c0e0719483c68ce04b5c14159ad09a87c386deb Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:45:55 -0400 Subject: [PATCH 0553/1650] comments --- etc/default/grub.d/40_cold_boot_attack_defense.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg index a4a04eb..1729c14 100644 --- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg +++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg @@ -6,6 +6,9 @@ ## RAM wipe is enabled by default on host operating systems, real hardware. ## RAM wipe is disabled by in virtual machines (VMs). ## +## Most users should not make any modifications to this config file because +## there is no need for that. +## ## User documentation: ## https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense ## From 949edf3e1753fcd403015c2d0dc8f3503a7f62d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:48:58 -0400 Subject: [PATCH 0554/1650] readme --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 0881958..68a00d5 100644 --- a/README.md +++ b/README.md @@ -393,6 +393,12 @@ executing `systemctl enable hide-hardware-info.service` as root. Wiping RAM at shutdown to defeat cold boot attacks. +Requires `dracut`. In other words, RAM wipe is incompatible with systems +using `initramfs-tools`. To switch to, install dracut: + + sudo apt update + sudo apt install --no-install-recommends dracut + User documentation: https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense From b8ba6085357631fb1f346a613d7e354aaf780560 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 10:57:28 -0400 Subject: [PATCH 0555/1650] readme --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 68a00d5..bc7e406 100644 --- a/README.md +++ b/README.md 
@@ -393,12 +393,20 @@ executing `systemctl enable hide-hardware-info.service` as root. Wiping RAM at shutdown to defeat cold boot attacks. +Implemented as `dracut` module `cold-boot-attack-defense`. + Requires `dracut`. In other words, RAM wipe is incompatible with systems using `initramfs-tools`. To switch to, install dracut: sudo apt update sudo apt install --no-install-recommends dracut +`dracut` is intentionally not declared as a dependency of `security-misc` to +avoid making all of `security-misc` dependent on `dracut` only for the sake of +the wipe RAM at shutdown feature. Linux distribution such as Kicksecure are +advised to (and Kicksecure is planning to) install `dracut` instead of +`initramfs-tools` by default. + User documentation: https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense From 92ff868ecefed4377c5f1e99eb5e5eecbb021564 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 11:05:36 -0400 Subject: [PATCH 0556/1650] readme --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bc7e406..d7c9ea4 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,10 @@ encryption keys or passwords. See: * An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and `/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. +as early as possible. This is implemented for `initramfs-tools` only because +this is not needed for `dracut` because `dracut` does that by default, at least +on `systemd` enabled systems. Not researched for non-`systemd` systems by the +author of this part of the readme. ## Network hardening @@ -407,6 +410,8 @@ the wipe RAM at shutdown feature. Linux distribution such as Kicksecure are advised to (and Kicksecure is planning to) install `dracut` instead of `initramfs-tools` by default. +Only tested on `systemd` enabled systems. + User documentation: https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense 
From 1b287a6430527c762f9bf909bcda58ab52041668 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 5 Jul 2022 11:16:33 -0400 Subject: [PATCH 0557/1650] bumped changelog version --- changelog.upstream | 72 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 78 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d3c1fc3..3776ec7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,75 @@ +commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 +Author: Patrick Schleizer +Date: Tue Jul 5 11:05:36 2022 -0400 + + readme + +commit b8ba6085357631fb1f346a613d7e354aaf780560 +Author: Patrick Schleizer +Date: Tue Jul 5 10:57:28 2022 -0400 + + readme + +commit 949edf3e1753fcd403015c2d0dc8f3503a7f62d2 +Author: Patrick Schleizer +Date: Tue Jul 5 10:48:58 2022 -0400 + + readme + +commit 1c0e0719483c68ce04b5c14159ad09a87c386deb +Author: Patrick Schleizer +Date: Tue Jul 5 10:45:55 2022 -0400 + + comments + +commit 5d47f5f74cc9f5e186de8db5305a44029ebbb362 +Author: Patrick Schleizer +Date: Tue Jul 5 10:45:09 2022 -0400 + + comments + +commit 435c689cf9ee9e94dec42ab3c45bc02beb8f9c40 +Author: Patrick Schleizer +Date: Tue Jul 5 10:44:28 2022 -0400 + + comments + +commit c20d588d7871bce1b8a02d46e6f658844a014572 +Author: Patrick Schleizer +Date: Tue Jul 5 10:42:37 2022 -0400 + + comments + +commit 8f03ce049a1f48bb088cf92f4f39cceb2e3a5ae6 +Author: Patrick Schleizer +Date: Tue Jul 5 10:41:55 2022 -0400 + + readme + +commit b342ce930ea14a365ba23f37642cc9c098470362 +Author: Patrick Schleizer +Date: Tue Jul 5 10:28:22 2022 -0400 + + add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` + +commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 +Author: Patrick Schleizer +Date: Sat Jul 2 19:10:55 2022 -0400 + + drop_caches before and after sdmem + +commit 67bdd58bf2a8090a29e35b85fb4a25d42a8f8a1a +Author: Patrick Schleizer +Date: Sat Jul 2 19:07:06 2022 -0400 + + sync + +commit 01b82bf0f0b96b3e08e272b8b2e69c1b3f0dcc16 +Author: Patrick Schleizer +Date: Sat Jul 2 18:30:06 2022 -0400 + + bumped changelog version + commit 973f117aa6a7418ea29125753f6c6b6f7e7986a4 Author: Patrick Schleizer Date: Sat Jul 2 18:12:36 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 9227546..77c7ca1 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:25.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 05 Jul 2022 15:16:33 +0000 + security-misc (3:24.9-1) unstable; urgency=medium * New upstream version (local package). From 18d67dbc5309a2403bece92881e671f46dc27f86 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 7 Jul 2022 09:26:55 +0000 Subject: [PATCH 0558/1650] Blacklist more modules --- etc/modprobe.d/30_security-misc.conf | 33 ++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 7f177e6..03d902e 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -12,8 +12,17 @@ install bluetooth /bin/false install btusb /bin/false # Blacklist thunderbolt and firewire to prevent some DMA attacks. -install firewire-core /bin/false install thunderbolt /bin/false +install firewire-core /bin/false +install firewire_core /bin/false +install firewire-ohci /bin/false +install firewire_ohci /bin/false +install ohci1394 /bin/false +install sbp2 /bin/false +install dv1394 /bin/false +install raw1394 /bin/false +install video1394 /bin/false +install firewire-sbp2 /bin/false # Blacklist CPU MSRs as they can be abused to write to # arbitrary memory. 
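Review bot: The new firewire block lists both `firewire-core`/`firewire_core` and `firewire-ohci`/`firewire_ohci`; modprobe treats dashes and underscores in module names as equivalent, so the underscore duplicates add nothing, and a comment saying so (or dropping them) avoids the impression that both spellings are required. `ohci1394`, `sbp2`, `dv1394`, `raw1394` and `video1394` belong to the legacy ieee1394 stack removed from mainline kernels long ago; keeping them is harmless, but `# legacy ieee1394 stack, kept for old kernels` tells the next reader why they are here. It is also worth stating once at the top of the file that `install <module> /bin/false` only blocks on-demand loading through modprobe and has no effect on drivers built into the kernel or already loaded.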
@@ -47,10 +56,22 @@ install p8022 /bin/false install can /bin/false install atm /bin/false -# Disable uncommon filesystems to reduce attack surface +# Disable uncommon file systems to reduce attack surface install cramfs /bin/false +install freevxfs /bin/false +install jffs2 /bin/false +install hfs /bin/false +install hfsplus /bin/false install udf /bin/false +# Disable uncommon network filesystems to reduce attack surface +install cifs /bin/false +install nfs /bin/false +install nfsv3 /bin/false +install nfsv4 /bin/false +install ksmbd /bin/false +install gfs2 /bin/false + ## Blacklists the vivid kernel module as it's only required for ## testing and has been the cause of multiple vulnerabilities. ## @@ -58,3 +79,11 @@ install udf /bin/false ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/false + +# Disable CD-ROM +install cdrom /bin/false +install sr_mod /bin/false + +# Disable Intel Management Engine (ME) interface with OS +install mei /bin/false +install mei-me /bin/false From f0511635a9725f79863c41a7b8d9f8a077ba8788 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 7 Jul 2022 09:27:53 +0000 Subject: [PATCH 0559/1650] replace /bin/false -> /bin/true --- etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++-------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 03d902e..3d87d2a 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
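Review bot: `nfsv3` and `nfsv4` depend on `nfs`, so `install nfs /bin/false` already stops them from loading; the extra lines are harmless but a comment such as `# nfsv3/nfsv4 listed explicitly for clarity; they depend on nfs` would make the redundancy intentional. The new comments alternate between `file systems` and `network filesystems` within the same hunk; pick one spelling. Since a blocked `install` surfaces to users as a failed `mount` with a modprobe error, a one-line note on that operational effect would help anyone debugging why NFS or CIFS shares no longer mount.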
@@ -8,25 +8,25 @@ options nf_conntrack nf_conntrack_helper=0 # Bluetooth also has a history of security vulnerabilities: # # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false +install bluetooth /bin/true +install btusb /bin/true # Blacklist thunderbolt and firewire to prevent some DMA attacks. -install thunderbolt /bin/false -install firewire-core /bin/false -install firewire_core /bin/false -install firewire-ohci /bin/false -install firewire_ohci /bin/false -install ohci1394 /bin/false -install sbp2 /bin/false -install dv1394 /bin/false -install raw1394 /bin/false -install video1394 /bin/false -install firewire-sbp2 /bin/false +install thunderbolt /bin/true +install firewire-core /bin/true +install firewire_core /bin/true +install firewire-ohci /bin/true +install firewire_ohci /bin/true +install ohci1394 /bin/true +install sbp2 /bin/true +install dv1394 /bin/true +install raw1394 /bin/true +install video1394 /bin/true +install firewire-sbp2 /bin/true # Blacklist CPU MSRs as they can be abused to write to # arbitrary memory. -install msr /bin/false +install msr /bin/true # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # 
@@ -36,41 +36,41 @@ install msr /bin/false # # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. # -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false -install can /bin/false -install atm /bin/false +install dccp /bin/true +install sctp /bin/true +install rds /bin/true +install tipc /bin/true +install n-hdlc /bin/true +install ax25 /bin/true +install netrom /bin/true +install x25 /bin/true +install rose /bin/true +install decnet /bin/true +install econet /bin/true +install af_802154 /bin/true +install ipx /bin/true +install appletalk /bin/true +install psnap /bin/true +install p8023 /bin/true +install p8022 /bin/true +install can /bin/true +install atm /bin/true # Disable uncommon file systems to reduce attack surface -install cramfs /bin/false -install freevxfs /bin/false -install jffs2 /bin/false -install hfs /bin/false -install hfsplus /bin/false -install udf /bin/false +install cramfs /bin/true +install freevxfs /bin/true +install jffs2 /bin/true +install hfs /bin/true +install hfsplus /bin/true +install udf /bin/true # Disable uncommon network filesystems to reduce attack surface -install cifs /bin/false -install nfs /bin/false -install nfsv3 /bin/false -install nfsv4 /bin/false -install ksmbd /bin/false -install gfs2 /bin/false +install cifs /bin/true +install nfs /bin/true +install nfsv3 /bin/true +install nfsv4 /bin/true +install ksmbd /bin/true +install gfs2 /bin/true ## Blacklists the vivid kernel module as it's only required for ## testing and 
has been the cause of multiple vulnerabilities. @@ -78,12 +78,12 @@ install gfs2 /bin/false ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/false +install vivid /bin/true # Disable CD-ROM -install cdrom /bin/false -install sr_mod /bin/false +install cdrom /bin/true +install sr_mod /bin/true # Disable Intel Management Engine (ME) interface with OS -install mei /bin/false -install mei-me /bin/false +install mei /bin/true +install mei-me /bin/true From 28381e81d4a57c59929a37745fa8ba5f3e0b25cb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 7 Jul 2022 09:28:30 +0000 Subject: [PATCH 0560/1650] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index d7c9ea4..0b016ed 100644 --- a/README.md +++ b/README.md @@ -149,6 +149,11 @@ of multiple vulnerabilities so it is blacklisted. * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. +* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. + +* Disables the use of CD-ROM devices by default. + +* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. ### Other * A systemd service clears the System.map file on boot as these contain kernel From da389d6682f6eb1d0c0172c50a4b529152384415 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 8 Jul 2022 02:12:04 +1000 Subject: [PATCH 0561/1650] Revert "replace /bin/false -> /bin/true" This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. --- etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++-------------- 1 file changed, 50 insertions(+), 50 deletions(-) 
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 3d87d2a..03d902e 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -8,25 +8,25 @@ options nf_conntrack nf_conntrack_helper=0 # Bluetooth also has a history of security vulnerabilities: # # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/true -install btusb /bin/true +install bluetooth /bin/false +install btusb /bin/false # Blacklist thunderbolt and firewire to prevent some DMA attacks. -install thunderbolt /bin/true -install firewire-core /bin/true -install firewire_core /bin/true -install firewire-ohci /bin/true -install firewire_ohci /bin/true -install ohci1394 /bin/true -install sbp2 /bin/true -install dv1394 /bin/true -install raw1394 /bin/true -install video1394 /bin/true -install firewire-sbp2 /bin/true +install thunderbolt /bin/false +install firewire-core /bin/false +install firewire_core /bin/false +install firewire-ohci /bin/false +install firewire_ohci /bin/false +install ohci1394 /bin/false +install sbp2 /bin/false +install dv1394 /bin/false +install raw1394 /bin/false +install video1394 /bin/false +install firewire-sbp2 /bin/false # Blacklist CPU MSRs as they can be abused to write to # arbitrary memory. -install msr /bin/true +install msr /bin/false # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # 
@@ -36,41 +36,41 @@ install msr /bin/true # # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. # -install dccp /bin/true -install sctp /bin/true -install rds /bin/true -install tipc /bin/true -install n-hdlc /bin/true -install ax25 /bin/true -install netrom /bin/true -install x25 /bin/true -install rose /bin/true -install decnet /bin/true -install econet /bin/true -install af_802154 /bin/true -install ipx /bin/true -install appletalk /bin/true -install psnap /bin/true -install p8023 /bin/true -install p8022 /bin/true -install can /bin/true -install atm /bin/true +install dccp /bin/false +install sctp /bin/false +install rds /bin/false +install tipc /bin/false +install n-hdlc /bin/false +install ax25 /bin/false +install netrom /bin/false +install x25 /bin/false +install rose /bin/false +install decnet /bin/false +install econet /bin/false +install af_802154 /bin/false +install ipx /bin/false +install appletalk /bin/false +install psnap /bin/false +install p8023 /bin/false +install p8022 /bin/false +install can /bin/false +install atm /bin/false # Disable uncommon file systems to reduce attack surface -install cramfs /bin/true -install freevxfs /bin/true -install jffs2 /bin/true -install hfs /bin/true -install hfsplus /bin/true -install udf /bin/true +install cramfs /bin/false +install freevxfs /bin/false +install jffs2 /bin/false +install hfs /bin/false +install hfsplus /bin/false +install udf /bin/false # Disable uncommon network filesystems to reduce attack surface -install cifs /bin/true -install nfs /bin/true -install nfsv3 /bin/true -install nfsv4 /bin/true -install ksmbd /bin/true -install gfs2 /bin/true +install cifs /bin/false +install nfs /bin/false +install nfsv3 /bin/false +install nfsv4 /bin/false +install ksmbd /bin/false +install gfs2 /bin/false ## Blacklists the vivid kernel module as it's only required for ## testing and 
has been the cause of multiple vulnerabilities. @@ -78,12 +78,12 @@ install gfs2 /bin/true ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/true +install vivid /bin/false # Disable CD-ROM -install cdrom /bin/true -install sr_mod /bin/true +install cdrom /bin/false +install sr_mod /bin/false # Disable Intel Management Engine (ME) interface with OS -install mei /bin/true -install mei-me /bin/true +install mei /bin/false +install mei-me /bin/false From fa2e30f5125e438250acfdc52107a936ecb7b1b4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 8 Jul 2022 03:04:37 +1000 Subject: [PATCH 0562/1650] Updated descriptions of disabled modules --- etc/modprobe.d/30_security-misc.conf | 38 +++++++++++++++------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 03d902e..422fcd0 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -1,17 +1,20 @@ ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://phabricator.whonix.org/T486 +# See the following links for a community discussion and overview regarding the selections +# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +# Blacklist automatic conntrack helper assignment +# https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# +# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/false install btusb /bin/false -# Blacklist thunderbolt and firewire to prevent some DMA attacks. +# Blacklist thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/false install firewire-core /bin/false install firewire_core /bin/false @@ -24,11 +27,10 @@ install raw1394 /bin/false install video1394 /bin/false install firewire-sbp2 /bin/false -# Blacklist CPU MSRs as they can be abused to write to -# arbitrary memory. +# Blacklist CPU MSRs as they can be abused to write to arbitrary memory. install msr /bin/false -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # 
@@ -56,7 +58,7 @@ install p8022 /bin/false install can /bin/false install atm /bin/false -# Disable uncommon file systems to reduce attack surface +# Blacklist uncommon file systems to reduce attack surface install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false @@ -64,7 +66,7 @@ install hfs /bin/false install hfsplus /bin/false install udf /bin/false -# Disable uncommon network filesystems to reduce attack surface +# Blacklist uncommon network file systems to reduce attack surface install cifs /bin/false install nfs /bin/false install nfsv3 /bin/false @@ -72,18 +74,18 @@ install nfsv4 /bin/false install ksmbd /bin/false install gfs2 /bin/false -## Blacklists the vivid kernel module as it's only required for -## testing and has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +# https://www.openwall.com/lists/oss-security/2019/11/02/1 +# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/false -# Disable CD-ROM +# Blacklist CD-ROM devices +# https://nvd.nist.gov/vuln/detail/CVE-2018-11506 install cdrom /bin/false install sr_mod /bin/false -# Disable Intel Management Engine (ME) interface with OS +# Blacklist Intel Management Engine (ME) interface with the OS +# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/false install mei-me /bin/false From 780dc8eec99915a7466249e219ad59c5db5f0364 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 8 Jul 2022 04:11:25 +1000 Subject: [PATCH 0563/1650] replace /bin/false -> /bin/disabled-by-security-misc --- etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++-------------- usr/bin/disabled-by-security-misc | 10 +++ 2 files changed, 60 insertions(+), 50 deletions(-) create mode 100755 usr/bin/disabled-by-security-misc diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 422fcd0..a855e79 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -11,24 +11,24 @@ options nf_conntrack nf_conntrack_helper=0 # Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false +install bluetooth /bin/disabled-by-security-misc +install btusb /bin/disabled-by-security-misc # Blacklist thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/false -install firewire-core /bin/false -install firewire_core /bin/false -install firewire-ohci /bin/false -install firewire_ohci /bin/false -install ohci1394 /bin/false -install sbp2 /bin/false -install dv1394 /bin/false -install raw1394 /bin/false -install video1394 /bin/false -install firewire-sbp2 /bin/false +install thunderbolt /bin/disabled-by-security-misc +install firewire-core /bin/disabled-by-security-misc +install firewire_core /bin/disabled-by-security-misc +install firewire-ohci /bin/disabled-by-security-misc +install firewire_ohci /bin/disabled-by-security-misc +install ohci1394 /bin/disabled-by-security-misc +install sbp2 /bin/disabled-by-security-misc +install dv1394 /bin/disabled-by-security-misc +install raw1394 /bin/disabled-by-security-misc +install video1394 /bin/disabled-by-security-misc +install firewire-sbp2 /bin/disabled-by-security-misc # Blacklist CPU MSRs as they can be abused to write to arbitrary memory. -install msr /bin/false +install msr /bin/disabled-by-security-misc # Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. # 
@@ -38,54 +38,54 @@ install msr /bin/false # # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. # -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false -install can /bin/false -install atm /bin/false +install dccp /bin/disabled-by-security-misc +install sctp /bin/disabled-by-security-misc +install rds /bin/disabled-by-security-misc +install tipc /bin/disabled-by-security-misc +install n-hdlc /bin/disabled-by-security-misc +install ax25 /bin/disabled-by-security-misc +install netrom /bin/disabled-by-security-misc +install x25 /bin/disabled-by-security-misc +install rose /bin/disabled-by-security-misc +install decnet /bin/disabled-by-security-misc +install econet /bin/disabled-by-security-misc +install af_802154 /bin/disabled-by-security-misc +install ipx /bin/disabled-by-security-misc +install appletalk /bin/disabled-by-security-misc +install psnap /bin/disabled-by-security-misc +install p8023 /bin/disabled-by-security-misc +install p8022 /bin/disabled-by-security-misc +install can /bin/disabled-by-security-misc +install atm /bin/disabled-by-security-misc # Blacklist uncommon file systems to reduce attack surface -install cramfs /bin/false -install freevxfs /bin/false -install jffs2 /bin/false -install hfs /bin/false -install hfsplus /bin/false -install udf /bin/false +install cramfs /bin/disabled-by-security-misc +install freevxfs /bin/disabled-by-security-misc +install jffs2 /bin/disabled-by-security-misc +install hfs /bin/disabled-by-security-misc 
+install hfsplus /bin/disabled-by-security-misc +install udf /bin/disabled-by-security-misc # Blacklist uncommon network file systems to reduce attack surface -install cifs /bin/false -install nfs /bin/false -install nfsv3 /bin/false -install nfsv4 /bin/false -install ksmbd /bin/false -install gfs2 /bin/false +install cifs /bin/disabled-by-security-misc +install nfs /bin/disabled-by-security-misc +install nfsv3 /bin/disabled-by-security-misc +install nfsv4 /bin/disabled-by-security-misc +install ksmbd /bin/disabled-by-security-misc +install gfs2 /bin/disabled-by-security-misc # Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities # https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 # https://www.openwall.com/lists/oss-security/2019/11/02/1 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/false +install vivid /bin/disabled-by-security-misc # Blacklist CD-ROM devices # https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -install cdrom /bin/false -install sr_mod /bin/false +install cdrom /bin/disabled-by-security-misc +install sr_mod /bin/disabled-by-security-misc # Blacklist Intel Management Engine (ME) interface with the OS # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/false -install mei-me /bin/false +install mei /bin/disabled-by-security-misc +install mei-me /bin/disabled-by-security-misc diff --git a/usr/bin/disabled-by-security-misc b/usr/bin/disabled-by-security-misc new file mode 100755 index 0000000..9d11c80 --- /dev/null +++ b/usr/bin/disabled-by-security-misc 
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
From ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 7 Jul 2022 15:27:15 -0400 Subject: [PATCH 0564/1650] shuffle
---
 etc/modprobe.d/30_security-misc.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index a855e79..c8851dd 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -80,12 +80,12 @@ install gfs2 /bin/disabled-by-security-misc
 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/disabled-by-security-misc
 
-# Blacklist CD-ROM devices
-# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-install cdrom /bin/disabled-by-security-misc
-install sr_mod /bin/disabled-by-security-misc
-
 # Blacklist Intel Management Engine (ME) interface with the OS
 # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/disabled-by-security-misc
 install mei-me /bin/disabled-by-security-misc
+
+# Blacklist CD-ROM devices
+# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+install cdrom /bin/disabled-by-security-misc
+install sr_mod /bin/disabled-by-security-misc
From d5c16503411bee4199c35a51226fc59924d6e142 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 7 Jul 2022 15:28:09 -0400 Subject: [PATCH 0565/1650] shuffle
---
 README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0b016ed..753d6aa 100644
--- a/README.md
+++ b/README.md
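Review bot: `$@` embedded in a larger double-quoted string on the echo line (`| args: $@`) is the SC2145 pattern and should be `$*`; since modprobe runs `install` commands through `sh -c` with no positional parameters, that field will normally be empty anyway. A more useful message would name the refused module: kmod exports the requested module name to install commands as `MODPROBE_MODULE` (confirm against the shipped kmod version), so `echo "$0: ERROR: kernel module '${MODPROBE_MODULE:-unknown}' is disabled by package security-misc by default. See /etc/modprobe.d/30_security-misc.conf | args: $*" >&2` tells the operator which module was blocked. Note also that the config lines in this same commit reference `/bin/disabled-by-security-misc` while the file is added under `usr/bin/`, which only lines up on merged-/usr systems; a missing command still fails closed (modprobe reports the install command failed and the module is not loaded) but with a confusing error rather than this message.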
@@ -151,9 +151,10 @@ abused to write to arbitrary memory. * Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. +* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. + * Disables the use of CD-ROM devices by default. -* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. ### Other * A systemd service clears the System.map file on boot as these contain kernel From 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 7 Jul 2022 15:39:40 -0400 Subject: [PATCH 0566/1650] not blacklist CD-ROM / DVD yet https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 --- README.md | 2 +- etc/modprobe.d/30_security-misc.conf | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 753d6aa..039c9c4 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,7 @@ abused to write to arbitrary memory. * Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. -* Disables the use of CD-ROM devices by default. +* Not enabled by default yet, comment only: Disables the use of CD-ROM devices by default. ### Other diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index c8851dd..42da9b5 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -87,5 +87,6 @@ install mei-me /bin/disabled-by-security-misc
 
 # Blacklist CD-ROM devices
 # https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-install cdrom /bin/disabled-by-security-misc
-install sr_mod /bin/disabled-by-security-misc
+# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#install cdrom /bin/disabled-by-security-misc
+#install sr_mod /bin/disabled-by-security-misc
From eb8535fe870e79a5c818a38c414147819d32346d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 7 Jul 2022 15:48:39 -0400 Subject: [PATCH 0567/1650] renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc
---
 {usr/bin => bin}/disabled-by-security-misc | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {usr/bin => bin}/disabled-by-security-misc (100%)
diff --git a/usr/bin/disabled-by-security-misc b/bin/disabled-by-security-misc similarity index 100% rename from usr/bin/disabled-by-security-misc rename to bin/disabled-by-security-misc
From 277749f27b2da8d33b70fb6f88c6757fab77e636 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 7 Jul 2022 15:49:08 -0400 Subject: [PATCH 0568/1650] genmkfile debinstfile
---
 debian/security-misc.install | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/security-misc.install b/debian/security-misc.install
index 7445979..0d542c6 100644
--- a/debian/security-misc.install
+++ b/debian/security-misc.install
@@ -1,8 +1,9 @@
 ## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## This file was generated using genmkfile 'make debinstfile'.
+## This file was generated using 'genmkfile debinstfile'.
 
+bin/*
 etc/*
 lib/*
 usr/*
From 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 7 Jul 2022 17:41:13 -0400 Subject: [PATCH 0569/1650] bumped changelog version --- changelog.upstream | 83 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 89 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3776ec7..aa58569 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,86 @@ +commit 277749f27b2da8d33b70fb6f88c6757fab77e636 +Author: Patrick Schleizer +Date: Thu Jul 7 15:49:08 2022 -0400 + + genmkfile debinstfile + +commit eb8535fe870e79a5c818a38c414147819d32346d +Author: Patrick Schleizer +Date: Thu Jul 7 15:48:39 2022 -0400 + + renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc + +commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 +Author: Patrick Schleizer +Date: Thu Jul 7 15:39:40 2022 -0400 + + not blacklist CD-ROM / DVD yet + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 + +commit d5c16503411bee4199c35a51226fc59924d6e142 +Author: Patrick Schleizer +Date: Thu Jul 7 15:28:09 2022 -0400 + + shuffle + +commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 +Author: Patrick Schleizer +Date: Thu Jul 7 15:27:15 2022 -0400 + + shuffle + +commit d018bdaf73e109a61c0687a171af843c890729e0 +Merge: 1b287a6 780dc8e +Author: Patrick Schleizer +Date: Thu Jul 7 15:26:08 2022 -0400 + + Merge remote-tracking branch 'raja-gerwal/master' + +commit 780dc8eec99915a7466249e219ad59c5db5f0364 +Author: Raja Grewal +Date: Fri Jul 8 04:11:25 2022 +1000 + + replace /bin/false -> /bin/disabled-by-security-misc + +commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 +Author: Raja Grewal +Date: Fri Jul 8 03:04:37 2022 +1000 + + Updated descriptions of disabled modules + +commit da389d6682f6eb1d0c0172c50a4b529152384415 +Author: Raja Grewal +Date: Fri Jul 8 02:12:04 2022 +1000 + + Revert "replace /bin/false -> /bin/true" + + This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. 
+ +commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb +Author: raja-grewal +Date: Thu Jul 7 09:28:30 2022 +0000 + + Update README.md + +commit f0511635a9725f79863c41a7b8d9f8a077ba8788 +Author: raja-grewal +Date: Thu Jul 7 09:27:53 2022 +0000 + + replace /bin/false -> /bin/true + +commit 18d67dbc5309a2403bece92881e671f46dc27f86 +Author: raja-grewal +Date: Thu Jul 7 09:26:55 2022 +0000 + + Blacklist more modules + +commit 1b287a6430527c762f9bf909bcda58ab52041668 +Author: Patrick Schleizer +Date: Tue Jul 5 11:16:33 2022 -0400 + + bumped changelog version + commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 Author: Patrick Schleizer Date: Tue Jul 5 11:05:36 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 77c7ca1..9cfe180 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 + security-misc (3:25.0-1) unstable; urgency=medium * New upstream version (local package). From fede41e6e03c33f2f6569f03593f76edb9969e6a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:38:04 -0400 Subject: [PATCH 0570/1650] fix --- usr/libexec/security-misc/hide-hardware-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 30c2db8..4e7fd0e 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -93,9 +93,9 @@ if [ -d /sys/fs/selinux ]; then for i in /sys/* /sys/fs/* do if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || continue + chmod o-rwx "${i}" || true else - chmod og-rwx "${i}" || continue + chmod og-rwx "${i}" || true fi done chmod o+rx /sys /sys/fs /sys/fs/selinux From 1df2cfd1add8b2277cb37499ced4fbb713c17668 Mon Sep 17 00:00:00 2001 
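Review bot: Replacing `|| continue` with `|| true` on the two chmod lines silently discards a failure to strip other/group access from a sysfs entry, which is the one outcome this hardening script exists to prevent, so the operator never learns that the entry stayed readable. Because `continue` was already the last statement of the loop body, the two forms behave identically; the useful change is to report the failure while still moving on, e.g. `chmod o-rwx "${i}" || echo "WARNING: chmod o-rwx '${i}' failed" >&2` and the same for the `og-rwx` branch. The enclosing `if [ -d /sys/fs/selinux ]` block starts and ends outside this hunk.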
From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:38:37 -0400 Subject: [PATCH 0571/1650] comment --- usr/libexec/security-misc/hide-hardware-info | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 4e7fd0e..b603631 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -92,6 +92,8 @@ if [ -d /sys/fs/selinux ]; then ## what is needed for i in /sys/* /sys/fs/* do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then chmod o-rwx "${i}" || true else From adfdac6dea0e8f971c59557b383d116cd51619fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:40:01 -0400 Subject: [PATCH 0572/1650] output --- usr/libexec/security-misc/hide-hardware-info | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index b603631..ba65b30 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,13 +80,12 @@ do fi done -## https://www.whonix.org/wiki/Security-misc#selinux -## ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then + echo "INFO: https://www.whonix.org/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 73d2c9d921c5c75ef3cca5461acc350c648f26d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:40:15 -0400 Subject: [PATCH 0573/1650] output --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index ba65b30..726c002 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -85,7 +85,7 @@ done ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then - echo "INFO: https://www.whonix.org/wiki/Security-misc#selinux" + echo "INFO: https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 3b844eaab25fecf90292c88291be77abf0be694c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:42:11 -0400 Subject: [PATCH 0574/1650] output --- usr/libexec/security-misc/hide-hardware-info | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 726c002..6719b37 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -85,7 +85,8 @@ done ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then - echo "INFO: https://www.kicksecure.com/wiki/Security-misc#selinux" + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:42:24 -0400 Subject: [PATCH 0575/1650] bumped changelog version --- changelog.upstream | 58 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 64 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index aa58569..16be21f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,55 @@ +commit 3b844eaab25fecf90292c88291be77abf0be694c +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:11 2022 -0400 + + output + +commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:15 2022 -0400 + + output + +commit adfdac6dea0e8f971c59557b383d116cd51619fd +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:01 2022 -0400 + + output + +commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:37 2022 -0400 + + comment + +commit fede41e6e03c33f2f6569f03593f76edb9969e6a +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:04 2022 -0400 + + fix + +commit 52c46e4706d5799d452f260616a3909c9a3bc78f +Merge: 1b8500c dc41a58 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:41 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dc41a58102a114e21209aabeef9ad6b851365898 +Merge: 1b8500c e5f8004 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:57 2022 -0400 + + Merge pull request #108 from Krish-sysadmin/master + + Continue for loop if unable to change one directory's permission + +commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 +Author: Patrick Schleizer +Date: Thu Jul 7 17:41:13 2022 -0400 + + bumped changelog version + commit 277749f27b2da8d33b70fb6f88c6757fab77e636 Author: Patrick Schleizer Date: Thu Jul 7 15:49:08 2022 -0400 @@ -135,6 +187,12 @@ Date: Tue Jul 5 10:28:22 2022 -0400 add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` +commit e5f8004a9401727f1be2db492ea756bc19090866 +Author: Krish-sysadmin +Date: Tue Jul 5 03:37:40 2022 +0200 + + Update hide-hardware-info + commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 Author: Patrick Schleizer Date: Sat Jul 2 19:10:55 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 9cfe180..e1fa1be 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:25.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 + security-misc (3:25.1-1) unstable; urgency=medium * New upstream version (local package). From 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 10 Jul 2022 04:52:00 +1000 Subject: [PATCH 0576/1650] =?UTF-8?q?Incorporated=20Ubuntu=E2=80=99s=20ker?= =?UTF-8?q?nel=20module=20blacklists?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 11 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 42da9b5..2b6894a 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -5,32 +5,33 @@ # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -# Blacklist automatic conntrack helper assignment +# Disable automatic conntrack helper assignment # https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities +# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/disabled-by-security-misc install btusb /bin/disabled-by-security-misc -# Blacklist thunderbolt and firewire modules to prevent some DMA attacks +# Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-by-security-misc install firewire-core /bin/disabled-by-security-misc install firewire_core /bin/disabled-by-security-misc install firewire-ohci /bin/disabled-by-security-misc install firewire_ohci /bin/disabled-by-security-misc +install firewire_sbp2 /bin/disabled-by-security-misc +install firewire-sbp2 /bin/disabled-by-security-misc install ohci1394 /bin/disabled-by-security-misc install sbp2 /bin/disabled-by-security-misc install dv1394 /bin/disabled-by-security-misc install raw1394 /bin/disabled-by-security-misc install video1394 /bin/disabled-by-security-misc -install firewire-sbp2 /bin/disabled-by-security-misc -# Blacklist CPU MSRs as they can be abused to write to arbitrary memory. +# Disable CPU MSRs as they can be abused to write to arbitrary memory. install msr /bin/disabled-by-security-misc -# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. 
# # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # @@ -58,7 +59,7 @@ install p8022 /bin/disabled-by-security-misc install can /bin/disabled-by-security-misc install atm /bin/disabled-by-security-misc -# Blacklist uncommon file systems to reduce attack surface +# Disable uncommon file systems to reduce attack surface install cramfs /bin/disabled-by-security-misc install freevxfs /bin/disabled-by-security-misc install jffs2 /bin/disabled-by-security-misc @@ -66,7 +67,7 @@ install hfs /bin/disabled-by-security-misc install hfsplus /bin/disabled-by-security-misc install udf /bin/disabled-by-security-misc -# Blacklist uncommon network file systems to reduce attack surface +# Disable uncommon network file systems to reduce attack surface install cifs /bin/disabled-by-security-misc install nfs /bin/disabled-by-security-misc install nfsv3 /bin/disabled-by-security-misc 
@@ -74,18 +75,71 @@ install nfsv4 /bin/disabled-by-security-misc install ksmbd /bin/disabled-by-security-misc install gfs2 /bin/disabled-by-security-misc -# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities # https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 # https://www.openwall.com/lists/oss-security/2019/11/02/1 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/disabled-by-security-misc -# Blacklist Intel Management Engine (ME) interface with the OS +# Disable Intel Management Engine (ME) interface with the OS # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/disabled-by-security-misc install mei-me /bin/disabled-by-security-misc -# Blacklist CD-ROM devices +# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +blacklist ath_pci + +# Blacklist automatic loading of miscellaneous modules +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +# Blacklist automatic loading of framebuffer drivers +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +blacklist aty128fb +blacklist atyfb +# blacklist radeonfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +# 
blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_base +blacklist neofb +# blacklist nvidiafb +blacklist pm2fb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +# blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +# Disable CD-ROM devices # https://nvd.nist.gov/vuln/detail/CVE-2018-11506 # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc From ef1ef9917d896f1cd837f399def6a75704e9bfd2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 10 Jul 2022 04:53:25 +1000 Subject: [PATCH 0577/1650] Blacklist automatic loading of CD-ROM modules --- etc/modprobe.d/30_security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 2b6894a..697057d 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -144,3 +144,5 @@ blacklist udlfb # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc #install sr_mod /bin/disabled-by-security-misc +blacklist cdrom +blacklist sr_mod From 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 12 Jul 2022 16:58:16 +1000 Subject: [PATCH 0578/1650] Updated comments --- etc/modprobe.d/30_security-misc.conf | 75 +++++++++++++--------------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 697057d..b6c8424 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
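Review bot: The new `blacklist` entries are a weaker control than the `install … /bin/disabled-by-security-misc` lines above them, and nothing in the file says so: `blacklist` only suppresses alias-based automatic loading, while an explicit `modprobe` or a dependency pull still loads the module, whereas `install` replaces the load command itself and fails the load. A comment ahead of the Ubuntu-derived section would make the difference visible, e.g. `# NOTE: 'blacklist' only stops autoloading by alias; the module can still be loaded explicitly or as a dependency. Use 'install <module> /bin/disabled-by-security-misc' to block loading outright.` The commented-out `# blacklist radeonfb`, `# blacklist intelfb`, `# blacklist nvidiafb` and `# blacklist vesafb` lines carry no reason; one comment stating why they are left loadable (presumably to keep common framebuffer consoles working — please confirm) would keep them from being re-enabled by accident.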
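Review bot: With `+blacklist cdrom` / `+blacklist sr_mod` added while the `#install cdrom` / `#install sr_mod` lines stay commented, the section header just above the hunk, "Disable CD-ROM devices", no longer matches what the block does: the modules are only kept from autoloading by alias, not disabled, and an explicit load still works. Rewrite the header to `# Blacklist automatic loading of CD-ROM modules (not fully disabled; 'install' lines intentionally left commented)` so the file and the README agree. Whether `cdrom` is ever loaded by alias rather than only as a dependency of `sr_mod` is worth checking, since a dependency load would bypass the new `blacklist cdrom` line.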
@@ -1,20 +1,20 @@ ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -# See the following links for a community discussion and overview regarding the selections -# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules +## See the following links for a community discussion and overview regarding the selections +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -# Disable automatic conntrack helper assignment -# https://phabricator.whonix.org/T486 +## Disable automatic conntrack helper assignment +## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/disabled-by-security-misc install btusb /bin/disabled-by-security-misc -# Disable thunderbolt and firewire modules to prevent some DMA attacks +## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-by-security-misc install firewire-core /bin/disabled-by-security-misc install firewire_core /bin/disabled-by-security-misc 
@@ -28,17 +28,14 @@ install dv1394 /bin/disabled-by-security-misc install raw1394 /bin/disabled-by-security-misc install video1394 /bin/disabled-by-security-misc -# Disable CPU MSRs as they can be abused to write to arbitrary memory. +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode install msr /bin/disabled-by-security-misc -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# +## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. install dccp /bin/disabled-by-security-misc install sctp /bin/disabled-by-security-misc install rds /bin/disabled-by-security-misc 
@@ -59,7 +56,7 @@ install p8022 /bin/disabled-by-security-misc install can /bin/disabled-by-security-misc install atm /bin/disabled-by-security-misc -# Disable uncommon file systems to reduce attack surface +## Disable uncommon file systems to reduce attack surface install cramfs /bin/disabled-by-security-misc install freevxfs /bin/disabled-by-security-misc install jffs2 /bin/disabled-by-security-misc @@ -67,7 +64,7 @@ install hfs /bin/disabled-by-security-misc install hfsplus /bin/disabled-by-security-misc install udf /bin/disabled-by-security-misc -# Disable uncommon network file systems to reduce attack surface +## Disable uncommon network file systems to reduce attack surface install cifs /bin/disabled-by-security-misc install nfs /bin/disabled-by-security-misc install nfsv3 /bin/disabled-by-security-misc 
@@ -75,23 +72,23 @@ install nfsv4 /bin/disabled-by-security-misc install ksmbd /bin/disabled-by-security-misc install gfs2 /bin/disabled-by-security-misc -# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities -# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -# https://www.openwall.com/lists/oss-security/2019/11/02/1 -# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/disabled-by-security-misc -# Disable Intel Management Engine (ME) interface with the OS -# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## Disable Intel Management Engine (ME) interface with the OS +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/disabled-by-security-misc install mei-me /bin/disabled-by-security-misc -# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci -# Blacklist automatic loading of miscellaneous modules -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## Blacklist automatic loading of miscellaneous modules +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco blacklist evbug 
blacklist usbmouse blacklist usbkbd @@ -108,23 +105,23 @@ blacklist snd_pcsp blacklist pcspkr blacklist amd76x_edac -# Blacklist automatic loading of framebuffer drivers -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## Blacklist automatic loading of framebuffer drivers +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco blacklist aty128fb blacklist atyfb -# blacklist radeonfb +#blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb blacklist gx1fb blacklist hgafb blacklist i810fb -# blacklist intelfb +#blacklist intelfb blacklist kyrofb blacklist lxfb -blacklist matroxfb_base +blacklist matroxfb_bases blacklist neofb -# blacklist nvidiafb +#blacklist nvidiafb blacklist pm2fb blacklist rivafb blacklist s1d13xxxfb @@ -133,15 +130,15 @@ blacklist sisfb blacklist sstfb blacklist tdfxfb blacklist tridentfb -# blacklist vesafb +#blacklist vesafb blacklist vfb blacklist viafb blacklist vt8623fb blacklist udlfb -# Disable CD-ROM devices -# https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +## Disable CD-ROM devices +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc #install sr_mod /bin/disabled-by-security-misc blacklist cdrom From 48089e5ba43b0b72449f888b98b63119ed57e2fd Mon Sep 17 00:00:00 2001 
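Review bot: `+blacklist matroxfb_bases` in the `@@ -108,23 +105,23 @@` hunk introduces a typo in a commit that is meant to touch only comments: the module is `matroxfb_base`, so the entry now names a module that does not exist and the blacklist for `matroxfb_base` is dropped without any error, because modprobe does not complain about blacklist lines for unknown names. Restore `blacklist matroxfb_base`. The other hunks of this commit (`@@ -1`, `@@ -28`, `@@ -59`, `@@ -67`, `@@ -75`, `@@ -133`) are comment-only and look fine.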
From: Raja Grewal Date: Tue, 12 Jul 2022 17:02:12 +1000 Subject: [PATCH 0579/1650] More verbose kernel module blocking error logs --- .../block-bluetooth | 10 ++ .../block-cdrom | 10 ++ .../block-filesys | 10 ++ .../block-firewire | 10 ++ .../block-intelme | 10 ++ .../block-msr | 10 ++ .../block-netfilesys | 10 ++ .../block-network | 10 ++ .../block-thunderbolt | 10 ++ .../block-vivid | 10 ++ etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- 11 files changed, 151 insertions(+), 51 deletions(-) create mode 100755 bin/disabled-module-by-security-misc/block-bluetooth create mode 100755 bin/disabled-module-by-security-misc/block-cdrom create mode 100755 bin/disabled-module-by-security-misc/block-filesys create mode 100755 bin/disabled-module-by-security-misc/block-firewire create mode 100755 bin/disabled-module-by-security-misc/block-intelme create mode 100755 bin/disabled-module-by-security-misc/block-msr create mode 100755 bin/disabled-module-by-security-misc/block-netfilesys create mode 100755 bin/disabled-module-by-security-misc/block-network create mode 100755 bin/disabled-module-by-security-misc/block-thunderbolt create mode 100755 bin/disabled-module-by-security-misc/block-vivid diff --git a/bin/disabled-module-by-security-misc/block-bluetooth b/bin/disabled-module-by-security-misc/block-bluetooth new file mode 100755 index 0000000..e708783 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-bluetooth @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
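Review bot: `echo "$0: ERROR: … | args: $@" >&2` embeds `$@` inside a larger double-quoted string; with more than one argument bash splits the string into several words, which `echo` happens to re-join, but `$*` expresses the intent and avoids the well-known footgun: `echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $*" >&2`. The ten new scripts (block-bluetooth through block-vivid, this and the following hunks) differ by a single word; since modprobe runs `install` commands through a shell, one script taking the category as an argument (`install btusb /bin/disabled-module-by-security-misc bluetooth`) would avoid ten copies drifting apart. The header comment says the module is "blacklisted", but these scripts back `install` lines, which block loading outright; `## Reports that security-misc blocked loading of this kernel module via a modprobe 'install' override.` would be accurate.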
diff --git a/bin/disabled-module-by-security-misc/block-cdrom b/bin/disabled-module-by-security-misc/block-cdrom new file mode 100755 index 0000000..5057e32 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-cdrom @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-filesys b/bin/disabled-module-by-security-misc/block-filesys new file mode 100755 index 0000000..9050a8c --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-filesys @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-firewire b/bin/disabled-module-by-security-misc/block-firewire new file mode 100755 index 0000000..5aa44e3 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-firewire @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
diff --git a/bin/disabled-module-by-security-misc/block-intelme b/bin/disabled-module-by-security-misc/block-intelme new file mode 100755 index 0000000..9c8c96c --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-intelme @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-msr b/bin/disabled-module-by-security-misc/block-msr new file mode 100755 index 0000000..3cf3937 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-msr @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-netfilesys b/bin/disabled-module-by-security-misc/block-netfilesys new file mode 100755 index 0000000..0dc5672 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-netfilesys @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
diff --git a/bin/disabled-module-by-security-misc/block-network b/bin/disabled-module-by-security-misc/block-network new file mode 100755 index 0000000..7cb3041 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-network @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-thunderbolt b/bin/disabled-module-by-security-misc/block-thunderbolt new file mode 100755 index 0000000..bfb52e1 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-thunderbolt @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-module-by-security-misc/block-vivid b/bin/disabled-module-by-security-misc/block-vivid new file mode 100755 index 0000000..45c14bd --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-vivid @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index b6c8424..fa219bf 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -11,77 +11,77 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-by-security-misc -install btusb /bin/disabled-by-security-misc +install bluetooth /bin/disabled-module-by-security-misc/block-bluetooth +install btusb /bin/disabled-module-by-security-misc/block-bluetooth ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-by-security-misc -install firewire-core /bin/disabled-by-security-misc -install firewire_core /bin/disabled-by-security-misc -install firewire-ohci /bin/disabled-by-security-misc -install firewire_ohci /bin/disabled-by-security-misc -install firewire_sbp2 /bin/disabled-by-security-misc -install firewire-sbp2 /bin/disabled-by-security-misc -install ohci1394 /bin/disabled-by-security-misc -install sbp2 /bin/disabled-by-security-misc -install dv1394 /bin/disabled-by-security-misc -install raw1394 /bin/disabled-by-security-misc -install video1394 /bin/disabled-by-security-misc +install thunderbolt /bin/disabled-module-by-security-misc/block-thunderbolt +install firewire-core /bin/disabled-module-by-security-misc/block-firewire +install firewire_core /bin/disabled-module-by-security-misc/block-firewire +install firewire-ohci /bin/disabled-module-by-security-misc/block-firewire +install firewire_ohci /bin/disabled-module-by-security-misc/block-firewire +install firewire_sbp2 /bin/disabled-module-by-security-misc/block-firewire +install firewire-sbp2 /bin/disabled-module-by-security-misc/block-firewire +install ohci1394 /bin/disabled-module-by-security-misc/block-firewire +install sbp2 /bin/disabled-module-by-security-misc/block-firewire +install dv1394 /bin/disabled-module-by-security-misc/block-firewire +install raw1394 /bin/disabled-module-by-security-misc/block-firewire +install video1394 
/bin/disabled-module-by-security-misc/block-firewire ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-by-security-misc +install msr /bin/disabled-module-by-security-misc/block-msr ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /bin/disabled-by-security-misc -install sctp /bin/disabled-by-security-misc -install rds /bin/disabled-by-security-misc -install tipc /bin/disabled-by-security-misc -install n-hdlc /bin/disabled-by-security-misc -install ax25 /bin/disabled-by-security-misc -install netrom /bin/disabled-by-security-misc -install x25 /bin/disabled-by-security-misc -install rose /bin/disabled-by-security-misc -install decnet /bin/disabled-by-security-misc -install econet /bin/disabled-by-security-misc -install af_802154 /bin/disabled-by-security-misc -install ipx /bin/disabled-by-security-misc -install appletalk /bin/disabled-by-security-misc -install psnap /bin/disabled-by-security-misc -install p8023 /bin/disabled-by-security-misc -install p8022 /bin/disabled-by-security-misc -install can /bin/disabled-by-security-misc -install atm /bin/disabled-by-security-misc +install dccp /bin/disabled-module-by-security-misc/block-network +install sctp /bin/disabled-module-by-security-misc/block-network +install rds 
/bin/disabled-module-by-security-misc/block-network +install tipc /bin/disabled-module-by-security-misc/block-network +install n-hdlc /bin/disabled-module-by-security-misc/block-network +install ax25 /bin/disabled-module-by-security-misc/block-network +install netrom /bin/disabled-module-by-security-misc/block-network +install x25 /bin/disabled-module-by-security-misc/block-network +install rose /bin/disabled-module-by-security-misc/block-network +install decnet /bin/disabled-module-by-security-misc/block-network +install econet /bin/disabled-module-by-security-misc/block-network +install af_802154 /bin/disabled-module-by-security-misc/block-network +install ipx /bin/disabled-module-by-security-misc/block-network +install appletalk /bin/disabled-module-by-security-misc/block-network +install psnap /bin/disabled-module-by-security-misc/block-network +install p8023 /bin/disabled-module-by-security-misc/block-network +install p8022 /bin/disabled-module-by-security-misc/block-network +install can /bin/disabled-module-by-security-misc/block-network +install atm /bin/disabled-module-by-security-misc/block-network ## Disable uncommon file systems to reduce attack surface -install cramfs /bin/disabled-by-security-misc -install freevxfs /bin/disabled-by-security-misc -install jffs2 /bin/disabled-by-security-misc -install hfs /bin/disabled-by-security-misc -install hfsplus /bin/disabled-by-security-misc -install udf /bin/disabled-by-security-misc +install cramfs /bin/disabled-module-by-security-misc/block-filesys +install freevxfs /bin/disabled-module-by-security-misc/block-filesys +install jffs2 /bin/disabled-module-by-security-misc/block-filesys +install hfs /bin/disabled-module-by-security-misc/block-filesys +install hfsplus /bin/disabled-module-by-security-misc/block-filesys +install udf /bin/disabled-module-by-security-misc/block-filesys ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-by-security-misc -install nfs 
/bin/disabled-by-security-misc -install nfsv3 /bin/disabled-by-security-misc -install nfsv4 /bin/disabled-by-security-misc -install ksmbd /bin/disabled-by-security-misc -install gfs2 /bin/disabled-by-security-misc +install cifs /bin/disabled-module-by-security-misc/block-netfilesys +install nfs /bin/disabled-module-by-security-misc/block-netfilesys +install nfsv3 /bin/disabled-module-by-security-misc/block-netfilesys +install nfsv4 /bin/disabled-module-by-security-misc/block-netfilesys +install ksmbd /bin/disabled-module-by-security-misc/block-netfilesys +install gfs2 /bin/disabled-module-by-security-misc/block-netfilesys ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-by-security-misc +install vivid /bin/disabled-module-by-security-misc/block-vivid ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-by-security-misc -install mei-me /bin/disabled-by-security-misc +install mei /bin/disabled-module-by-security-misc/block-intelme +install mei-me /bin/disabled-module-by-security-misc/block-intelme ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco 
@@ -139,7 +139,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-by-security-misc -#install sr_mod /bin/disabled-by-security-misc +#install cdrom /bin/disabled-module-by-security-misc/block-cdrom +#install sr_mod /bin/disabled-module-by-security-misc/block-cdrom blacklist cdrom blacklist sr_mod From fe0cc1089086273794bd6b54df3528ff78c10f6a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 12 Jul 2022 17:18:47 +1000 Subject: [PATCH 0580/1650] Updated README.md --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 039c9c4..73428f2 100644 --- a/README.md +++ b/README.md @@ -88,15 +88,24 @@ disabled. * IOMMU is enabled to prevent DMA attacks. -### Blacklisted kernel modules +### Disables and blacklists kernel modules -Certain kernel modules are blacklisted to reduce attack surface via the +Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. * Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. +* Bluetooth is disabled to reduce attack surface. Bluetooth has +a lengthy history of security concerns. + +* Thunderbolt and numerous FireWire kernel modules are also disabled as they are +often vulnerable to DMA attacks. + +* The MSR kernel module is disabled to prevent CPU MSRs from being +abused to write to arbitrary memory. + * Uncommon network protocols are blacklisted. This includes: DCCP - Datagram Congestion Control Protocol 
@@ -137,23 +146,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled. ATM -* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has -a history of security concerns. - -* The Thunderbolt and FireWire kernel modules are blacklisted as they are -often vulnerable to DMA attacks. - -* The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is blacklisted. - -* The MSR kernel module is blacklisted to prevent CPU MSRs from being -abused to write to arbitrary memory. - * Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. -* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +* The vivid kernel module is only required for testing and has been the cause +of multiple vulnerabilities so it is disabled. -* Not enabled by default yet, comment only: Disables the use of CD-ROM devices by default. +* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. + +* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. + +* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. ### Other From dabcaf22e1006cc60297c55e3e254f080562d552 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:28:03 +1000 Subject: [PATCH 0581/1650] enforce default kernel.randomize_va_space --- etc/sysctl.d/30_security-misc.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 80afdc8..31666a7 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -60,6 +60,8 @@ kernel.yama.ptrace_scope=2 ## Prevent setuid processes from creating coredumps. fs.suid_dumpable=0 +## Randomize the addresses for mmap base, heap, stack, and VDSO pages +kernel.randomize_va_space=2 #### meta start #### project Kicksecure @@ -157,4 +159,3 @@ kernel.perf_event_paranoid=3 # Do not accept router advertisments net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 - From 79156262c9e3fe92344847b627afc64b2c7f7717 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:29:42 +1000 Subject: [PATCH 0582/1650] enforce default net.ipv4.icmp_ignore_bogus_error_responses --- etc/sysctl.d/30_security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 31666a7..846c8b0 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -90,6 +90,9 @@ net.ipv6.conf.default.accept_redirects=0 ## Ignores ICMP requests. net.ipv4.icmp_echo_ignore_all=1 +## Ignores bogus ICMP error responses +net.ipv4.icmp_ignore_bogus_error_responses=1 + ## Enables TCP syncookies. net.ipv4.tcp_syncookies=1 From 57b5b2145c4e6779f0b879ee4199d46938f20965 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:30:43 +1000 Subject: [PATCH 0583/1650] enforce defualt net.ipv4.ip_forward --- etc/sysctl.d/30_security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 846c8b0..1b93769 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf 
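Review bot: `+kernel.randomize_va_space=2` is documented as enabling randomization, but the commit's purpose is to pin a value that is already the kernel default so that another sysctl drop-in cannot silently weaken it; the comment should say that, e.g. `## Randomize the addresses for mmap base, heap, stack, and VDSO pages (kernel default; set explicitly so nothing else lowers it).` The same applies to `+net.ipv4.icmp_ignore_bogus_error_responses=1` in the next hunk and to `+net.ipv4.ip_forward=0` in PATCH 0583.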
@@ -108,6 +108,9 @@ net.ipv6.conf.default.accept_source_route=0 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 +## Disables IP forwarding (we are not a router!) +net.ipv4.ip_forward=0 + #### meta end From f572332108c06eb77d24e776910463e69d49acd3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:32:03 +1000 Subject: [PATCH 0584/1650] disable slub_debug --- etc/default/grub.d/40_kernel_hardening.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 929d71f..ed6039c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -10,7 +10,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Enables sanity checks (F) and redzoning (Z). -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" +## Disabled due to kernel deciding to implicitly disable kernel pointer hashing +## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" From 74858d257b8de40f082ce21241e680a5eeaf4053 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:34:35 +1000 Subject: [PATCH 0585/1650] enable randomize_kstack_offset --- etc/default/grub.d/40_kernel_hardening.cfg | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ed6039c..f3d6487 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
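Review bot: `net.ipv4.ip_forward=0` is added without its IPv6 counterpart, so after this hunk the host is pinned to not route v4 while v6 forwarding is left at whatever the kernel or another drop-in sets; if the intent is "we are not a router", the matching keys are `net.ipv6.conf.all.forwarding=0` and `net.ipv6.conf.default.forwarding=0`. This package also appears to be shared with gateway-style deployments (the Whonix forum links elsewhere in the file), where forwarding is required, and the revert later in this series suggests exactly that conflict; a comment stating where the setting is expected to be overridden would have made the trade-off visible.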
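Review bot: The new comment above the commented-out `slub_debug=FZ` line names the cause but not the consequence, which is what justifies dropping a mitigation: the linked kernel commit forces `no_hash_pointers` whenever slub_debug is enabled, so `%p` in the kernel log would print raw, unhashed kernel addresses and hand a KASLR bypass to anyone who can read dmesg. Suggested wording: `## Disabled: since the commit below, slub_debug forces no_hash_pointers, so %p in dmesg would print unhashed kernel addresses and weaken KASLR.` The redzoning/sanity-check bullets removed from the README later in this series are consistent with this change.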
@@ -29,6 +29,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Enables page allocator freelist randomization. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" +## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## https://lkml.org/lkml/2019/3/18/246 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" + ## Enables kernel lockdown. ## ## Disabled for now as it enforces module signature verification which breaks From d0779a96fc054df925523a76510c1aae5d672f96 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:36:34 +1000 Subject: [PATCH 0586/1650] add reference --- etc/default/grub.d/40_distrust_cpu.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg index f7610d3..5910d55 100644 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -8,4 +8,5 @@ ## https://twitter.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://lkml.org/lkml/2022/6/5/271 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" From 33df16af805597057c7aad0d5a4fb135ed9e286b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 04:37:03 +1000 Subject: [PATCH 0587/1650] disables random.trust_bootloader --- etc/default/grub.d/40_distrust_bootloader.cfg | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 etc/default/grub.d/40_distrust_bootloader.cfg diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg new file mode 100644 index 0000000..2174db2 --- /dev/null +++ b/etc/default/grub.d/40_distrust_bootloader.cfg 
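Review bot: `randomize_kstack_offset=on` is only honoured by kernels built with CONFIG_RANDOMIZE_KSTACK_OFFSET (merged in 5.13, as the comment says); on an older or differently configured kernel the parameter is, as far as I can tell, simply unrecognised and silently does nothing, and there is no sysfs knob to confirm it took effect. The comment should state that dependency, and the reference would serve readers better pointed at the admin-guide kernel-parameters entry than at the 2019 lkml RFC, which predates the merged implementation. Suggested comment: `## Randomise the kernel stack offset on each syscall (needs CONFIG_RANDOMIZE_KSTACK_OFFSET, Linux >= 5.13; ignored by kernels without it).`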
@@ -0,0 +1,7 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Distrusts the bootloader for initial entropy at boot.
+##
+## https://lkml.org/lkml/2022/6/5/271
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
From a47922ad28fc9ebba93615a6ffdaaeb4887cc140 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 04:47:07 +1000
Subject: [PATCH 0588/1650] enforce of IOMMU TLB invalidation
---
 etc/default/grub.d/40_enable_iommu.cfg | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index f4aa582..8d395d2 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -10,3 +10,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
 ## https://mjg59.dreamwidth.org/54433.html
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
+## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
+## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1"
From 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 13 Jul 2022 21:10:39 +1000
Subject: [PATCH 0589/1650] Revert "enforce defualt net.ipv4.ip_forward"

This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965.
---
 etc/sysctl.d/30_security-misc.conf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 1b93769..846c8b0 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
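Review bot: `random.trust_bootloader=off` is a recent parameter (I believe it arrived with the 5.18 random.c rework) and older kernels ignore it, which the new file should say since the distribution kernel may lag. The trade-off also deserves a line: with both the CPU and bootloader seeds distrusted, the CRNG on a VM without other early entropy sources initialises later, and early `getrandom()` callers may block until it does. Suggested addition after the existing comment: `## Needs a kernel that understands random.trust_bootloader (Linux >= 5.18, ignored otherwise). Together with random.trust_cpu=off this can delay CRNG initialisation on entropy-starved VMs.`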
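Review bot: The added comment's claim that devices "will never be able to access stale data contents" overstates what `iommu.strict=1` buys: strict mode makes each unmap invalidate the IOTLB synchronously, closing the window in which a device could still reach a just-unmapped buffer, but it does nothing for buffers that are still legitimately mapped, and `iommu.passthrough=0` only ensures DMA goes through translation at all. Suggested comment: `## Strict IOTLB invalidation: unmapped DMA buffers become inaccessible to the device immediately rather than lazily (closes the stale-mapping window; costs some I/O throughput).` The Kconfig reference links `master` with a `#L97` line anchor, which will drift as the file changes; pin it to a tag or commit hash.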
@@ -108,9 +108,6 @@ net.ipv6.conf.default.accept_source_route=0 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 -## Disables IP forwarding (we are not a router!) -net.ipv4.ip_forward=0 - #### meta end From 2b237039cf1db66100f7f0bb4880981ee0489abf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 22:25:53 +1000 Subject: [PATCH 0590/1650] Update README.md --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index d7c9ea4..76ef0fe 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ arbitrary code execution in kernel mode. * The bits of entropy used for mmap ASLR are increased, therefore improving its effectiveness. +* Randomises the addresses for mmap base, heap, stack, and VDSO pages. + * Prevents unintentional writes to attacker-controlled files. * Prevents common symlink and hardlink TOCTOU races. @@ -54,19 +56,13 @@ prevents writing potentially sensitive contents of memory to disk. ### Boot parameters -Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf` -configuration file. +Boot parameters are outlined in configuration files located in the +`etc/default/grub.d/` directory. * Slab merging is disabled which significantly increases the difficulty of heap exploitation by preventing overwriting objects from merged caches and by making it harder to influence slab cache layout. -* Sanity checks are enabled which add various checks to prevent corruption -in certain slab operations. - -* Redzoning is enabled which adds extra areas around slabs that detect when -a slab is overwritten past its real size which can help detect overflows. - * Memory zeroing at allocation and free time is enabled to mitigate some use-after-free vulnerabilities and erase sensitive information in memory. 
@@ -83,10 +79,15 @@ are a potential target for ROP. * The kernel panics on oopses to thwart certain kernel exploits. +* Enables randomisation of the kernel stack offset on syscall entries. + * All mitigations for known CPU vulnerabilities are enabled and SMT is disabled. -* IOMMU is enabled to prevent DMA attacks. +* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU +TLB invalidation so devices will never be able to access stale data contents. + +* Distrust the 'randomly' generated CPU and bootloader seeds. ### Blacklisted kernel modules From 24d6a93eacf5b41cfb9133471049776a16a07b03 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 13 Jul 2022 08:28:34 -0400 Subject: [PATCH 0591/1650] bumped changelog version --- changelog.upstream | 52 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 58 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 16be21f..cd0a0fc 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,55 @@ +commit 8f31e5d1d172eb117bde63702f63081da182d5c5 +Merge: 6aa9a94 c410890 +Author: Patrick Schleizer +Date: Wed Jul 13 07:26:58 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c410890a8ade6d4be13dc99a7003f03ebded8153 +Merge: 6aa9a94 fe0cc10 +Author: Patrick Schleizer +Date: Wed Jul 13 07:24:12 2022 -0400 + + Merge pull request #110 from raja-grewal/master + + Incorporated Ubuntu’s kernel module blacklists and more verbose errors + +commit fe0cc1089086273794bd6b54df3528ff78c10f6a +Author: Raja Grewal +Date: Tue Jul 12 17:18:47 2022 +1000 + + Updated README.md + +commit 48089e5ba43b0b72449f888b98b63119ed57e2fd +Author: Raja Grewal +Date: Tue Jul 12 17:02:12 2022 +1000 + + More verbose kernel module blocking error logs + +commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 +Author: Raja Grewal +Date: Tue Jul 12 16:58:16 2022 +1000 + + Updated comments + +commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 +Author: Raja Grewal +Date: Sun Jul 10 04:53:25 2022 +1000 + + Blacklist automatic loading of CD-ROM modules + +commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc +Author: Raja Grewal +Date: Sun Jul 10 04:52:00 2022 +1000 + + Incorporated Ubuntu’s kernel module blacklists + +commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:24 2022 -0400 + + bumped changelog version + commit 3b844eaab25fecf90292c88291be77abf0be694c Author: Patrick Schleizer Date: Sat Jul 9 11:42:11 2022 -0400 diff --git a/debian/changelog b/debian/changelog index e1fa1be..d6601a5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 + security-misc (3:25.2-1) unstable; urgency=medium * New upstream version (local package). From a72bbb1883613ee56be29949c153e0edb2d72a29 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 13 Jul 2022 23:42:13 +1000 Subject: [PATCH 0592/1650] Corrected kerenl module disabling --- ...th => disabled-bluetooth-by-security-misc} | 0 bin/disabled-by-security-misc | 10 -- ...-cdrom => disabled-cdrom-by-security-misc} | 0 ...esys => disabled-filesys-by-security-misc} | 0 ...ire => disabled-firewire-by-security-misc} | 0 ...elme => disabled-intelme-by-security-misc} | 0 ...lock-msr => disabled-msr-by-security-misc} | 0 ...s => disabled-netfilesys-by-security-misc} | 0 ...work => disabled-network-by-security-misc} | 0 ... => disabled-thunderbolt-by-security-misc} | 0 ...-vivid => disabled-vivid-by-security-misc} | 0 etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- 12 files changed, 51 insertions(+), 61 deletions(-) rename bin/{disabled-module-by-security-misc/block-bluetooth => disabled-bluetooth-by-security-misc} (100%) delete mode 100755 bin/disabled-by-security-misc rename bin/{disabled-module-by-security-misc/block-cdrom => disabled-cdrom-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-filesys => disabled-filesys-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-firewire => disabled-firewire-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-intelme => disabled-intelme-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-msr => disabled-msr-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-netfilesys => disabled-netfilesys-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-network => disabled-network-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-thunderbolt => disabled-thunderbolt-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-vivid => disabled-vivid-by-security-misc} (100%) 
diff --git a/bin/disabled-module-by-security-misc/block-bluetooth b/bin/disabled-bluetooth-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-bluetooth rename to bin/disabled-bluetooth-by-security-misc diff --git a/bin/disabled-by-security-misc b/bin/disabled-by-security-misc deleted file mode 100755 index 9d11c80..0000000 --- a/bin/disabled-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-module-by-security-misc/block-cdrom b/bin/disabled-cdrom-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-cdrom rename to bin/disabled-cdrom-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-filesys b/bin/disabled-filesys-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-filesys rename to bin/disabled-filesys-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-firewire b/bin/disabled-firewire-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-firewire rename to bin/disabled-firewire-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-intelme b/bin/disabled-intelme-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-intelme rename to bin/disabled-intelme-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-msr b/bin/disabled-msr-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-msr rename to bin/disabled-msr-by-security-misc 
diff --git a/bin/disabled-module-by-security-misc/block-netfilesys b/bin/disabled-netfilesys-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-netfilesys rename to bin/disabled-netfilesys-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-network b/bin/disabled-network-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-network rename to bin/disabled-network-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-thunderbolt b/bin/disabled-thunderbolt-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-thunderbolt rename to bin/disabled-thunderbolt-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-vivid b/bin/disabled-vivid-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-vivid rename to bin/disabled-vivid-by-security-misc diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index fa219bf..48d5b25 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -11,77 +11,77 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-module-by-security-misc/block-bluetooth -install btusb /bin/disabled-module-by-security-misc/block-bluetooth +install bluetooth /bin/disabled-bluetooth-by-security-misc +install btusb /bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-module-by-security-misc/block-thunderbolt -install firewire-core /bin/disabled-module-by-security-misc/block-firewire -install firewire_core /bin/disabled-module-by-security-misc/block-firewire -install firewire-ohci /bin/disabled-module-by-security-misc/block-firewire -install firewire_ohci /bin/disabled-module-by-security-misc/block-firewire -install firewire_sbp2 /bin/disabled-module-by-security-misc/block-firewire -install firewire-sbp2 /bin/disabled-module-by-security-misc/block-firewire -install ohci1394 /bin/disabled-module-by-security-misc/block-firewire -install sbp2 /bin/disabled-module-by-security-misc/block-firewire -install dv1394 /bin/disabled-module-by-security-misc/block-firewire -install raw1394 /bin/disabled-module-by-security-misc/block-firewire -install video1394 /bin/disabled-module-by-security-misc/block-firewire +install thunderbolt /bin/disabled-thunderbolt-by-security-misc +install firewire-core /bin/disabled-firewire-by-security-misc +install firewire_core /bin/disabled-firewire-by-security-misc +install firewire-ohci /bin/disabled-firewire-by-security-misc +install firewire_ohci /bin/disabled-firewire-by-security-misc +install firewire_sbp2 /bin/disabled-firewire-by-security-misc +install firewire-sbp2 /bin/disabled-firewire-by-security-misc +install ohci1394 /bin/disabled-firewire-by-security-misc +install sbp2 /bin/disabled-firewire-by-security-misc 
+install dv1394 /bin/disabled-firewire-by-security-misc +install raw1394 /bin/disabled-firewire-by-security-misc +install video1394 /bin/disabled-firewire-by-security-misc ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-module-by-security-misc/block-msr +install msr /bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. 
-install dccp /bin/disabled-module-by-security-misc/block-network -install sctp /bin/disabled-module-by-security-misc/block-network -install rds /bin/disabled-module-by-security-misc/block-network -install tipc /bin/disabled-module-by-security-misc/block-network -install n-hdlc /bin/disabled-module-by-security-misc/block-network -install ax25 /bin/disabled-module-by-security-misc/block-network -install netrom /bin/disabled-module-by-security-misc/block-network -install x25 /bin/disabled-module-by-security-misc/block-network -install rose /bin/disabled-module-by-security-misc/block-network -install decnet /bin/disabled-module-by-security-misc/block-network -install econet /bin/disabled-module-by-security-misc/block-network -install af_802154 /bin/disabled-module-by-security-misc/block-network -install ipx /bin/disabled-module-by-security-misc/block-network -install appletalk /bin/disabled-module-by-security-misc/block-network -install psnap /bin/disabled-module-by-security-misc/block-network -install p8023 /bin/disabled-module-by-security-misc/block-network -install p8022 /bin/disabled-module-by-security-misc/block-network -install can /bin/disabled-module-by-security-misc/block-network -install atm /bin/disabled-module-by-security-misc/block-network +install dccp /bin/disabled-network-by-security-misc +install sctp /bin/disabled-network-by-security-misc +install rds /bin/disabled-network-by-security-misc +install tipc /bin/disabled-network-by-security-misc +install n-hdlc /bin/disabled-network-by-security-misc +install ax25 /bin/disabled-network-by-security-misc +install netrom /bin/disabled-network-by-security-misc +install x25 /bin/disabled-network-by-security-misc +install rose /bin/disabled-network-by-security-misc +install decnet /bin/disabled-network-by-security-misc +install econet /bin/disabled-network-by-security-misc +install af_802154 /bin/disabled-network-by-security-misc +install ipx /bin/disabled-network-by-security-misc +install appletalk 
/bin/disabled-network-by-security-misc +install psnap /bin/disabled-network-by-security-misc +install p8023 /bin/disabled-network-by-security-misc +install p8022 /bin/disabled-network-by-security-misc +install can /bin/disabled-network-by-security-misc +install atm /bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface -install cramfs /bin/disabled-module-by-security-misc/block-filesys -install freevxfs /bin/disabled-module-by-security-misc/block-filesys -install jffs2 /bin/disabled-module-by-security-misc/block-filesys -install hfs /bin/disabled-module-by-security-misc/block-filesys -install hfsplus /bin/disabled-module-by-security-misc/block-filesys -install udf /bin/disabled-module-by-security-misc/block-filesys +install cramfs /bin/disabled-filesys-by-security-misc +install freevxfs /bin/disabled-filesys-by-security-misc +install jffs2 /bin/disabled-filesys-by-security-misc +install hfs /bin/disabled-filesys-by-security-misc +install hfsplus /bin/disabled-filesys-by-security-misc +install udf /bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-module-by-security-misc/block-netfilesys -install nfs /bin/disabled-module-by-security-misc/block-netfilesys -install nfsv3 /bin/disabled-module-by-security-misc/block-netfilesys -install nfsv4 /bin/disabled-module-by-security-misc/block-netfilesys -install ksmbd /bin/disabled-module-by-security-misc/block-netfilesys -install gfs2 /bin/disabled-module-by-security-misc/block-netfilesys +install cifs /bin/disabled-netfilesys-by-security-misc +install nfs /bin/disabled-netfilesys-by-security-misc +install nfsv3 /bin/disabled-netfilesys-by-security-misc +install nfsv4 /bin/disabled-netfilesys-by-security-misc +install ksmbd /bin/disabled-netfilesys-by-security-misc +install gfs2 /bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the 
cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-module-by-security-misc/block-vivid +install vivid /bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-module-by-security-misc/block-intelme -install mei-me /bin/disabled-module-by-security-misc/block-intelme +install mei /bin/disabled-intelme-by-security-misc +install mei-me /bin/disabled-intelme-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco @@ -139,7 +139,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-module-by-security-misc/block-cdrom -#install sr_mod /bin/disabled-module-by-security-misc/block-cdrom +#install cdrom /bin/disabled-cdrom-by-security-misc +#install sr_mod /bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod From 465775c9dc1b97c98a5470acaffabb103ea7239f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 16 Jul 2022 08:00:16 -0400 Subject: [PATCH 0593/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd0a0fc..ba8c92d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,31 @@ +commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 +Merge: 24d6a93 27aa523 +Author: Patrick Schleizer +Date: Fri Jul 15 08:09:16 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 +Merge: 24d6a93 a72bbb1 +Author: Patrick Schleizer +Date: Fri Jul 15 08:06:08 2022 -0400 + + Merge pull request #112 from raja-grewal/blacklist + + Corrected kernel module disabling + +commit a72bbb1883613ee56be29949c153e0edb2d72a29 +Author: Raja Grewal +Date: Wed Jul 13 23:42:13 2022 +1000 + + Corrected kerenl module disabling + +commit 24d6a93eacf5b41cfb9133471049776a16a07b03 +Author: Patrick Schleizer +Date: Wed Jul 13 08:28:34 2022 -0400 + + bumped changelog version + commit 8f31e5d1d172eb117bde63702f63081da182d5c5 Merge: 6aa9a94 c410890 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index d6601a5..ee79eb0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 + security-misc (3:25.3-1) unstable; urgency=medium * New upstream version (local package). From c77a2a78bc48df2af7653a306bd1b046a8f99a6b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 00:37:31 +1000 Subject: [PATCH 0594/1650] enforce default net.ipv6.icmp_ignore_bogus_error_responses --- etc/sysctl.d/30_security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 846c8b0..0e7bc3d 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -89,6 +89,7 @@ net.ipv6.conf.default.accept_redirects=0 ## Ignores ICMP requests. net.ipv4.icmp_echo_ignore_all=1 +net.ipv6.icmp.echo_ignore_all=1 ## Ignores bogus ICMP error responses net.ipv4.icmp_ignore_bogus_error_responses=1 
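Review bot: The commit subject names `net.ipv6.icmp_ignore_bogus_error_responses`, but the hunk adds `net.ipv6.icmp.echo_ignore_all=1`; those are different settings (I am not aware of an IPv6 bogus-error sysctl), so the subject should read "ignore ICMPv6 echo requests" and the `## Ignores ICMP requests.` comment should mention that it now covers both address families. `net.ipv6.icmp.echo_ignore_all` is only understood by kernels that have it; on older kernels systemd-sysctl logs a failure for this key while the rest of the file still applies, which is worth noting in the comment. Ignoring all ICMPv6 echo should not affect Neighbour Discovery, so IPv6 connectivity is not expected to break, but confirm on a dual-stack host.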
From bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 00:38:32 +1000 Subject: [PATCH 0595/1650] delete repeated commands --- etc/sysctl.d/30_security-misc.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 0e7bc3d..3862e1d 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -84,8 +84,6 @@ net.ipv6.conf.default.accept_redirects=0 ## Disables ICMP redirect sending. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 ## Ignores ICMP requests. net.ipv4.icmp_echo_ignore_all=1 From 73f1e233327cc0edec83eac322b7f03bcb7fba22 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 02:29:46 +1000 Subject: [PATCH 0596/1650] shuffle and rewording --- etc/default/grub.d/40_cpu_mitigations.cfg | 39 ++++++++++++----------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7d6eb65..1977eeb 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,11 +1,17 @@ ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables all mitigations for CPU vulnerabilities. +## Enables all known mitigations for CPU vulnerabilities. ## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Enable all mitigations for Spectre Variant 2. +## Force disable SMT as it has caused numerous CPU vulnerabilities. +## +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" 
@@ -13,30 +19,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" ## Disable Speculative Store Bypass. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" -## Disable TSX, enable all mitigations for the TSX Async Abort -## vulnerability and disable SMT. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" - -## Enable all mitigations for the MDS vulnerability and disable -## SMT. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" - -## Enable all mitigations for the L1TF vulnerability and disable SMT +## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -## Force disable SMT as it has caused numerous CPU vulnerabilities. +## Enable mitigations for the MDS vulnerability through clearing buffer cache +## and disabling SMT. ## -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## Patches the TAA vulnerability by disabling TSX and enables mitigations using +## TSX Async Abort along with disabling SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. 
## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" From 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 02:30:49 +1000 Subject: [PATCH 0597/1650] CPU mitigation - SRBDS --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1977eeb..fa9bd80 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -41,3 +41,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" + +## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on" From 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 02:32:41 +1000 Subject: [PATCH 0598/1650] CPU mitigation - L1D FLushing --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fa9bd80..9caafb8 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
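Review bot: Two of the reworded comments are inaccurate. `## Enable mitigations for the MDS vulnerability through clearing buffer cache` describes the wrong mechanism: MDS is mitigated by flushing the CPU's internal microarchitectural buffers (store buffer, fill buffers, load ports) with VERW on return to user space, not any cache; suggest `## Mitigate MDS by clearing CPU microarchitectural buffers (VERW) on kernel exit, and disable SMT.` The TAA comment `Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort` reads as if "TSX Async Abort" were the mitigation, whereas TAA is the vulnerability, `tsx=off` is the primary mitigation and `tsx_async_abort=full,nosmt` covers CPUs on which TSX cannot be disabled. The L1TF line would also read better as `## Mitigate L1TF: full,force disables SMT and removes the runtime L1D-flush control.`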
@@ -46,3 +46,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on" + +## Enables the prctl interface to prevent leaks from L1D on context switches. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" From c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 02:33:16 +1000 Subject: [PATCH 0599/1650] CPU mitigation - MMIO Stale Data --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9caafb8..7eb5875 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -51,3 +51,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" + +## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" From bfd78a2c06153ebadfee39190055edf0a13958f4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 03:16:08 +1000 Subject: [PATCH 0600/1650] update SRBDS mitigation --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7eb5875..4537871 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
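Review bot: The comment added for `l1d_flush=on` overstates what the parameter does: it only makes the opt-in prctl (`PR_SET_SPECULATION_CTRL` with `PR_SPEC_L1D_FLUSH`) available, and no L1D flush happens on context switch unless a process explicitly requests it, so a default system gains no protection from this line on its own. Suggest `## Make the opt-in prctl for L1D flushing on context switch available; processes must request it, nothing is flushed by default.` so nobody reads the setting as a system-wide mitigation.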
@@ -43,9 +43,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. +## Only mitigated through microcode updates from Intel. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on" +## https://access.redhat.com/solutions/5142691 ## Enables the prctl interface to prevent leaks from L1D on context switches. ## From 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 19 Jul 2022 03:38:41 +1000 Subject: [PATCH 0601/1650] update details around disabling SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 4537871..a54de29 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -6,11 +6,6 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Force disable SMT as it has caused numerous CPU vulnerabilities. -## -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - ## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html 
@@ -48,6 +43,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 +## Force disable SMT as it has caused numerous CPU vulnerabilities. +## The only full mitigation of cross-HT attacks is to disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Enables the prctl interface to prevent leaks from L1D on context switches. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html From ca764d8de0f17bb7e6d44e3d79ea1805276fc521 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 20 Jul 2022 04:06:35 +1000 Subject: [PATCH 0602/1650] force kernel to panic on "oopses" --- etc/default/grub.d/40_kernel_hardening.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index f3d6487..a6dfb3e 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -53,3 +53,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## https://lkml.org/lkml/2020/7/16/122 ## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" + +## Force the kernel to panic on "oopses" (which may be due to false positives) +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" From 0c5b1e9f577d52e2c056e786e32c14ff37db344b Mon Sep 17 00:00:00 2001 
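Review bot: The comment for the re-added `nosmt=force` block in this hunk should mention that `force` is irreversible at runtime: unlike plain `nosmt`, it cannot be undone through `/sys/devices/system/cpu/smt/control`, which is what an administrator chasing a performance regression is most likely to trip over. Suggest adding `## 'force' means SMT cannot be re-enabled at runtime via /sys/devices/system/cpu/smt/control.`. The `,nosmt` suffixes on the mitigations above become redundant with this line but are harmless and keep working if this block is ever commented out.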
From: Patrick Schleizer Date: Sat, 23 Jul 2022 07:49:56 -0400 Subject: [PATCH 0603/1650] undo `"force kernel to panic on "oopses"` because implemented differently already https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 --- etc/default/grub.d/40_kernel_hardening.cfg | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index a6dfb3e..5f8476e 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -55,4 +55,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Force the kernel to panic on "oopses" (which may be due to false positives) -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## Implemented differently: +## /usr/libexec/security-misc/panic-on-oops +## /etc/X11/Xsession.d/50panic_on_oops +## /etc/sudoers.d/security-misc +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" From 73f6523e09f12fc56da0ed3555d050686ff441f3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 23 Jul 2022 08:07:37 -0400 Subject: [PATCH 0604/1650] bumped changelog version --- changelog.upstream | 162 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 168 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ba8c92d..817bc42 100644 --- a/changelog.upstream +++ b/changelog.upstream 
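Review bot: The retained comment above the now-commented `oops=panic` line still says the setting is in force ("Force the kernel to panic"), and the new "Implemented differently" list names three files without saying what they set, so a reader has to follow the forum link to learn the mechanism. Since the linked thread is about the `kernel.panic_on_oops=1` sysctl, stating that makes the block self-explaining: `## Implemented differently, via the kernel.panic_on_oops=1 sysctl, in:`. Whether those files actually set that sysctl is not visible in this diff and should be confirmed before wording it that way.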
@@ -1,3 +1,103 @@ +commit 0c5b1e9f577d52e2c056e786e32c14ff37db344b +Author: Patrick Schleizer +Date: Sat Jul 23 07:49:56 2022 -0400 + + undo `"force kernel to panic on "oopses"` + + because implemented differently already + + https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 + +commit c1c04b4619eea4c79a0dbb5cced3ebb77482877c +Merge: 465775c bfe6b88 +Author: Patrick Schleizer +Date: Sat Jul 23 07:43:19 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit bfe6b888395abf554623a9e530fe7e6605047e12 +Merge: 465775c ca764d8 +Author: Patrick Schleizer +Date: Sat Jul 23 07:27:24 2022 -0400 + + Merge pull request #111 from raja-grewal/harden + + Increased kernel hardening at boot + +commit ca764d8de0f17bb7e6d44e3d79ea1805276fc521 +Author: Raja Grewal +Date: Wed Jul 20 04:06:35 2022 +1000 + + force kernel to panic on "oopses" + +commit 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 +Author: Raja Grewal +Date: Tue Jul 19 03:38:41 2022 +1000 + + update details around disabling SMT + +commit bfd78a2c06153ebadfee39190055edf0a13958f4 +Author: Raja Grewal +Date: Tue Jul 19 03:16:08 2022 +1000 + + update SRBDS mitigation + +commit c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c +Author: Raja Grewal +Date: Tue Jul 19 02:33:16 2022 +1000 + + CPU mitigation - MMIO Stale Data + +commit 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 +Author: Raja Grewal +Date: Tue Jul 19 02:32:41 2022 +1000 + + CPU mitigation - L1D FLushing + +commit 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 +Author: Raja Grewal +Date: Tue Jul 19 02:30:49 2022 +1000 + + CPU mitigation - SRBDS + +commit 73f1e233327cc0edec83eac322b7f03bcb7fba22 +Author: Raja Grewal +Date: Tue Jul 19 02:29:46 2022 +1000 + + shuffle and rewording + +commit 39314b291263a93fcb11756ce12bd8691a1fa0f6 +Merge: bb831d5 c4a1094 +Author: Raja Grewal +Date: Tue Jul 19 00:49:08 2022 +1000 + + Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden + 
+commit bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 +Author: Raja Grewal +Date: Tue Jul 19 00:38:32 2022 +1000 + + delete repeated commands + +commit c77a2a78bc48df2af7653a306bd1b046a8f99a6b +Author: Raja Grewal +Date: Tue Jul 19 00:37:31 2022 +1000 + + enforce default net.ipv6.icmp_ignore_bogus_error_responses + +commit c4a10947608b0d5508ef5b18e0ab34a2ee4f35de +Merge: 2b23703 465775c +Author: Raja Grewal +Date: Mon Jul 18 13:36:23 2022 +0000 + + Merge branch 'Kicksecure:master' into harden + +commit 465775c9dc1b97c98a5470acaffabb103ea7239f +Author: Patrick Schleizer +Date: Sat Jul 16 08:00:16 2022 -0400 + + bumped changelog version + commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 Merge: 24d6a93 27aa523 Author: Patrick Schleizer @@ -26,6 +126,12 @@ Date: Wed Jul 13 08:28:34 2022 -0400 bumped changelog version +commit 2b237039cf1db66100f7f0bb4880981ee0489abf +Author: Raja Grewal +Date: Wed Jul 13 22:25:53 2022 +1000 + + Update README.md + commit 8f31e5d1d172eb117bde63702f63081da182d5c5 Merge: 6aa9a94 c410890 Author: Patrick Schleizer 
@@ -42,6 +148,62 @@ Date: Wed Jul 13 07:24:12 2022 -0400 Incorporated Ubuntu’s kernel module blacklists and more verbose errors +commit 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 +Author: Raja Grewal +Date: Wed Jul 13 21:10:39 2022 +1000 + + Revert "enforce defualt net.ipv4.ip_forward" + + This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965. + +commit a47922ad28fc9ebba93615a6ffdaaeb4887cc140 +Author: Raja Grewal +Date: Wed Jul 13 04:47:07 2022 +1000 + + enforce of IOMMU TLB invalidation + +commit 33df16af805597057c7aad0d5a4fb135ed9e286b +Author: Raja Grewal +Date: Wed Jul 13 04:37:03 2022 +1000 + + disables random.trust_bootloader + +commit d0779a96fc054df925523a76510c1aae5d672f96 +Author: Raja Grewal +Date: Wed Jul 13 04:36:34 2022 +1000 + + add reference + +commit 74858d257b8de40f082ce21241e680a5eeaf4053 +Author: Raja Grewal +Date: Wed Jul 13 04:34:35 2022 +1000 + + enable randomize_kstack_offset + +commit f572332108c06eb77d24e776910463e69d49acd3 +Author: Raja Grewal +Date: Wed Jul 13 04:32:03 2022 +1000 + + disable slub_debug + +commit 57b5b2145c4e6779f0b879ee4199d46938f20965 +Author: Raja Grewal +Date: Wed Jul 13 04:30:43 2022 +1000 + + enforce defualt net.ipv4.ip_forward + +commit 79156262c9e3fe92344847b627afc64b2c7f7717 +Author: Raja Grewal +Date: Wed Jul 13 04:29:42 2022 +1000 + + enforce default net.ipv4.icmp_ignore_bogus_error_responses + +commit dabcaf22e1006cc60297c55e3e254f080562d552 +Author: Raja Grewal +Date: Wed Jul 13 04:28:03 2022 +1000 + + enforce default kernel.randomize_va_space + commit fe0cc1089086273794bd6b54df3528ff78c10f6a Author: Raja Grewal Date: Tue Jul 12 17:18:47 2022 +1000 diff --git a/debian/changelog b/debian/changelog index ee79eb0..2843ce8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:25.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 23 Jul 2022 12:07:37 +0000 + security-misc (3:25.4-1) unstable; urgency=medium * New upstream version (local package). From 053142cdb57f23172fd0155dde4ff4c0183c4f65 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 26 Jul 2022 10:00:21 -0400 Subject: [PATCH 0605/1650] fix --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index 388649e..0d72a11 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -11,9 +11,10 @@ # called by dracut check() { + require_binaries sync || return 1 require_binaries sleep || return 1 - require_binaries dmsetup || return 1 require_binaries sdmem || return 1 + require_binaries dmsetup || return 1 require_binaries systemd-detect-virt || return 1 return 0 } @@ -25,6 +26,7 @@ depends() { # called by dracut install() { + inst_multiple sync inst_multiple sleep inst_multiple sdmem inst_multiple dmsetup From 109594952335f94c2a21f22d6a517ecc8b864d81 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 26 Jul 2022 10:00:53 -0400 Subject: [PATCH 0606/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 817bc42..3014f17 100644 --- a/changelog.upstream +++ b/changelog.upstream 
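Review bot: The commit message is just "fix" and neither hunk says why `sync` is now required in the initramfs, so the next reader cannot tell whether `wipe-ram.sh` gained a `sync` call or an existing one was silently missing; a one-line comment in `check()` naming what in the module uses it (e.g. `# sync: used by wipe-ram.sh`, once confirmed) would close that gap. As a point of style, the `require_binaries` chain could be a single call, `require_binaries sync sleep sdmem dmsetup systemd-detect-virt || return 1`, since the dracut helper accepts several names, and the reordering of `dmsetup` then becomes a non-change. `install()` continues past the end of the second hunk.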
@@ -1,3 +1,15 @@ +commit 053142cdb57f23172fd0155dde4ff4c0183c4f65 +Author: Patrick Schleizer +Date: Tue Jul 26 10:00:21 2022 -0400 + + fix + +commit 73f6523e09f12fc56da0ed3555d050686ff441f3 +Author: Patrick Schleizer +Date: Sat Jul 23 08:07:37 2022 -0400 + + bumped changelog version + commit 0c5b1e9f577d52e2c056e786e32c14ff37db344b Author: Patrick Schleizer Date: Sat Jul 23 07:49:56 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 2843ce8..6a83cd0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 26 Jul 2022 14:00:53 +0000 + security-misc (3:25.5-1) unstable; urgency=medium * New upstream version (local package). From a6bee1493d4113ab63f8d0671f97989b00d23544 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 28 Jul 2022 09:55:12 -0400 Subject: [PATCH 0607/1650] cold-boot-attack-defense wait longer to make messages readable by user --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index aefbd8d..3019ab0 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -59,6 +59,8 @@ ram_wipe() { if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg + + sleep 3 else echo "\ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! 
@@ -66,9 +68,10 @@ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg + + sleep 5 fi - sleep 3 } ram_wipe From 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 28 Jul 2022 09:56:24 -0400 Subject: [PATCH 0608/1650] comments --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 3019ab0..1f7566c 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -59,7 +59,7 @@ ram_wipe() { if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg - + ## This should probably be removed in production? sleep 3 else echo "\ @@ -68,7 +68,7 @@ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg - + ## How else could the user be informed that something is wrong? sleep 5 fi From 7d5246693c5c07f76e3f2e29c3ed39d4910673ff Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 12 Aug 2022 07:52:26 -0400 Subject: [PATCH 0609/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3014f17..e23c52a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
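Review bot: The added `sleep 5` in the failure branch is the only thing trying to get the "RAM wipe failed!" message in front of the user, but the message is written to `/dev/kmsg` without a priority prefix, so under `quiet` or a low console loglevel it may never reach the console however long the script sleeps. Writing the failure message with an explicit priority, e.g. `echo "<1>WARNING: wipe-ram.sh: ..." > /dev/kmsg` (KERN_ALERT), while leaving the success message at default priority, answers the "How else could the user be informed" question left in the comment the following "comments" commit adds to the same lines. Once that is in place the 3-second sleep on success only delays shutdown and could go. `ram_wipe()` starts before this hunk.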
@@ -1,3 +1,21 @@ +commit 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 +Author: Patrick Schleizer +Date: Thu Jul 28 09:56:24 2022 -0400 + + comments + +commit a6bee1493d4113ab63f8d0671f97989b00d23544 +Author: Patrick Schleizer +Date: Thu Jul 28 09:55:12 2022 -0400 + + cold-boot-attack-defense wait longer to make messages readable by user + +commit 109594952335f94c2a21f22d6a517ecc8b864d81 +Author: Patrick Schleizer +Date: Tue Jul 26 10:00:53 2022 -0400 + + bumped changelog version + commit 053142cdb57f23172fd0155dde4ff4c0183c4f65 Author: Patrick Schleizer Date: Tue Jul 26 10:00:21 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 6a83cd0..54d1d3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 12 Aug 2022 11:52:26 +0000 + security-misc (3:25.6-1) unstable; urgency=medium * New upstream version (local package). From 272a33fe2c3c7666de96f9037094db8e9ab8e09e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 13 Aug 2022 11:35:25 -0400 Subject: [PATCH 0610/1650] addgroup -> adduser fix --- debian/security-misc.preinst | 8 ++++---- usr/libexec/security-misc/pam-info | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index beeb62b..67eeb24 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -22,7 +22,7 @@ user_groups_modifications() { ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc - addgroup root sudo + adduser root sudo ## Useful to create groups in preinst rather than postinst. ## Otherwise if a user saw an error message such as this: 
@@ -45,7 +45,7 @@ user_groups_modifications() { ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: ## https://www.whonix.org/wiki/Root#Root_Login - addgroup root console + adduser root console } output_skip_checks() { @@ -209,11 +209,11 @@ legacy() { user_to_be_created=user if ! id "$user_to_be_created" &>/dev/null ; then - true "INFO: user '$user_to_be_created' does not exist. Skipping addgroup console and pam-auth-update." + true "INFO: user '$user_to_be_created' does not exist. Skipping adduser console and pam-auth-update." return 0 fi - addgroup "$user_to_be_created" console + adduser "$user_to_be_created" console pam-auth-update --enable console-lockdown-security-misc diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 43c5bbb..906fc0d 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -27,7 +27,7 @@ if [ ! "$grep_result" = "" ]; then echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 - echo "addgroup $PAM_USER console" >&2 + echo "adduser $PAM_USER console" >&2 echo "" >&2 echo "$0: However, possibly unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 From ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 13 Aug 2022 11:40:04 -0400 Subject: [PATCH 0611/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e23c52a..4ed7673 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit 272a33fe2c3c7666de96f9037094db8e9ab8e09e +Author: Patrick Schleizer +Date: Sat Aug 13 11:35:25 2022 -0400 + + addgroup -> adduser fix + +commit 7d5246693c5c07f76e3f2e29c3ed39d4910673ff +Author: Patrick Schleizer +Date: Fri Aug 12 07:52:26 2022 -0400 + + bumped changelog version + commit 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 Author: Patrick Schleizer Date: Thu Jul 28 09:56:24 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 54d1d3a..4001e17 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Aug 2022 15:40:04 +0000 + security-misc (3:25.7-1) unstable; urgency=medium * New upstream version (local package). From 92669dba186c6ac40ff601fd39639945cd7633c6 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 21 Aug 2022 23:02:44 +1000 Subject: [PATCH 0612/1650] Comment out machine check exception --- etc/default/grub.d/40_kernel_hardening.cfg | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 5f8476e..30dd19a 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -17,8 +17,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Zero memory at allocation and free time. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" -## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Machine check exception handler decides whether the system should panic or not based on the exception that happened. +## https://forums.whonix.org/t/kernel-hardening/7296/494 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" From d500205f556ba896417eb0bae1df0144b00ef7b9 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 21 Aug 2022 23:03:13 +1000 Subject: [PATCH 0613/1650] Update README.md --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index db4fe8e..0e1cf1b 100644 --- a/README.md +++ b/README.md @@ -68,9 +68,6 @@ use-after-free vulnerabilities and erase sensitive information in memory. * Page allocator freelist randomization is enabled. -* The machine check tolerance level is decreased which makes the kernel panic -on uncorrectable errors in ECC memory that could be exploited. - * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. From 2319458e9f1a0ae2b60cf5786122c19459bbaea1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Aug 2022 18:28:39 -0400 Subject: [PATCH 0614/1650] bumped changelog version --- changelog.upstream | 34 ++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4ed7673..12bbc46 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,37 @@ +commit cdfc175953a8ab358bb8e6db2610df11733ba258 +Merge: ff84514 ae4d498 +Author: Patrick Schleizer +Date: Mon Aug 22 06:09:30 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ae4d4989b0e8ea79b5661f098e9814379ff9401e +Merge: ff84514 d500205 +Author: Patrick Schleizer +Date: Mon Aug 22 06:09:40 2022 -0400 + + Merge pull request #113 from raja-grewal/master + + Comment out machine check exception + +commit d500205f556ba896417eb0bae1df0144b00ef7b9 +Author: Raja Grewal +Date: Sun Aug 21 23:03:13 2022 +1000 + + Update README.md + +commit 92669dba186c6ac40ff601fd39639945cd7633c6 +Author: Raja Grewal +Date: Sun Aug 21 23:02:44 2022 +1000 + + Comment out machine check exception + +commit ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 +Author: Patrick Schleizer +Date: Sat Aug 13 11:40:04 2022 -0400 + + bumped changelog version + commit 272a33fe2c3c7666de96f9037094db8e9ab8e09e Author: Patrick Schleizer Date: Sat Aug 13 11:35:25 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 4001e17..5367362 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 24 Aug 2022 22:28:39 +0000 + security-misc (3:25.8-1) unstable; urgency=medium * New upstream version (local package). From daa30d4e7830ba38ed52f83e6ac93c3a4e03ee33 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 9 Nov 2022 20:43:59 +1100 Subject: [PATCH 0615/1650] Include several framebuffer drivers into blacklist These were previously commented out to test for compatibility issues. --- etc/modprobe.d/30_security-misc.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 48d5b25..7acdb74 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -109,19 +109,19 @@ blacklist amd76x_edac ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco blacklist aty128fb blacklist atyfb -#blacklist radeonfb +blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb blacklist gx1fb blacklist hgafb blacklist i810fb -#blacklist intelfb +blacklist intelfb blacklist kyrofb blacklist lxfb blacklist matroxfb_bases blacklist neofb -#blacklist nvidiafb +blacklist nvidiafb blacklist pm2fb blacklist rivafb blacklist s1d13xxxfb @@ -130,7 +130,7 @@ blacklist sisfb blacklist sstfb blacklist tdfxfb blacklist tridentfb -#blacklist vesafb +blacklist vesafb blacklist vfb blacklist viafb blacklist vt8623fb From 6033de78152cb5d7a9659f58aa8035ae2a7d6532 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Nov 2022 11:58:50 -0500 Subject: [PATCH 0616/1650] debugging --- usr/libexec/security-misc/pam-info | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 906fc0d..e2be3d0 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -3,6 +3,8 @@ ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +true "$0: START" + grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. @@ -151,4 +153,6 @@ if [ "$PAM_SERVICE" = "su" ]; then echo "" >&2 fi +true "$0: END" + exit 0 From 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Nov 2022 12:00:59 -0500 Subject: [PATCH 0617/1650] comments --- usr/libexec/security-misc/pam-info | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index e2be3d0..4b09ef8 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
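Review bot: Un-commenting `blacklist vesafb` in this hunk removes the generic VESA framebuffer, which is the fallback console on machines and VMs where no KMS/DRM driver claims the display; the commit message says these four entries were commented out for compatibility testing, but the hunk records no result of that testing, so a reader cannot tell which configurations were verified. A comment such as `## radeonfb/intelfb/nvidiafb/vesafb: verified safe to blacklist on <tested environments>` (placeholder) above the block would preserve that. Note also that `blacklist` only stops alias-based autoloading; anything that names the module explicitly can still load it, so this is a soft disable rather than a hard one.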
@@ -3,6 +3,9 @@ ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +#set -x +#exec 5>&1 1>> ~/pam-info-debug.txt +#exec 6>&2 2>> ~/pam-info-debug.txt true "$0: START" grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" From 95487346dbb18c4ac9133fc21b4abed12dc346b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Nov 2022 12:29:41 -0500 Subject: [PATCH 0618/1650] pam-info: create debug log file ~/pam-info-debug.txt when file /etc/pam-info-debug exists --- usr/libexec/security-misc/pam-info | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 4b09ef8..9872e15 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -3,10 +3,21 @@ ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -#set -x -#exec 5>&1 1>> ~/pam-info-debug.txt -#exec 6>&2 2>> ~/pam-info-debug.txt -true "$0: START" +## To enable debug log, run: +## /etc/pam-info-debug +## +## Debug log if enabled can be found in file: +## /root/pam-info-debug.txt + +true "$0: START PHASE 1" + +if test -f /etc/pam-info-debug ; then + set -x + exec 5>&1 1>> ~/pam-info-debug.txt + exec 6>&2 2>> ~/pam-info-debug.txt +fi + +true "$0: START PHASE 2" grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" From 23b936b573c8989222a50d1ef8c35dc95589bb0e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Nov 2022 12:31:14 -0500 Subject: [PATCH 0619/1650] also support /usr/local/etc/pam-info-debug --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 9872e15..1799826 100755 --- a/usr/libexec/security-misc/pam-info 
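Review bot: The debug redirections `1>> ~/pam-info-debug.txt` and `2>> ~/pam-info-debug.txt` in this hunk resolve `~` from `$HOME` of the process PAM is running in, which is not necessarily `/root` as the new comment claims (a `su` or `sudo` session can carry the calling user's environment depending on configuration), so a root-owned `set -x` trace containing values such as `$PAM_USER` could be appended to a file in a directory the unprivileged user controls, following any symlink placed there. Using the fixed path the comment already documents, `exec 5>&1 1>> /root/pam-info-debug.txt` and likewise for stderr, and creating the file with restrictive permissions before appending, removes the ambiguity. The same applies to the hunk in the next commit that adds the `/usr/local/etc/pam-info-debug` trigger.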
+++ b/usr/libexec/security-misc/pam-info @@ -11,7 +11,7 @@ true "$0: START PHASE 1" -if test -f /etc/pam-info-debug ; then +if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then set -x exec 5>&1 1>> ~/pam-info-debug.txt exec 6>&2 2>> ~/pam-info-debug.txt From e5d7ab7082908e64596ccd1da835a781cae22456 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Nov 2022 12:44:12 -0500 Subject: [PATCH 0620/1650] comment --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 1799826..cdccbb8 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -4,7 +4,7 @@ ## See the file COPYING for copying conditions. ## To enable debug log, run: -## /etc/pam-info-debug +## sudo touch /etc/pam-info-debug ## ## Debug log if enabled can be found in file: ## /root/pam-info-debug.txt From bb6b509d06a1ae34ee407cb309c530e5dddfedfd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Nov 2022 01:44:21 -0500 Subject: [PATCH 0621/1650] pam-info refactoring --- usr/libexec/security-misc/pam-info | 34 ++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index cdccbb8..6a065fe 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -19,6 +19,11 @@ fi true "$0: START PHASE 2" +set -o pipefail + +## Debugging. +who_ami="$(whoami)" + grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. 
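Review bot: `who_ami="$(whoami)"` added under `## Debugging.` is never read in any visible hunk, so it is dead code unless something later uses it; if it exists only to appear in the `set -x` trace, say so (`## Debugging: only visible in the set -x trace.`) or drop it. `set -o pipefail` switched on mid-script also changes the exit status of every pipeline that follows, including `echo "$pam_faillock_output" | wc -l` in the later hunks, and if `set -e` is active above this hunk it would turn a previously ignored failure into an exit; whether `set -e` is in effect is not visible here.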
@@ -104,12 +109,16 @@ fi ## 2021-08-10 16:26:33 RHOST V ## 2021-08-10 16:26:54 RHOST V -pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)" +## Get first line. +#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" +echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true + +## example pam_faillock_output_first_line: +## user: + user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" - -pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" - -failed_login_counter=$(( pam_faillock_output_count - 2 )) +## example user_name: +## user if [ ! "$PAM_USER" = "$user_name" ]; then echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 @@ -118,12 +127,25 @@ if [ ! "$PAM_USER" = "$user_name" ]; then exit 0 fi +pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" +## example pam_faillock_output_count: +## 2 +## example pam_faillock_output_count: +## 4 + +## Do not count the first two informational textual output lines +## (starting with "user:" and "When"). +failed_login_counter=$(( pam_faillock_output_count - 2 )) + +## example failed_login_counter: +## 2 + if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 fi -## pam_faillock default +## pam_faillock default if it cannot be determined below. deny=3 if test -f /etc/security/faillock.conf ; then From ae113442a162969561a24fcf17718ceb6a11d928 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Nov 2022 01:49:45 -0500 Subject: [PATCH 0622/1650] pam-info refactoring --- usr/libexec/security-misc/pam-info | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 6a065fe..f62982a 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -95,20 +95,27 @@ fi # fi # fi -## Using || true to not break read-only disk boot without ro-mode-init or grub-live. -pam_faillock_output="$(faillock --user "$PAM_USER")" || true +## Checking exit code to avoid breaking when read-only disk boot without ro-mode-init or grub-live. +if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then + true "$0: faillock non-zero exit code." + exit 0 +fi if [ "$pam_faillock_output" = "" ]; then true "$0: no failed login" exit 0 fi -## Example: +## example pam_faillock_output (stdout): ## user: ## When Type Source Valid ## 2021-08-10 16:26:33 RHOST V ## 2021-08-10 16:26:54 RHOST V +## example pam_faillock_output (stderr): +## faillock: No user name supplied. +## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] + ## Get first line. #pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true From f59f959a8d43ebd80a4037e65ec26df7143bcaf5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Nov 2022 01:55:14 -0500 Subject: [PATCH 0623/1650] pam-info fix --- usr/libexec/security-misc/pam-info | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index f62982a..b16f84b 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -118,8 +118,11 @@ fi ## Get first line. #pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" -echo "$pam_faillock_output" | read -t 10 -r pam_faillock_output_first_line || true +while read -t 10 -r pam_faillock_output_first_line ; do + break +done <<< "$pam_faillock_output" +true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: From 487f63bb01c6dfc71d0e4efef2c70dae94093dce Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 16 Nov 2022 01:56:01 -0500 Subject: [PATCH 0624/1650] comment --- usr/libexec/security-misc/pam-info | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index b16f84b..0d9b4f3 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -95,7 +95,8 @@ fi # fi # fi -## Checking exit code to avoid breaking when read-only disk boot without ro-mode-init or grub-live. +## Checking exit code to avoid breaking when read-only disk boot but +## without ro-mode-init or grub-live being used. if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then true "$0: faillock non-zero exit code." exit 0 From caf0099064747a2048363e3600a53af51df549ad Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Nov 2022 02:00:32 -0500 Subject: [PATCH 0625/1650] pam-info refactoring --- usr/libexec/security-misc/pam-info | 34 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 0d9b4f3..2140026 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -24,6 +24,23 @@ set -o pipefail ## Debugging. who_ami="$(whoami)" +if [ ! "$(id -u)" = "0" ]; then + ## as user "user" + ## /usr/sbin/faillock -u user + ## faillock: Error opening /var/log/tallylog for update: Permission denied + ## /usr/sbin/faillock: Authentication error + ## + ## xscreensaver runs as user "user", therefore pam_faillock cannot function. + ## xscreensaver has its own failed login counter. + ## + ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts + ## + ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html + ## TODO: echo -> true + echo "$0: not started as root, exiting." + exit 0 +fi + grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. @@ -62,23 +79,6 @@ fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 -if [ ! "$(id -u)" = "0" ]; then - ## as user "user" - ## /usr/sbin/faillock -u user - ## faillock: Error opening /var/log/tallylog for update: Permission denied - ## /usr/sbin/faillock: Authentication error - ## - ## xscreensaver runs as user "user", therefore pam_faillock cannot function. - ## xscreensaver has its own failed login counter. - ## - ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - ## - ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - ## TODO: echo -> true - echo "$0: not started as root, exiting." - exit 0 -fi - ## Does not work (yet) for login, pam_securetty runs before and aborts. ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then From 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 16 Nov 2022 02:01:23 -0500 Subject: [PATCH 0626/1650] pam-info refactoring --- usr/libexec/security-misc/pam-info | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 2140026..c751e2d 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -41,6 +41,11 @@ if [ ! "$(id -u)" = "0" ]; then exit 0 fi +if ! command -v "faillock" &>/dev/null; then + echo "$0: The faillock program is unavailable, exiting." + exit 0 +fi + grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. From d419898ee494fb159ed6811a719dbb4a5ffb469a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 17 Nov 2022 10:15:36 -0500 Subject: [PATCH 0627/1650] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 12bbc46..e2ffcff 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 +Author: Patrick Schleizer +Date: Wed Nov 16 02:01:23 2022 -0500 + + pam-info refactoring + +commit caf0099064747a2048363e3600a53af51df549ad +Author: Patrick Schleizer +Date: Wed Nov 16 02:00:32 2022 -0500 + + pam-info refactoring + +commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce +Author: Patrick Schleizer +Date: Wed Nov 16 01:56:01 2022 -0500 + + comment + +commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5 +Author: Patrick Schleizer +Date: Wed Nov 16 01:55:14 2022 -0500 + + pam-info fix + +commit ae113442a162969561a24fcf17718ceb6a11d928 +Author: Patrick Schleizer +Date: Wed Nov 16 01:49:45 2022 -0500 + + pam-info refactoring + +commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd +Author: Patrick Schleizer +Date: Wed Nov 16 01:44:21 2022 -0500 + + pam-info refactoring + +commit e5d7ab7082908e64596ccd1da835a781cae22456 +Author: Patrick Schleizer +Date: Tue Nov 15 12:44:12 2022 -0500 + + comment + +commit 23b936b573c8989222a50d1ef8c35dc95589bb0e +Author: Patrick Schleizer +Date: Tue Nov 15 12:31:14 2022 -0500 + + also support /usr/local/etc/pam-info-debug + +commit 95487346dbb18c4ac9133fc21b4abed12dc346b3 +Author: Patrick Schleizer +Date: Tue Nov 15 12:29:41 2022 -0500 + + pam-info: create debug log file ~/pam-info-debug.txt + + when file /etc/pam-info-debug exists + +commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a +Author: Patrick Schleizer +Date: Tue Nov 15 12:00:59 2022 -0500 + + comments + +commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532 +Author: Patrick Schleizer +Date: Tue Nov 15 11:58:50 2022 -0500 + + debugging + +commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 +Author: Patrick Schleizer +Date: Wed Aug 24 18:28:39 2022 -0400 + + bumped changelog version + commit cdfc175953a8ab358bb8e6db2610df11733ba258 Merge: ff84514 ae4d498 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 5367362..c38ad9f 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:26.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 17 Nov 2022 15:15:36 +0000 + security-misc (3:25.9-1) unstable; urgency=medium * New upstream version (local package). From e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 22 Nov 2022 05:57:30 -0500 Subject: [PATCH 0628/1650] pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) --- etc/sudoers.d/security-misc | 3 +++ usr/bin/faillock-user | 35 ++++++++++++++++++++++++++++++ usr/libexec/security-misc/pam-info | 24 +++++--------------- 3 files changed, 44 insertions(+), 18 deletions(-) create mode 100755 usr/bin/faillock-user diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index f6bf3a6..9b3404d 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,3 +3,6 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops + +user ALL=NOPASSWD: /usr/bin/faillock-user +%sudo ALL=NOPASSWD: /usr/bin/faillock-user diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user new file mode 100755 index 0000000..fac1da8 --- /dev/null +++ b/usr/bin/faillock-user 
@@ -0,0 +1,35 @@ +#!/bin/bash + +## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if ! command -v "/usr/sbin/faillock" &>/dev/null; then + true "$0: ERROR: The faillock program is unavailable, exiting." + exit 2 +fi + +who_ami="$(whoami)" + +if [ "$(id -u)" = "0" ]; then + faillock_program="/usr/sbin/faillock" +else + ## as user "user" + ## /usr/sbin/faillock -u user + ## faillock: Error opening /var/log/tallylog for update: Permission denied + ## /usr/sbin/faillock: Authentication error + ## + ## xscreensaver runs as user "user", therefore pam_faillock cannot function. + ## xscreensaver has its own failed login counter. + ## + ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts + ## + ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html + #true "$0: not started as root, exiting." + #exit 0 + + faillock_program="sudo --non-interactive /usr/sbin/faillock" +fi + +$faillock_program --user "$who_ami" + +exit $? diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index c751e2d..d16a584 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
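Review bot: The non-root branch sets `faillock_program="sudo --non-interactive /usr/sbin/faillock"`, but the sudoers hunk in this same commit only permits `/usr/bin/faillock-user`, so that sudo call is refused (non-interactively) and the wrapper exits non-zero whenever an unprivileged caller runs it directly. The shape that matches the sudoers entry is for the caller to run `sudo --non-interactive /usr/bin/faillock-user` and for the wrapper to call `/usr/sbin/faillock` unconditionally. In that shape `--user "$who_ami"` resolves to root, so the wrong account's tally is read; `user_to_check="${SUDO_USER:-$who_ami}"` selects the invoking account instead. The trailing `exit $?` is redundant but harmless since the script's exit status is already that of the last command.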
@@ -24,25 +24,13 @@ set -o pipefail ## Debugging. who_ami="$(whoami)" -if [ ! "$(id -u)" = "0" ]; then - ## as user "user" - ## /usr/sbin/faillock -u user - ## faillock: Error opening /var/log/tallylog for update: Permission denied - ## /usr/sbin/faillock: Authentication error - ## - ## xscreensaver runs as user "user", therefore pam_faillock cannot function. - ## xscreensaver has its own failed login counter. - ## - ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - ## - ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - ## TODO: echo -> true - echo "$0: not started as root, exiting." +if [ "$PAM_USER" = "" ]; then + true "$0: ERROR: Environment variable PAM_USER is unset!" exit 0 fi -if ! command -v "faillock" &>/dev/null; then - echo "$0: The faillock program is unavailable, exiting." +if ! command -v "/usr/bin/faillock-user" &>/dev/null; then + true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting." exit 0 fi @@ -102,8 +90,8 @@ fi ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then - true "$0: faillock non-zero exit code." +if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then + true "$0: /usr/bin/faillock-user non-zero exit code." exit 0 fi From d7222b5678aa182866c389d8a88f55b6488e74e0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 22 Nov 2022 06:03:13 -0500 Subject: [PATCH 0629/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e2ffcff..c100eed 100644 --- a/changelog.upstream +++ b/changelog.upstream 
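Review bot: The `2>&1` present on the removed line is dropped in `if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then`, so faillock's stderr is no longer captured into the variable, and the `## example pam_faillock_output (stderr):` comment block just above this hunk now documents text that cannot appear there. If dropping the merge is intentional (it does avoid parsing a stderr warning as the `user:` line), the comment should say so and the stderr example should go; if not, `2>&1` should be restored so the diagnostics still reach the debug log. In the first hunk, `true "$0: ERROR: Environment variable PAM_USER is unset!"` is only visible under xtrace, which matches the file's convention but means a misconfigured PAM stack degrades silently with `exit 0`.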
@@ -1,3 +1,15 @@ +commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 +Author: Patrick Schleizer +Date: Tue Nov 22 05:57:30 2022 -0500 + + pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) + +commit d419898ee494fb159ed6811a719dbb4a5ffb469a +Author: Patrick Schleizer +Date: Thu Nov 17 10:15:36 2022 -0500 + + bumped changelog version + commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 Author: Patrick Schleizer Date: Wed Nov 16 02:01:23 2022 -0500 diff --git a/debian/changelog b/debian/changelog index c38ad9f..a7624d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:26.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 22 Nov 2022 11:03:13 +0000 + security-misc (3:26.0-1) unstable; urgency=medium * New upstream version (local package). From 6f695902fb70cbbc95b71f827216ab84edcfeb83 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 23 Nov 2022 23:53:40 +1100 Subject: [PATCH 0630/1650] Add comment about legacy Apple fiesystems --- etc/modprobe.d/30_security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 7acdb74..cda71ad 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -57,6 +57,7 @@ install can /bin/disabled-network-by-security-misc install atm /bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface +## HFS and HFS+ are legacy Apple filesystems that may be required depending of the EFI parition format install cramfs /bin/disabled-filesys-by-security-misc install freevxfs /bin/disabled-filesys-by-security-misc install jffs2 /bin/disabled-filesys-by-security-misc From 497b5b45442b1293b130fef63de1b84d091d27eb Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:14:04 -0500 Subject: [PATCH 0631/1650] fix --- usr/bin/faillock-user | 8 +++++++- usr/libexec/security-misc/pam-info | 16 +++++----------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user index fac1da8..fd491f1 100755 --- a/usr/bin/faillock-user +++ b/usr/bin/faillock-user @@ -10,6 +10,12 @@ fi who_ami="$(whoami)" +if [ "$SUDO_USER" = "" ]; then + user_to_check="$who_ami" +else + user_to_check="$SUDO_USER" +fi + if [ "$(id -u)" = "0" ]; then faillock_program="/usr/sbin/faillock" else @@ -30,6 +36,6 @@ else faillock_program="sudo --non-interactive /usr/sbin/faillock" fi -$faillock_program --user "$who_ami" +$faillock_program --user "$user_to_check" exit $? diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d16a584..0210634 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -21,14 +21,14 @@ true "$0: START PHASE 2" set -o pipefail -## Debugging. -who_ami="$(whoami)" - if [ "$PAM_USER" = "" ]; then true "$0: ERROR: Environment variable PAM_USER is unset!" exit 0 fi +## Debugging. +who_ami="$(whoami)" + if ! command -v "/usr/bin/faillock-user" &>/dev/null; then true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting." exit 0 @@ -123,13 +123,7 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" ## example user_name: ## user - -if [ ! "$PAM_USER" = "$user_name" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 - echo "$0: ERROR: Please report this bug." >&2 - echo "" >&2 - exit 0 -fi +## root pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: 
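Review bot: The `PAM_USER` versus `user_name` comparison removed in the `@@ -123,13 +123,7 @@` hunk was the only check that the faillock record being reported belongs to the account being authenticated, and nothing replaces it. As far as the wrapper's visible logic goes, the account it queries is `SUDO_USER` or `whoami`, i.e. the account running pam-info, not `PAM_USER`, so a mismatch is now reported as "failed login attempts for user_name ..." instead of being flagged. Keeping the comparison, or at least `true "$0: WARNING: PAM_USER '$PAM_USER' != user_name '$user_name'"` before the counts are used, would preserve the sanity check. In the wrapper hunk, `user_to_check="$SUDO_USER"` relies on sudo setting that variable, which holds for the sudoers path but not when the wrapper is run as root directly; a comment stating that assumption would help.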
@@ -183,7 +177,7 @@ if [ "$remaining_attempts" -le "0" ]; then exit 0 fi -echo "$0: WARNING: $failed_login_counter failed login attempts." >&2 +echo "$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'." >&2 echo "$0: Login will be blocked after $deny attempts." >&2 echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 echo "" >&2 From 97722d1926bc106a0645783fcb55b7d5691c873b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:14:15 -0500 Subject: [PATCH 0632/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c100eed..3d897e4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 497b5b45442b1293b130fef63de1b84d091d27eb +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:04 2022 -0500 + + fix + +commit d7222b5678aa182866c389d8a88f55b6488e74e0 +Author: Patrick Schleizer +Date: Tue Nov 22 06:03:13 2022 -0500 + + bumped changelog version + commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 Author: Patrick Schleizer Date: Tue Nov 22 05:57:30 2022 -0500 diff --git a/debian/changelog b/debian/changelog index a7624d3..ced8f30 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:26.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:14:15 +0000 + security-misc (3:26.1-1) unstable; urgency=medium * New upstream version (local package). From e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:24:14 -0500 Subject: [PATCH 0633/1650] debugging --- usr/bin/faillock-user | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user index fd491f1..083615c 100755 --- a/usr/bin/faillock-user +++ b/usr/bin/faillock-user 
@@ -3,6 +3,16 @@ ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +true "$0: START PHASE 1" + +if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then + set -x + exec 5>&1 1>> ~/pam-info-debug.txt + exec 6>&2 2>> ~/pam-info-debug.txt +fi + +true "$0: START PHASE 2" + if ! command -v "/usr/sbin/faillock" &>/dev/null; then true "$0: ERROR: The faillock program is unavailable, exiting." exit 2 From 36454c2dbf43de4805f2f156b05d263c37b9615a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:25:47 -0500 Subject: [PATCH 0634/1650] debugging --- usr/bin/faillock-user | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user index 083615c..ffe1988 100755 --- a/usr/bin/faillock-user +++ b/usr/bin/faillock-user @@ -20,6 +20,8 @@ fi who_ami="$(whoami)" +true "$0: SUDO_USER: $SUDO_USER" + if [ "$SUDO_USER" = "" ]; then user_to_check="$who_ami" else From d05c10172178d04781976026243297fa153125a0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:31:24 -0500 Subject: [PATCH 0635/1650] debugging --- usr/bin/faillock-user | 4 +++- usr/libexec/security-misc/pam-info | 9 ++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user index ffe1988..e8cf697 100755 --- a/usr/bin/faillock-user +++ b/usr/bin/faillock-user @@ -18,8 +18,10 @@ if ! command -v "/usr/sbin/faillock" &>/dev/null; then exit 2 fi +## Debugging. who_ami="$(whoami)" - +true "$0: who_ami: $who_ami" +true "$0: PAM_USER: $PAM_USER" true "$0: SUDO_USER: $SUDO_USER" if [ "$SUDO_USER" = "" ]; then diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 0210634..ab5f85f 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
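Review bot: `exec 5>&1 1>> ~/pam-info-debug.txt` in this hunk now runs inside a wrapper that is executed as root through the NOPASSWD sudoers entry, so xtrace output is appended with root privileges to a path derived from `HOME` of the invoking environment. Whether sudo resets `HOME` to root's home before this point depends on its configuration (env_reset / always_set_home), and `>>` follows an existing symlink, so the destination should not be left to the caller; an absolute root-owned path such as a constructed `/var/log/<PLACEHOLDER>` or `/root/pam-info-debug.txt` pins it. The toggle itself is gated on root-owned files under /etc and /usr/local/etc, which is the right direction; the log location should be fixed the same way. The xtrace will also record `PAM_USER`/`SUDO_USER` values from the later debugging lines, which is fine for a root-only log but worth noting in the header comment.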
@@ -21,14 +21,17 @@ true "$0: START PHASE 2" set -o pipefail +## Debugging. +who_ami="$(whoami)" +true "$0: who_ami: $who_ami" +true "$0: PAM_USER: $PAM_USER" +true "$0: SUDO_USER: $SUDO_USER" + if [ "$PAM_USER" = "" ]; then true "$0: ERROR: Environment variable PAM_USER is unset!" exit 0 fi -## Debugging. -who_ami="$(whoami)" - if ! command -v "/usr/bin/faillock-user" &>/dev/null; then true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting." exit 0 From 73963a9e6847fd8099093da1253267d79db7d261 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:31:37 -0500 Subject: [PATCH 0636/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3d897e4..46ad6d7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit d05c10172178d04781976026243297fa153125a0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:24 2022 -0500 + + debugging + +commit 36454c2dbf43de4805f2f156b05d263c37b9615a +Author: Patrick Schleizer +Date: Thu Nov 24 06:25:47 2022 -0500 + + debugging + +commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:24:14 2022 -0500 + + debugging + +commit 97722d1926bc106a0645783fcb55b7d5691c873b +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:15 2022 -0500 + + bumped changelog version + commit 497b5b45442b1293b130fef63de1b84d091d27eb Author: Patrick Schleizer Date: Thu Nov 24 06:14:04 2022 -0500 diff --git a/debian/changelog b/debian/changelog index ced8f30..0f2b02a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:26.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:31:37 +0000 + security-misc (3:26.2-1) unstable; urgency=medium * New upstream version (local package). 
From 39b35ef9ac7489685df5486334a0acf5936e9b47 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:49:15 -0500 Subject: [PATCH 0637/1650] fix --- usr/bin/faillock-user | 24 +++--------------------- usr/libexec/security-misc/pam-info | 14 +++++++++++++- 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user index e8cf697..aabdd1e 100755 --- a/usr/bin/faillock-user +++ b/usr/bin/faillock-user @@ -30,26 +30,8 @@ else user_to_check="$SUDO_USER" fi -if [ "$(id -u)" = "0" ]; then - faillock_program="/usr/sbin/faillock" -else - ## as user "user" - ## /usr/sbin/faillock -u user - ## faillock: Error opening /var/log/tallylog for update: Permission denied - ## /usr/sbin/faillock: Authentication error - ## - ## xscreensaver runs as user "user", therefore pam_faillock cannot function. - ## xscreensaver has its own failed login counter. - ## - ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - ## - ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - #true "$0: not started as root, exiting." - #exit 0 - - faillock_program="sudo --non-interactive /usr/sbin/faillock" -fi - -$faillock_program --user "$user_to_check" +faillock --user "$user_to_check" +## Debugging. +## Explicit "exit $?" to have it recorded in the xtrace if enabled. exit $? diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index ab5f85f..3da4d11 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
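Review bot: `faillock --user "$user_to_check"` drops the absolute path that both the removed lines and the availability check at the top of this file (`command -v "/usr/sbin/faillock"`) use, so a root-run wrapper now resolves the program through PATH while the check still looks at a fixed location. Under sudo that is normally secure_path, but check and call should agree; `/usr/sbin/faillock --user "$user_to_check"` keeps them consistent. The same applies to the pam-info hunk in PATCH 0639 (`faillock --user "$PAM_USER"`), where PATH is whatever the PAM-using service inherited and /usr/sbin is not always on an unprivileged user's PATH, so the lookup can fail with 127 and be swallowed by the `exit 0` branch without any indication.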
@@ -91,9 +91,21 @@ fi # fi # fi +## as user "user" +## /usr/sbin/faillock -u user +## faillock: Error opening /var/log/tallylog for update: Permission denied +## /usr/sbin/faillock: Authentication error +## +## xscreensaver runs as user "user", therefore pam_faillock cannot function. +## xscreensaver has its own failed login counter. +## +## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts +## +## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then +if ! pam_faillock_output="$(sudo --non-interactive /usr/bin/faillock-user)" ; then true "$0: /usr/bin/faillock-user non-zero exit code." exit 0 fi From 4601e106c4823f2cb0dc7a8ba601670395c96326 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 06:49:26 -0500 Subject: [PATCH 0638/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 46ad6d7..6f034ed 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 39b35ef9ac7489685df5486334a0acf5936e9b47 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:15 2022 -0500 + + fix + +commit 73963a9e6847fd8099093da1253267d79db7d261 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:37 2022 -0500 + + bumped changelog version + commit d05c10172178d04781976026243297fa153125a0 Author: Patrick Schleizer Date: Thu Nov 24 06:31:24 2022 -0500 diff --git a/debian/changelog b/debian/changelog index 0f2b02a..02fd616 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:26.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:49:25 +0000 + security-misc (3:26.3-1) unstable; urgency=medium * New upstream version (local package). From a806c782d78d691617dd650808a0403ce72d4a1a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 07:00:23 -0500 Subject: [PATCH 0639/1650] fix --- usr/libexec/security-misc/pam-info | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 3da4d11..e9441a2 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -32,11 +32,6 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -if ! command -v "/usr/bin/faillock-user" &>/dev/null; then - true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting." - exit 0 -fi - grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. @@ -105,8 +100,8 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(sudo --non-interactive /usr/bin/faillock-user)" ; then - true "$0: /usr/bin/faillock-user non-zero exit code." +if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then + true "$0: faillock non-zero exit code." exit 0 fi From ad1e722879ef049ef421f0062ee383770d66bfee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 07:00:33 -0500 Subject: [PATCH 0640/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6f034ed..7e718a8 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit a806c782d78d691617dd650808a0403ce72d4a1a +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:23 2022 -0500 + + fix + +commit 4601e106c4823f2cb0dc7a8ba601670395c96326 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:26 2022 -0500 + + bumped changelog version + commit 39b35ef9ac7489685df5486334a0acf5936e9b47 Author: Patrick Schleizer Date: Thu Nov 24 06:49:15 2022 -0500 diff --git a/debian/changelog b/debian/changelog index 02fd616..c053659 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:26.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:00:33 +0000 + security-misc (3:26.4-1) unstable; urgency=medium * New upstream version (local package). From 421f03ae9e648d366146415532d4dd9dda106980 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 07:20:56 -0500 Subject: [PATCH 0641/1650] fix --- usr/libexec/security-misc/pam-info | 78 ++++++++++++++++-------------- 1 file changed, 42 insertions(+), 36 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index e9441a2..381bedc 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -52,17 +52,18 @@ if [ ! "$grep_result" = "" ]; then fi if [ ! "$console_allowed" = "true" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "adduser $PAM_USER console" >&2 - echo "" >&2 - echo "$0: However, possibly unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.kicksecure.com/wiki/root#console" >&2 - echo "" >&2 + echo "\ +$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' +To unlock, run the following command as superuser: +(If you still have a sudo/root shell somewhere.) + +adduser $PAM_USER console + +However, possibly unlock procedure is required. +First boot into recovery mode at grub boot menu and then run above command. +See also: +https://www.kicksecure.com/wiki/root#console +" >&2 exit 0 fi fi @@ -76,11 +77,12 @@ fi # if [ -f /etc/securetty ]; then # grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# echo "$0: ERROR: Root login is disabled." >&2 -# echo "$0: ERROR: This is because /etc/securetty is empty." >&2 -# echo "$0: See also:" >&2 -# echo "https://www.kicksecure.com/wiki/root#login" >&2 -# echo "" >&2 +# echo "\ +# $0: ERROR: Root login is disabled. +# ERROR: This is because /etc/securetty is empty. +# See also: +# https://www.kicksecure.com/wiki/root#login +# " >&2 # exit 0 # fi # fi 
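Review bot: The multi-line `echo "\` form relies on backslash-newline being removed inside double quotes so that `$0:` starts the first output line; that is correct bash but non-obvious, and the same construct is repeated in the `@@ -164,37 +166,41 @@` hunk of this commit and in the commented-out securetty block below. A one-line comment above the first use, `## Backslash-newline inside double quotes is a line continuation; the message starts with "$0:" on the first output line.`, would make the intent visible, or a `cat >&2 <<EOF` here-document would avoid the continuation entirely and keep the text exactly as written. Since `$PAM_USER` is interpolated verbatim into text shown on the login terminal (`adduser $PAM_USER console`), the existing `'$PAM_USER'` quoting convention in the first line is worth keeping on that line too so an unusual name is unambiguous.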
@@ -164,37 +166,41 @@ if test -f /etc/security/faillock.conf ; then fi if [[ "$deny" == *[!0-9]* ]]; then - echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2 - echo "$0: ERROR: Please report this bug." >&2 - echo "" >&2 + echo "\ +$0: ERROR: deny is not numeric. deny: '$deny' +ERROR: Please report this bug. +" >&2 exit 0 fi remaining_attempts="$(( $deny - $failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then - echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "faillock --reset --user $PAM_USER" >&2 - echo "" >&2 - echo "$0: However, most likely unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.kicksecure.com/wiki/root#unlock" >&2 - echo "" >&2 + echo "\ +$0: ERROR: Login blocked after $failed_login_counter attempts. +To unlock, run the following command as superuser: +(If you still have a sudo/root shell somewhere.) + +faillock --reset --user $PAM_USER + +However, most likely unlock procedure is required. +First boot into recovery mode at grub boot menu and then run above command. +See also: +https://www.kicksecure.com/wiki/root#unlock +" >&2 exit 0 fi -echo "$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'." >&2 -echo "$0: Login will be blocked after $deny attempts." >&2 -echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 -echo "" >&2 +echo "\ +$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. +Login will be blocked after $deny attempts. +You have $remaining_attempts more attempts before unlock procedure is required. +" >&2 if [ "$PAM_SERVICE" = "su" ]; then - echo "$0: NOTE: Type the password. 
When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 - echo "" >&2 + echo "\ +$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. +" >&2 fi true "$0: END" From 6d7a78262464c054c46df155605a480f1b32f22c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 07:21:46 -0500 Subject: [PATCH 0642/1650] fix --- etc/sudoers.d/security-misc | 2 -- usr/bin/faillock-user | 37 ------------------------------------- 2 files changed, 39 deletions(-) delete mode 100755 usr/bin/faillock-user diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 9b3404d..96b9b92 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -4,5 +4,3 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -user ALL=NOPASSWD: /usr/bin/faillock-user -%sudo ALL=NOPASSWD: /usr/bin/faillock-user diff --git a/usr/bin/faillock-user b/usr/bin/faillock-user deleted file mode 100755 index aabdd1e..0000000 --- a/usr/bin/faillock-user +++ /dev/null 
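Review bot: The numeric guard `[[ "$deny" == *[!0-9]* ]]` accepts an empty string, so if `deny` is ever unset the next line computes `$(( - $failed_login_counter ))`, a negative value that trips the `-le 0` test and prints the "Login blocked" message for an account that may not be locked at all. Whether `deny` can be empty depends on the faillock.conf parsing above this hunk, which I cannot see; if it can, tighten the guard to `if [ -z "$deny" ] || [[ "$deny" == *[!0-9]* ]]; then`. No equivalent validation of `failed_login_counter` is visible in the hunk either; if it is not checked earlier, give it the same treatment before it enters the arithmetic.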
@@ -1,37 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -true "$0: START PHASE 1" - -if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then - set -x - exec 5>&1 1>> ~/pam-info-debug.txt - exec 6>&2 2>> ~/pam-info-debug.txt -fi - -true "$0: START PHASE 2" - -if ! command -v "/usr/sbin/faillock" &>/dev/null; then - true "$0: ERROR: The faillock program is unavailable, exiting." - exit 2 -fi - -## Debugging. -who_ami="$(whoami)" -true "$0: who_ami: $who_ami" -true "$0: PAM_USER: $PAM_USER" -true "$0: SUDO_USER: $SUDO_USER" - -if [ "$SUDO_USER" = "" ]; then - user_to_check="$who_ami" -else - user_to_check="$SUDO_USER" -fi - -faillock --user "$user_to_check" - -## Debugging. -## Explicit "exit $?" to have it recorded in the xtrace if enabled. -exit $? From 98f753d8ffcf6673a3130d45c23b84a4c35917b1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 24 Nov 2022 07:21:58 -0500 Subject: [PATCH 0643/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7e718a8..088bb95 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 6d7a78262464c054c46df155605a480f1b32f22c +Author: Patrick Schleizer +Date: Thu Nov 24 07:21:46 2022 -0500 + + fix + +commit 421f03ae9e648d366146415532d4dd9dda106980 +Author: Patrick Schleizer +Date: Thu Nov 24 07:20:56 2022 -0500 + + fix + +commit ad1e722879ef049ef421f0062ee383770d66bfee +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:33 2022 -0500 + + bumped changelog version + commit a806c782d78d691617dd650808a0403ce72d4a1a Author: Patrick Schleizer Date: Thu Nov 24 07:00:23 2022 -0500 diff --git a/debian/changelog b/debian/changelog index c053659..9181bec 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:26.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:21:58 +0000 + security-misc (3:26.5-1) unstable; urgency=medium * New upstream version (local package). From d67845fea89f4a74ed4b0a6eefbf2bf228b13a1b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 13 Dec 2022 16:11:24 +1100 Subject: [PATCH 0644/1650] Typo --- etc/modprobe.d/30_security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index cda71ad..0b3a84a 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -57,7 +57,7 @@ install can /bin/disabled-network-by-security-misc install atm /bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface -## HFS and HFS+ are legacy Apple filesystems that may be required depending of the EFI parition format +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format install cramfs /bin/disabled-filesys-by-security-misc install freevxfs /bin/disabled-filesys-by-security-misc install jffs2 /bin/disabled-filesys-by-security-misc From 929f49f333fc88d91ed4cef849921b0b4a69bfea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 Dec 2022 14:37:51 -0500 Subject: [PATCH 0645/1650] bumped changelog version --- changelog.upstream | 49 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 55 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 088bb95..9d71871 100644 --- a/changelog.upstream +++ b/changelog.upstream 
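Review bot: The corrected comment line still misspells "parition"; since the line is being touched anyway it should read `## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format`. The `install ... /bin/disabled-filesys-by-security-misc` directives below it are unchanged by this hunk.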
@@ -1,3 +1,38 @@ +commit 75beb52bd5b7cee4a48eead53dbbe7fac9f6cc9e +Merge: 98f753d 58b622f +Author: Patrick Schleizer +Date: Sun Dec 18 06:24:41 2022 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 58b622f0fe373b6e2fb30b9564b22f1064f690b0 +Merge: 98f753d f81714b +Author: Patrick Schleizer +Date: Sun Dec 18 06:23:26 2022 -0500 + + Merge pull request #114 from raja-grewal/framebuffer + + Add some framebuffer drivers into blacklist + +commit f81714be506d1b15c0e79cbe8378bf8a18a2256f +Merge: d67845f 98f753d +Author: Raja Grewal +Date: Tue Dec 13 05:14:56 2022 +0000 + + Merge branch 'Kicksecure:master' into framebuffer + +commit d67845fea89f4a74ed4b0a6eefbf2bf228b13a1b +Author: Raja Grewal +Date: Tue Dec 13 16:11:24 2022 +1100 + + Typo + +commit 98f753d8ffcf6673a3130d45c23b84a4c35917b1 +Author: Patrick Schleizer +Date: Thu Nov 24 07:21:58 2022 -0500 + + bumped changelog version + commit 6d7a78262464c054c46df155605a480f1b32f22c Author: Patrick Schleizer Date: Thu Nov 24 07:21:46 2022 -0500 @@ -70,6 +105,12 @@ Date: Thu Nov 24 06:14:04 2022 -0500 fix +commit 6f695902fb70cbbc95b71f827216ab84edcfeb83 +Author: Raja Grewal +Date: Wed Nov 23 23:53:40 2022 +1100 + + Add comment about legacy Apple fiesystems + commit d7222b5678aa182866c389d8a88f55b6488e74e0 Author: Patrick Schleizer Date: Tue Nov 22 06:03:13 2022 -0500 @@ -156,6 +197,14 @@ Date: Tue Nov 15 11:58:50 2022 -0500 debugging +commit daa30d4e7830ba38ed52f83e6ac93c3a4e03ee33 +Author: Raja Grewal +Date: Wed Nov 9 20:43:59 2022 +1100 + + Include several framebuffer drivers into blacklist + + These were previously commented out to test for compatibility issues. + commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 Author: Patrick Schleizer Date: Wed Aug 24 18:28:39 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 9181bec..1172ac5 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:26.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 18 Dec 2022 19:37:51 +0000 + security-misc (3:26.6-1) unstable; urgency=medium * New upstream version (local package). From a7015f4ddff892cab17f96713ddb0a720ebb7901 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 10:50:34 -0500 Subject: [PATCH 0646/1650] added files --- ...-boot-attack-defense-kexec-prepare.service | 10 ++++ .../modules.d/10ram-wipe-exit/module-setup.sh | 47 +++++++++++++++++++ .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 27 +++++++++++ .../modules.d/10ram-wipe-exit/wipe-ram.sh | 27 +++++++++++ .../40cold-boot-attack-defense/wipe-ram.sh | 1 + .../cold-boot-attack-defense-kexec-prepare | 39 +++++++++++++++ 6 files changed, 151 insertions(+) create mode 100644 lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh create mode 100755 usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service new file mode 100644 index 0000000..cfc1887 --- /dev/null +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -0,0 +1,10 @@ +[Unit] +Description=My Script + +[Service] +Type=oneshot +ExecStart=/bin/true +ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare + +[Install] +WantedBy=multi-user.target diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh new file mode 100644 index 0000000..b23bdbf --- /dev/null +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh 
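Review bot: The unit is `Type=oneshot` with `ExecStart=/bin/true` and no `RemainAfterExit=yes`, so as far as I can tell it becomes inactive the moment /bin/true returns and there is nothing left for systemd to stop at shutdown, meaning the `ExecStop=` script would never run. Add `RemainAfterExit=yes` under `[Service]` so the unit stays active until shutdown and the stop command actually fires. Because the stop script blocks on dbus-monitor until a matching line appears, an explicit `TimeoutStopSec=` would also be prudent so a missed match cannot stall shutdown indefinitely.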
@@ -0,0 +1,47 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Author: friedy10 friedrichdoku@gmail.com
+
+# called by dracut
+check() {
+ require_binaries sync || return 1
+ require_binaries sleep || return 1
+ require_binaries ls || return 1
+ require_binaries halt || return 1
+ require_binaries poweroff || return 1
+ require_binaries reboot || return 1
+ require_binaries cat || return 1
+ require_binaries sdmem || return 1
+ require_binaries pgrep || return 1
+ require_binaries dmsetup || return 1
+ return 0
+}
+
+# called by dracut
+depends() {
+ return 0
+}
+
+# called by dracut
+install() {
+ inst_multiple sync
+ inst_multiple sleep
+ inst_multiple ls
+ inst_multiple halt
+ inst_multiple poweroff
+ inst_multiple reboot
+ inst_multiple cat
+ inst_multiple sdmem
+ inst_multiple pgrep
+ inst_multiple dmsetup
+ inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
+ inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
+}
+
+# called by dracut
+installkernel() {
+ return 0
+}
+
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
new file mode 100644
index 0000000..2f061b7
--- /dev/null
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+## Author: friedy10 friedrichdoku@gmail.com
+
+
+ram_wipe_check_needshutdown() {
+ local wipe_action
+ wipe_action=$(getarg wiperamaction)
+
+ wait $(pgrep sdmem)
+ info "DONE WAITING..."
+
+ if [ "$wipe_action" = "reboot" ]; then
+ reboot -f
+ fi
+
+ if [ "$wipe_action" = "poweroff" ]; then
+ poweroff -f
+ fi
+
+ if [ "$wipe_action" = "halt" ]; then
+ halt -f
+ fi
+}
+
+ram_wipe_check_needshutdown
+
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
new file mode 100644
index 0000000..78cadef
--- /dev/null
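Review bot: `wait $(pgrep sdmem)` in ram_wipe_check_needshutdown cannot synchronise on anything: shell `wait` only applies to children of the current shell, and sdmem is launched from a different hook (wipe-ram.sh in pre-udev), where it runs in the foreground and has already exited by the time pre-trigger runs. The line is therefore a no-op and the "DONE WAITING..." message is misleading; drop it, or if a real synchronisation point is wanted, have wipe-ram.sh record completion (e.g. `touch /run/ram-wipe-done`) and test for that file here. Separately, when `wiperamaction` is absent or unrecognised the function falls through and the initramfs continues a normal boot; if `wiperamexit=yes` was passed that is unlikely to be the intended outcome, so consider a `poweroff -f` default or at least a `warn "unknown wiperamaction: '$wipe_action'"` before falling through.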
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +## Author: friedy10 friedrichdoku@gmail.com + +ram_wipe_action() { + local kernel_wiperam_exit + ## getarg returns the last parameter only. + ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. + kernel_wiperam_exit=$(getarg wiperamexit) + + + if [ "$kernel_wiperam_exit" = "no" ]; then + info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." + return 0 + else + if [ "$kernel_wiperam_exit" != "yes" ]; then + info "INFO: Skip, becuase wiperamexit parameter is not used. " + return 0 + fi + fi + + info "INFO: wiperamexit=yes. Running second RAM wipe... " + + sdmem -l -l -v +} +ram_wipe_action + diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 1f7566c..b7aa945 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -72,6 +72,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg sleep 5 fi + kexec -e } ram_wipe diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare new file mode 100755 index 0000000..3865afb --- /dev/null +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
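Review bot: `kexec -e` is issued unconditionally at the end of ram_wipe, whose body begins above this hunk. If no image was staged (the prepare service did not run, or the kexec load was refused) the command fails and shutdown silently continues without the second RAM wipe, with no trace in the kernel log that the rest of the function writes to via `> /dev/kmsg`. Check `/sys/kernel/kexec_loaded` first and report the outcome through the same channel, so a failed arm is visible rather than silent.

```shell
    # … unchanged: dmsetup check and sleep 5 …
    if [ "$(cat /sys/kernel/kexec_loaded 2>/dev/null)" = "1" ]; then
        kexec -e || echo "ERROR: kexec -e failed, continuing shutdown without second RAM wipe." > /dev/kmsg
    else
        echo "INFO: no kexec image loaded, skipping second RAM wipe." > /dev/kmsg
    fi
}
```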
@@ -0,0 +1,39 @@ +#!/bin/bash +## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. +## modified by Friedrich Doku + +set -x +set -e + +true "env:" +env + +## Debugging. +## Lets hope $1 is set to reboot, poweroff or halt by systemd. +true "1: $1" + +sudo dbus-monitor --system | + while read -r line; do + if [[ $line =~ .*"poweroff.target".* ]]; then + kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff" + break + fi + + if [[ $line =~ .*"reboot.target".* ]]; then + kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" + break + fi + + if [[ $line =~ .*"halt.target".* ]]; then + kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt" + break + fi + + if [[ $line =~ .*"kexec.target".* ]]; then + kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" + break + fi + done + +sleep 10 From 73913ea5afef8354f433f7cf87c7cd64c16be0a0 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:49:34 -0500 Subject: [PATCH 0647/1650] Added checks --- ...-boot-attack-defense-kexec-prepare.service | 4 ++- .../40cold-boot-attack-defense/wipe-ram.sh | 2 +- .../cold-boot-attack-defense-kexec-prepare | 32 ++++++++++++++----- 3 files changed, 28 insertions(+), 10 deletions(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index cfc1887..13bf23a 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service 
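Review bot: Every `kexec -l` here stages the image through the legacy kexec_load syscall, so the kernel receives a blob it cannot verify; under Secure Boot or kernel lockdown that syscall is refused and the defense silently never arms. Use the `-s` form, `kexec -s -l "$kernel" --initrd="$initrd" --reuse-cmdline --append=...` (kexec_file_load), which is the variant permitted under lockdown and lets the kernel enforce image signature checks where they are enabled. If this package's sysctl hardening sets `kernel.kexec_load_disabled=1` (not visible from here), both syscalls are blocked and this service needs an explicit exception to work at all; that interaction should be documented at the top of the script. Note also that `dbus-monitor` never terminates on its own, so if no matching line arrives the stop job blocks until the unit's stop timeout.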
@@ -1,5 +1,7 @@ +### Copyrigh (C) 2023 - 2023 Friedrich Doku + [Unit] -Description=My Script +Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense [Service] Type=oneshot diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index b7aa945..d96f32b 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -72,7 +72,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg sleep 5 fi - kexec -e + kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed" } ram_wipe diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 3865afb..1e6f7a5 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,8 +1,7 @@ #!/bin/bash ## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. -## modified by Friedrich Doku - set -x set -e 
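Review bot: In the wipe-ram.sh hunk the `&& echo "kexec -e succeeded"` branch is unreachable, because a successful `kexec -e` does not return to the shell; only the failure branch can ever execute. That failure message goes to stdout, whereas the surrounding lines of ram_wipe log via `> /dev/kmsg`, so in the shutdown initramfs it is probably lost, and the `||` also masks the non-zero status. Suggest `kexec -e || echo "ERROR: kexec -e failed, shutdown continues without second RAM wipe." > /dev/kmsg` instead. The body of ram_wipe starts above this hunk.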
@@ -13,27 +12,44 @@ env ## Lets hope $1 is set to reboot, poweroff or halt by systemd. true "1: $1" -sudo dbus-monitor --system | +initrd=/boot/initrd.img-$(uname -r) +kernel=/boot/vmlinuz-$(uname -r) + +if test -e $initrd; then + echo "Initrd File Found" +else + exit 1 + echo "Initrd File NOT FOUND" +fi + +if test -e $kernel; then + echo "Kernel File Found" +else + exit 1 + echo "Kernel File NOT FOUND" +fi + + +dbus-monitor --system | while read -r line; do if [[ $line =~ .*"poweroff.target".* ]]; then - kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff" + kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff" break fi if [[ $line =~ .*"reboot.target".* ]]; then - kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" + kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" break fi if [[ $line =~ .*"halt.target".* ]]; then - kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt" + kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt" break fi if [[ $line =~ .*"kexec.target".* ]]; then - kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" + kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" break fi done -sleep 10 From 14c7239681300edc4f715bc96c5235cddf677c60 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:50:42 -0500 Subject: [PATCH 0648/1650] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
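Review bot: The loop keys off every line `dbus-monitor --system` prints, so any message whose text merely contains `poweroff.target`, `reboot.target` or `halt.target` — a `systemctl status poweroff.target` query, or a string argument sent by an unprivileged bus client — would trigger `kexec -l` with that action before shutdown actually begins, and the `wiperamaction` appended is then decided by whichever string happens to appear first. If my reading is right, narrow the capture to systemd's own job signals, e.g. `dbus-monitor --system "type='signal',sender='org.freedesktop.systemd1',interface='org.freedesktop.systemd1.Manager',member='JobNew'"`, or query `systemctl list-jobs` from the stop script instead of sniffing the bus. The new existence checks should also quote their operands, `if test -e "$initrd"; then` and `if test -e "$kernel"; then`, matching the quoting used elsewhere in the file.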
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index b23bdbf..28482a4 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,7 +2,7 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -# Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku # called by dracut check() { From 7fa64d68423d24668e44eb0d7e19ccf4845ee711 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:50:58 -0500 Subject: [PATCH 0649/1650] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 2f061b7..72911b2 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku ram_wipe_check_needshutdown() { From d67d3c1d7d788fff589806457ff140e8f82089a0 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:51:18 -0500 Subject: [PATCH 0650/1650] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 78cadef..e53d03b 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh 
@@ -1,6 +1,6 @@ #!/bin/sh -## Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku ram_wipe_action() { local kernel_wiperam_exit From 28687092ef4f57afab5e8d32f68492799694a379 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:52:36 -0500 Subject: [PATCH 0651/1650] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 1e6f7a5..2c895ca 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -18,15 +18,15 @@ kernel=/boot/vmlinuz-$(uname -r) if test -e $initrd; then echo "Initrd File Found" else - exit 1 echo "Initrd File NOT FOUND" + exit 1 fi if test -e $kernel; then echo "Kernel File Found" else - exit 1 echo "Kernel File NOT FOUND" + exit 1 fi From f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:46:40 -0500 Subject: [PATCH 0652/1650] Update module-setup.sh --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index 0d72a11..eedcf3f 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh 
@@ -2,13 +2,10 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. -## Credits: -## First version by @friedy10. -## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/module-setup.sh - # called by dracut check() { require_binaries sync || return 1 From c5accc5ad191fe54a96e12cd1f1286508da8243c Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:46:51 -0500 Subject: [PATCH 0653/1650] Update wipe-ram-needshutdown.sh --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 2245fe4..6b94638 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -1,6 +1,7 @@ #!/bin/sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh From 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:01 -0500 Subject: [PATCH 0654/1650] Update wipe-ram.sh --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index d96f32b..5ac3465 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -1,6 +1,7 @@ #!/bin/sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. ## Credits: From 114a37fcd39ff20ddd9e8cca829763a9b96a8115 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:14 -0500 Subject: [PATCH 0655/1650] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index 28482a4..48e1054 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,7 +2,9 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. # called by dracut check() { From 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:23 -0500 Subject: [PATCH 0656/1650] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 72911b2..58d496f 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -1,6 +1,8 @@ #!/bin/sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. ram_wipe_check_needshutdown() { From 37a5264696797c0807570606361e04cb8dcb2395 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:34 -0500 Subject: [PATCH 0657/1650] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index e53d03b..ee2e955 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -1,6 +1,8 @@ #!/bin/sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. ram_wipe_action() { local kernel_wiperam_exit From 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:48:03 -0500 Subject: [PATCH 0658/1650] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 2c895ca..fe0e2bb 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,5 +1,5 @@ #!/bin/bash -## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. set -x From f4637509205c11eddaa13151b93c961e9d345be6 Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:48:22 -0500 Subject: [PATCH 0659/1650] Update cold-boot-attack-defense-kexec-prepare.service --- .../system/cold-boot-attack-defense-kexec-prepare.service | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index 13bf23a..d07b932 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -1,4 +1,6 @@ -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. [Unit] Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense From 62dcdcf7649175e0587a84708e8f0aa318a45d30 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:51:45 -0500 Subject: [PATCH 0660/1650] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index fe0e2bb..3a43274 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,6 +1,6 @@ #!/bin/bash -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. set -x set -e From 014d10b9778907a9282ec337023f8c2b01b0ca6b Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:09 -0500 Subject: [PATCH 0661/1650] Update cold-boot-attack-defense-kexec-prepare.service --- .../system/cold-boot-attack-defense-kexec-prepare.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index d07b932..67589bc 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -1,5 +1,5 @@ -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. [Unit] From ec68ee6ded7294c161b3d0793bf8874b12262190 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:32 -0500 Subject: [PATCH 0662/1650] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index 48e1054..9785aa9 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,8 +2,8 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. # called by dracut From 33877250172349cccb2c776c1fa7aed2e8ad716f Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:42 -0500 Subject: [PATCH 0663/1650] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 58d496f..0a9e368 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. From b3d4314a069a608380ca9dd01d76c653bdb87078 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:51 -0500 Subject: [PATCH 0664/1650] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index ee2e955..6b35028 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. ram_wipe_action() { From d45ba826bca6f5efef846de01a34a0a8c7936442 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:10 -0500 Subject: [PATCH 0665/1650] Update module-setup.sh --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index eedcf3f..194fa8b 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -2,8 +2,8 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. # called by dracut From 779ad24b573b83c08e89569e5213e018377d1535 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:18 -0500 Subject: [PATCH 0666/1650] Update wipe-ram-needshutdown.sh --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 6b94638..1876294 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh From 4b7053a6353cf0e092a6ef712e955b4318671bfc Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:28 -0500 Subject: [PATCH 0667/1650] Update wipe-ram.sh --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 5ac3465..5d69f65 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. ## Credits: From 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 21:32:57 -0500 Subject: [PATCH 0668/1650] Checking job queue instead of dbus --- ...-boot-attack-defense-kexec-prepare.service | 1 + .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 10 +++++ .../cold-boot-attack-defense-kexec-prepare | 39 +++++++++---------- 3 files changed, 29 insertions(+), 21 deletions(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index 67589bc..7d78ce0 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -7,6 +7,7 @@ Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense [Service] Type=oneshot +RemainAfterExit=yes ExecStart=/bin/true ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 0a9e368..c696284 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -15,6 +15,10 @@ ram_wipe_check_needshutdown() { if [ "$wipe_action" = "reboot" ]; then reboot -f fi + + if [ "$wipe_action" = "kexec" ]; then + reboot -f + fi if [ "$wipe_action" = "poweroff" ]; then poweroff -f @@ -23,6 +27,12 @@ ram_wipe_check_needshutdown() { if [ "$wipe_action" = "halt" ]; then halt -f fi + + if [ "$wipe_action" = "error" ]; then + echo "Choice of shutdown option led to an error. Shutting down..." + sleep 5 + poweroff -f + fi } ram_wipe_check_needshutdown diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 3a43274..dab095d 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
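Review bot: ram_wipe_check_needshutdown still has no catch-all after this hunk: the new `error` branch only fires when wiperamaction is literally `error`, so an empty, unknown or truncated value falls through every `if` and the function returns without taking any shutdown action, which for a hook that runs after the second RAM wipe is the worst outcome. Since `reboot -f`, `poweroff -f` and `halt -f` do not return, a trailing fallback is safe; I would replace the `= "error"` test with an unconditional tail: `info "unrecognized wiperamaction='$wipe_action', powering off..."`, `sleep 5`, `poweroff -f`. Whether something later in the dracut cleanup stage would shut the system down anyway is not visible here.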
@@ -30,26 +30,23 @@ else fi -dbus-monitor --system | - while read -r line; do - if [[ $line =~ .*"poweroff.target".* ]]; then - kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff" - break - fi +if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then + wram="yes" + wact="poweroff" +elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then + wram="yes" + wact="reboot" +elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then + wram="yes" + wact="halt" +elif systemctl list-jobs | grep "kexec.target" | grep -q "start"; then + wram="yes" + wact="kexec" +else + echo "Error no shutdown option found!" + wram="yes" + wact="error" +fi - if [[ $line =~ .*"reboot.target".* ]]; then - kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" - break - fi - - if [[ $line =~ .*"halt.target".* ]]; then - kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt" - break - fi - - if [[ $line =~ .*"kexec.target".* ]]; then - kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot" - break - fi - done +kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" From 8da3b9c40c6ee073addcc06d5227b3043438b768 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 21:40:17 -0500 Subject: [PATCH 0669/1650] fix last line --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index dab095d..7ae5b8b 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
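Review bot: The shutdown target is derived from four separate `systemctl list-jobs` calls while shutdown is already in progress, so the job queue can change between invocations and the chain can miss the target it was started for and land in the `else` branch spuriously; read the queue once into a variable and test that. The final `kexec -l` line also leaves `$kernel` and `$initrd` unquoted; `"$kernel" --initrd="$initrd"` costs nothing and survives a path with spaces. The `$kernel`/`$initrd` setup this hunk relies on is above the hunk and not visible here.
```shell
## Read the job queue once: it keeps changing while shutdown is in progress,
## so separate calls per target can observe different states.
job_list="$(systemctl list-jobs)"
if printf '%s\n' "$job_list" | grep "poweroff.target" | grep -q "start"; then
   wram="yes"
   wact="poweroff"
elif printf '%s\n' "$job_list" | grep "reboot.target" | grep -q "start"; then
   wram="yes"
   wact="reboot"
## … unchanged: halt / kexec / else branches, same pattern on "$job_list" …
```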
@@ -48,5 +48,5 @@ else wact="error" fi -kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" +kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" From 78a4fad6674bb11fa682b908e0d3bc63705e7d20 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Sat, 7 Jan 2023 11:14:31 -0500 Subject: [PATCH 0670/1650] Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec --- etc/sysctl.d/30_security-misc.conf | 3 ++- .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 6 +----- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 17 +++++++-------- .../40cold-boot-attack-defense/wipe-ram.sh | 18 ++++++++-------- .../cold-boot-attack-defense-kexec-prepare | 21 +++++++++++-------- 5 files changed, 32 insertions(+), 33 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 3862e1d..c376779 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -37,7 +37,8 @@ net.core.bpf_jit_harden=2 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 +## kexec is required for cold boot attack defense +## kernel.kexec_load_disabled=1 ## Hides kernel addresses in various files in /proc. ## Kernel addresses can be very useful in certain exploits. 
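Review bot: Commenting out `kernel.kexec_load_disabled=1` re-enables the kexec_load syscall system-wide, which lets any root process replace the running kernel; that is exactly the hardening the old line provided, and the long comment kept in the hunk even describes the intended pattern (load an image first, then set the one-way toggle). Because this feature only loads its image at shutdown from the ExecStop script, the toggle cannot be set at boot without breaking the defense, so the trade-off deserves an explicit note rather than a one-line remark, e.g. `## Deliberately not set: cold-boot-attack-defense-kexec-prepare must run kexec -l during shutdown, which this toggle would block. Re-enable if the RAM wipe feature is not used.` Whether the image could instead be loaded early in boot (with the action passed another way) so the sysctl can stay on is not visible here, but it would be worth recording as the open question.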
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index c696284..952e418 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -16,10 +16,6 @@ ram_wipe_check_needshutdown() { reboot -f fi - if [ "$wipe_action" = "kexec" ]; then - reboot -f - fi - if [ "$wipe_action" = "poweroff" ]; then poweroff -f fi @@ -29,7 +25,7 @@ ram_wipe_check_needshutdown() { fi if [ "$wipe_action" = "error" ]; then - echo "Choice of shutdown option led to an error. Shutting down..." + info "Choice of shutdown option led to an error. Shutting down..." sleep 5 poweroff -f fi diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 6b35028..e2daa84 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -6,19 +6,18 @@ ram_wipe_action() { local kernel_wiperam_exit - ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." - return 0 - else - if [ "$kernel_wiperam_exit" != "yes" ]; then - info "INFO: Skip, becuase wiperamexit parameter is not used. " - return 0 - fi + info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." + return 0 + fi + + + if [ "$kernel_wiperam_exit" != "yes" ]; then + info "INFO: Skip, becuase wiperamexit parameter is not used. " + return 0 fi info "INFO: wiperamexit=yes. Running second RAM wipe... " diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 5d69f65..a30c285 100755 
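Review bot: The comment explaining that getarg returns only the last occurrence of a parameter is removed from ram_wipe_action without replacement, and that property is what makes `--reuse-cmdline --append="wiperamexit=..."` in kexec-prepare override any earlier `wiperamexit=no` already on the reused command line, which presumably is why the `no` check here is safe. Suggest keeping it, corrected for this parameter: `## getarg returns the last occurrence only: with --reuse-cmdline --append, the wiperamexit= value appended by kexec-prepare wins over any earlier one.` The body of ram_wipe_action continues past this hunk.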
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -23,20 +23,20 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg else if systemd-detect-virt &>/dev/null ; then - echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg return 0 fi fi - echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg drop_caches 
@@ -46,24 +46,24 @@ ram_wipe() { drop_caches - echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg + info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg ## This should probably be removed in production? sleep 3 else - echo "\ + info "\ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: @@ -73,7 +73,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg sleep 5 fi - kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed" + kexec -e && info "kexec -e succeeded" || info "kexec -e failed" } ram_wipe diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 7ae5b8b..83e35f5 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
@@ -12,8 +12,16 @@ env ## Lets hope $1 is set to reboot, poweroff or halt by systemd. true "1: $1" -initrd=/boot/initrd.img-$(uname -r) -kernel=/boot/vmlinuz-$(uname -r) + +# Get the kernel command-line arguments +cmdline=$(cat /proc/cmdline) + +# Get the current boot image +kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) +initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") + +kernel="/boot/$kernel" +initrd="/boot/$initrd" if test -e $initrd; then echo "Initrd File Found" @@ -39,14 +47,9 @@ elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then wram="yes" wact="halt" -elif systemctl list-jobs | grep "kexec.target" | grep -q "start"; then - wram="yes" - wact="kexec" else - echo "Error no shutdown option found!" - wram="yes" - wact="error" + echo "No shutdown option found!" + exit 0 fi kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" - From b8e82fffca0138afaf20e1b2faf755ce1533af45 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Sat, 7 Jan 2023 11:31:02 -0500 Subject: [PATCH 0671/1650] Get rid of /dev/kmsg --- .../40cold-boot-attack-defense/wipe-ram.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index a30c285..2346a12 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
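Review bot: The BOOT_IMAGE parsing has no failure path: if `/proc/cmdline` carries no `BOOT_IMAGE=` (EFI stub, systemd-boot, or a kernel that was itself kexec'd), `grep -o` matches nothing, `$kernel` and `$initrd` both become `/boot/`, and the following `test -e $initrd` passes because `/boot` is a directory, so the script proceeds towards `kexec -l /boot/`. Use a file test and bail out on an empty value: `[ -n "$kernel" ] && [ -f "$kernel" ] && [ -f "$initrd" ] || { echo "ERROR: cannot determine kernel/initrd from BOOT_IMAGE" >&2; exit 1; }`. Note also that GRUB's BOOT_IMAGE is relative to the partition it booted from, so it is `/vmlinuz-…` with a separate `/boot` partition but `/boot/vmlinuz-…` otherwise, and the unconditional `/boot/` prefix would break the latter; the `test -e` branches after the hunk are only partly visible, so I cannot tell how that case is reported.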
@@ -23,20 +23,20 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." return 0 fi fi - info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." drop_caches 
@@ -46,20 +46,20 @@ ram_wipe() { drop_caches - info "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: RAM wipe completed, OK." ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg + info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." ## This should probably be removed in production? sleep 3 else @@ -68,7 +68,7 @@ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' -dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg +dmsetup_actual_output: '$dmsetup_actual_output'" ## How else could the user be informed that something is wrong? sleep 5 fi From 2860560edb7951a8ac9de1c23c9655c655b40f23 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:43:07 -0500 Subject: [PATCH 0672/1650] minor --- .../modules.d/10ram-wipe-exit/module-setup.sh | 1 - .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 13 ++++---- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 10 +++---- .../module-setup.sh | 30 +++++++++---------- .../40cold-boot-attack-defense/wipe-ram.sh | 2 +- 5 files changed, 26 insertions(+), 30 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index 9785aa9..76d4ac2 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -46,4 +46,3 @@ install() { installkernel() { return 0 } - diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 952e418..9621efe 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -15,21 +15,20 @@ ram_wipe_check_needshutdown() { if [ "$wipe_action" = "reboot" ]; then reboot -f fi - + if [ "$wipe_action" = "poweroff" ]; then poweroff -f fi - + if [ "$wipe_action" = "halt" ]; then halt -f fi - + if [ "$wipe_action" = "error" ]; then - info "Choice of shutdown option led to an error. Shutting down..." - sleep 5 - poweroff -f + info "Choice of shutdown option led to an error. Shutting down..." + sleep 5 + poweroff -f fi } ram_wipe_check_needshutdown - diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index e2daa84..d43ff5e 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh 
@@ -8,21 +8,19 @@ ram_wipe_action() { local kernel_wiperam_exit kernel_wiperam_exit=$(getarg wiperamexit) - if [ "$kernel_wiperam_exit" = "no" ]; then info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." return 0 fi - if [ "$kernel_wiperam_exit" != "yes" ]; then - info "INFO: Skip, becuase wiperamexit parameter is not used. " + info "INFO: Skip, becuase wiperamexit parameter is not used." return 0 fi - info "INFO: wiperamexit=yes. Running second RAM wipe... " - + info "INFO: wiperamexit=yes. Running second RAM wipe..." + sdmem -l -l -v } -ram_wipe_action +ram_wipe_action diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index 194fa8b..cb679e8 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh 
@@ -8,31 +8,31 @@ # called by dracut check() { - require_binaries sync || return 1 - require_binaries sleep || return 1 - require_binaries sdmem || return 1 - require_binaries dmsetup || return 1 - require_binaries systemd-detect-virt || return 1 - return 0 + require_binaries sync || return 1 + require_binaries sleep || return 1 + require_binaries sdmem || return 1 + require_binaries dmsetup || return 1 + require_binaries systemd-detect-virt || return 1 + return 0 } # called by dracut depends() { - return 0 + return 0 } # called by dracut install() { - inst_multiple sync - inst_multiple sleep - inst_multiple sdmem - inst_multiple dmsetup - inst_multiple systemd-detect-virt - inst_hook shutdown 40 "$moddir/wipe-ram.sh" - inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh" + inst_multiple sync + inst_multiple sleep + inst_multiple sdmem + inst_multiple dmsetup + inst_multiple systemd-detect-virt + inst_hook shutdown 40 "$moddir/wipe-ram.sh" + inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh" } # called by dracut installkernel() { - return 0 + return 0 } diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 2346a12..edab86b 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -64,7 +64,7 @@ ram_wipe() { sleep 3 else info "\ -WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! +WARNING: wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' From 999a82ed946c8fd57654a0a90e2a2e53ef98a788 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:46:21 -0500 Subject: [PATCH 0673/1650] output --- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 6 +++--- .../40cold-boot-attack-defense/wipe-ram.sh | 20 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index d43ff5e..b08c7bd 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -9,16 +9,16 @@ ram_wipe_action() { kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." + info "Skip, because wiperamexit=no kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_exit" != "yes" ]; then - info "INFO: Skip, becuase wiperamexit parameter is not used." + info "Skip, because wiperamexit parameter is unset." return 0 fi - info "INFO: wiperamexit=yes. Running second RAM wipe..." + info "wiperamexit=yes, therefore running second RAM wipe..." sdmem -l -l -v } diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index edab86b..2cf5043 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -23,20 +23,20 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." + info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "INFO: wipe-ram.sh: wiperam=force detected, OK." + info "wipe-ram.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." return 0 fi fi - info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." + info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." drop_caches 
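Review bot: `if systemd-detect-virt &>/dev/null ; then` in a `#!/bin/sh` script is a bash-only redirection: under dash, `&>` parses as `systemd-detect-virt &` followed by a bare `>/dev/null`, the `if` sees the exit status of that empty redirection command (0), and the "VM detected" branch is taken on every machine, so the RAM wipe is skipped on bare metal unless `wiperam=force` is given. Whether the initramfs /bin/sh is dash or bash is not visible here, but the portable form is correct in both: `if systemd-detect-virt >/dev/null 2>&1 ; then`. This is a context line of the hunk, not something this commit changes, but it decides whether the whole defense runs.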
@@ -46,25 +46,25 @@ ram_wipe() { drop_caches - info "INFO: wipe-ram.sh: RAM wipe completed, OK." + info "wipe-ram.sh: RAM wipe completed, OK." ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." + info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." + info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." ## This should probably be removed in production? sleep 3 else - info "\ -WARNING: wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! + warn "\ +wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' @@ -73,7 +73,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - kexec -e && info "kexec -e succeeded" || info "kexec -e failed" + kexec -e && info "kexec -e succeeded" || warn "kexec -e failed" } ram_wipe From c2b20603fdd62a3f82c842c7ebeaad0f70e005d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:49:18 -0500 Subject: [PATCH 0674/1650] output --- .../modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 ++-- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 6 +++--- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) 
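Review bot: The encrypted-disk check treats any deviation from the literal "No devices found" as "still mounted encrypted disks", so a `dmsetup` that is missing from the shutdown initramfs or that fails for another reason triggers the same alarming warning, and because stderr is not captured the debugging dump shows an empty `dmsetup_actual_output`. Capture the exit status separately and include stderr in the diagnostic: `if ! dmsetup_actual_output="$(dmsetup ls --target crypt 2>&1)"; then warn "wipe-ram.sh: dmsetup failed: $dmsetup_actual_output"; fi`, keeping the strict string comparison afterwards since it is fail-closed, which is the right default here. ram_wipe's body continues past the end of this hunk.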
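Review bot: When `kexec -e` fails the hook only emits the new `warn` and falls through, so shutdown silently continues on the original kernel and the second wipe the kexec'd initramfs would have performed never happens; the warning is not acted on anywhere visible. If that is the intended degradation, document it next to the line, e.g. `## A failed kexec -e is non-fatal: continue the regular shutdown without the second RAM wipe.`; if not, the failure branch should force the action itself (e.g. `poweroff -f`) instead of returning. Whether a kexec image is guaranteed to be loaded at this point depends on cold-boot-attack-defense-kexec-prepare, which is outside this hunk.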
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 9621efe..094380b 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -10,7 +10,7 @@ ram_wipe_check_needshutdown() { wipe_action=$(getarg wiperamaction) wait $(pgrep sdmem) - info "DONE WAITING..." + info "wipe-ram.sh wiperamexit: DONE WAITING..." if [ "$wipe_action" = "reboot" ]; then reboot -f @@ -25,7 +25,7 @@ ram_wipe_check_needshutdown() { fi if [ "$wipe_action" = "error" ]; then - info "Choice of shutdown option led to an error. Shutting down..." + info "wipe-ram.sh wiperamexit: Choice of shutdown option led to an error. Shutting down..." sleep 5 poweroff -f fi diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index b08c7bd..1076c73 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -9,16 +9,16 @@ ram_wipe_action() { kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "Skip, because wiperamexit=no kernel parameter detected, OK." + info "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_exit" != "yes" ]; then - info "Skip, because wiperamexit parameter is unset." + info "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." return 0 fi - info "wiperamexit=yes, therefore running second RAM wipe..." + info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." sdmem -l -l -v } diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 2cf5043..56cd275 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
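Review bot: `wait $(pgrep sdmem)` can only wait for children of the current shell; PIDs found by `pgrep` that were started by another script make `wait` return immediately (with an error under bash), so the renamed "DONE WAITING..." message does not establish that sdmem finished before `reboot -f`/`poweroff -f` run. If sdmem is run synchronously by wipe-ram.sh in the same initramfs stage it has already exited and the line is a no-op; if it can still be running, poll it instead: `while pgrep -x sdmem >/dev/null; do sleep 1; done`. The remainder of ram_wipe_check_needshutdown continues past this hunk.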
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -73,7 +73,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - kexec -e && info "kexec -e succeeded" || warn "kexec -e failed" + kexec -e && info "wipe-ram.sh: kexec -e succeeded" || warn "wipe-ram.sh: kexec -e failed" } ram_wipe From c1df2fd601f3445a0a811a679efa7d2176026558 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:52:14 -0500 Subject: [PATCH 0675/1650] comment --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 1076c73..0d01449 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -21,6 +21,7 @@ ram_wipe_action() { info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." sdmem -l -l -v + ## TODO: drop_caches } ram_wipe_action From 0367250dc74f9e6ec38f9da5809ff661493134a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:54:35 -0500 Subject: [PATCH 0676/1650] comment --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 0d01449..e8a47d7 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -4,6 +4,8 @@ ## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. +## TODO: rename to wipe-ram-exit.sh (so it is different from wipe-ram.sh) + ram_wipe_action() { local kernel_wiperam_exit kernel_wiperam_exit=$(getarg wiperamexit) From d37b19fb6bb3cadbb74d011be026fd8d2653ac17 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:55:05 -0500 Subject: [PATCH 0677/1650] comment --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index e8a47d7..30b68f6 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -22,6 +22,7 @@ ram_wipe_action() { info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." + ## TODO: drop_caches sdmem -l -l -v ## TODO: drop_caches } From 42ab341a58de4c54b20b8f6dc4e048ce61068cf4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 12:57:36 -0500 Subject: [PATCH 0678/1650] bumped changelog version --- changelog.upstream | 205 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 211 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9d71871..4cdfaf4 100644 --- a/changelog.upstream +++ b/changelog.upstream 
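Review bot: After this hunk ram_wipe_action carries two identical `## TODO: drop_caches` comments, one before and one after `sdmem -l -l -v`, which reads like an accidental duplicate rather than a deliberate before-and-after reminder. If both are intended, make each say what it is for, e.g. `## TODO: drop_caches before sdmem, as 40cold-boot-attack-defense/wipe-ram.sh does` and `## TODO: drop_caches after sdmem`; otherwise remove one.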
@@ -1,3 +1,208 @@ +commit d37b19fb6bb3cadbb74d011be026fd8d2653ac17 +Author: Patrick Schleizer +Date: Sat Jan 7 12:55:05 2023 -0500 + + comment + +commit 0367250dc74f9e6ec38f9da5809ff661493134a8 +Author: Patrick Schleizer +Date: Sat Jan 7 12:54:35 2023 -0500 + + comment + +commit c1df2fd601f3445a0a811a679efa7d2176026558 +Author: Patrick Schleizer +Date: Sat Jan 7 12:52:14 2023 -0500 + + comment + +commit c2b20603fdd62a3f82c842c7ebeaad0f70e005d0 +Author: Patrick Schleizer +Date: Sat Jan 7 12:49:18 2023 -0500 + + output + +commit 999a82ed946c8fd57654a0a90e2a2e53ef98a788 +Author: Patrick Schleizer +Date: Sat Jan 7 12:46:21 2023 -0500 + + output + +commit 2860560edb7951a8ac9de1c23c9655c655b40f23 +Author: Patrick Schleizer +Date: Sat Jan 7 12:43:07 2023 -0500 + + minor + +commit 450ff378b067070618e4a972f8131acac5b292e0 +Merge: 929f49f b8e82ff +Author: Patrick Schleizer +Date: Sat Jan 7 12:38:14 2023 -0500 + + Merge remote-tracking branch 'friedy10/master' + +commit b8e82fffca0138afaf20e1b2faf755ce1533af45 +Author: Friedrich Doku +Date: Sat Jan 7 11:31:02 2023 -0500 + + Get rid of /dev/kmsg + +commit 78a4fad6674bb11fa682b908e0d3bc63705e7d20 +Author: Friedrich Doku +Date: Sat Jan 7 11:14:31 2023 -0500 + + Change echo to info. Included more reliable way of getting initrd and kernel. 
Allow user custom kexec + +commit 8da3b9c40c6ee073addcc06d5227b3043438b768 +Author: Friedrich Doku +Date: Fri Jan 6 21:40:17 2023 -0500 + + fix last line + +commit 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 +Author: Friedrich Doku +Date: Fri Jan 6 21:32:57 2023 -0500 + + Checking job queue instead of dbus + +commit 4b7053a6353cf0e092a6ef712e955b4318671bfc +Author: Friedrich Doku +Date: Fri Jan 6 13:53:28 2023 -0500 + + Update wipe-ram.sh + +commit 779ad24b573b83c08e89569e5213e018377d1535 +Author: Friedrich Doku +Date: Fri Jan 6 13:53:18 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit d45ba826bca6f5efef846de01a34a0a8c7936442 +Author: Friedrich Doku +Date: Fri Jan 6 13:53:10 2023 -0500 + + Update module-setup.sh + +commit b3d4314a069a608380ca9dd01d76c653bdb87078 +Author: Friedrich Doku +Date: Fri Jan 6 13:52:51 2023 -0500 + + Update wipe-ram.sh + +commit 33877250172349cccb2c776c1fa7aed2e8ad716f +Author: Friedrich Doku +Date: Fri Jan 6 13:52:42 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit ec68ee6ded7294c161b3d0793bf8874b12262190 +Author: Friedrich Doku +Date: Fri Jan 6 13:52:32 2023 -0500 + + Update module-setup.sh + +commit 014d10b9778907a9282ec337023f8c2b01b0ca6b +Author: Friedrich Doku +Date: Fri Jan 6 13:52:09 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare.service + +commit 62dcdcf7649175e0587a84708e8f0aa318a45d30 +Author: Friedrich Doku +Date: Fri Jan 6 13:51:45 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit f4637509205c11eddaa13151b93c961e9d345be6 +Author: Friedrich Doku +Date: Fri Jan 6 13:48:22 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare.service + +commit 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 +Author: Friedrich Doku +Date: Fri Jan 6 13:48:03 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit 37a5264696797c0807570606361e04cb8dcb2395 +Author: Friedrich Doku +Date: Fri Jan 6 13:47:34 2023 -0500 + + Update wipe-ram.sh + +commit 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f 
+Author: Friedrich Doku +Date: Fri Jan 6 13:47:23 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit 114a37fcd39ff20ddd9e8cca829763a9b96a8115 +Author: Friedrich Doku +Date: Fri Jan 6 13:47:14 2023 -0500 + + Update module-setup.sh + +commit 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 +Author: Friedrich Doku +Date: Fri Jan 6 13:47:01 2023 -0500 + + Update wipe-ram.sh + +commit c5accc5ad191fe54a96e12cd1f1286508da8243c +Author: Friedrich Doku +Date: Fri Jan 6 13:46:51 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 +Author: Friedrich Doku +Date: Fri Jan 6 13:46:40 2023 -0500 + + Update module-setup.sh + +commit 28687092ef4f57afab5e8d32f68492799694a379 +Author: Friedrich Doku +Date: Fri Jan 6 12:52:36 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit d67d3c1d7d788fff589806457ff140e8f82089a0 +Author: Friedrich Doku +Date: Fri Jan 6 12:51:18 2023 -0500 + + Update wipe-ram.sh + +commit 7fa64d68423d24668e44eb0d7e19ccf4845ee711 +Author: Friedrich Doku +Date: Fri Jan 6 12:50:58 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit 14c7239681300edc4f715bc96c5235cddf677c60 +Author: Friedrich Doku +Date: Fri Jan 6 12:50:42 2023 -0500 + + Update module-setup.sh + +commit 73913ea5afef8354f433f7cf87c7cd64c16be0a0 +Author: Friedrich Doku +Date: Fri Jan 6 12:49:34 2023 -0500 + + Added checks + +commit a7015f4ddff892cab17f96713ddb0a720ebb7901 +Author: Friedrich Doku +Date: Fri Jan 6 10:50:34 2023 -0500 + + added files + +commit 929f49f333fc88d91ed4cef849921b0b4a69bfea +Author: Patrick Schleizer +Date: Sun Dec 18 14:37:51 2022 -0500 + + bumped changelog version + commit 75beb52bd5b7cee4a48eead53dbbe7fac9f6cc9e Merge: 98f753d 58b622f Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1172ac5..e4451a8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:26.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 17:57:36 +0000 + security-misc (3:26.7-1) unstable; urgency=medium * New upstream version (local package). From bb121e52bbab151b2104f1a333cabc3889ef47b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:27:22 -0500 Subject: [PATCH 0679/1650] chmod +x --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 0 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 0 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 0 3 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh mode change 100644 => 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh mode change 100644 => 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh old mode 100644 new mode 100755 diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh old mode 100644 new mode 100755 diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh old mode 100644 new mode 100755 From 53ab93d8f6553eab1682290d42faf0d466f06219 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:27:42 -0500 Subject: [PATCH 0680/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4cdfaf4..d9a3cbc 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit bb121e52bbab151b2104f1a333cabc3889ef47b0 +Author: Patrick Schleizer +Date: Sat Jan 7 14:27:22 2023 -0500 + + chmod +x + +commit 42ab341a58de4c54b20b8f6dc4e048ce61068cf4 +Author: Patrick Schleizer +Date: Sat Jan 7 12:57:36 2023 -0500 + + bumped changelog version + commit d37b19fb6bb3cadbb74d011be026fd8d2653ac17 Author: Patrick Schleizer Date: Sat Jan 7 12:55:05 2023 -0500 diff --git a/debian/changelog b/debian/changelog index e4451a8..1d6f406 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:26.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 19:27:42 +0000 + security-misc (3:26.8-1) unstable; urgency=medium * New upstream version (local package). From e83ba18553832134b2f6da6ce98b0ee0c852961e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:29:12 -0500 Subject: [PATCH 0681/1650] minor --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 30b68f6..a4ff399 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -11,13 +11,13 @@ ram_wipe_action() { kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." - return 0 + info "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." + return 0 fi if [ "$kernel_wiperam_exit" != "yes" ]; then - info "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." - return 0 + info "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." + return 0 fi info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." 
From 41d116aa2f6d5ab33a1d5889f6ae251e5b8b5538 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:30:12 -0500 Subject: [PATCH 0682/1650] lintian --- usr/share/lintian/overrides/security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index b93fa50..09b5679 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -12,3 +12,4 @@ security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placehold ## This is how dracut is still implemented. security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* From d31c17ea047fbbd698ad9f074a00d6fba2aaf283 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:31:14 -0500 Subject: [PATCH 0683/1650] fix --- usr/share/lintian/overrides/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 09b5679..52893f0 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -11,5 +11,5 @@ security-misc: no-manual-page usr/bin/pkexec.security-misc security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder ## This is how dracut is still implemented. -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* +security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/10ram-wipe-exit/* security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* From d5271d6250f0f6ea5adf7bc71fc48fddab1a9af4 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:31:40 -0500 Subject: [PATCH 0684/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d9a3cbc..76059db 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit d31c17ea047fbbd698ad9f074a00d6fba2aaf283 +Author: Patrick Schleizer +Date: Sat Jan 7 14:31:14 2023 -0500 + + fix + +commit 41d116aa2f6d5ab33a1d5889f6ae251e5b8b5538 +Author: Patrick Schleizer +Date: Sat Jan 7 14:30:12 2023 -0500 + + lintian + +commit e83ba18553832134b2f6da6ce98b0ee0c852961e +Author: Patrick Schleizer +Date: Sat Jan 7 14:29:12 2023 -0500 + + minor + +commit 53ab93d8f6553eab1682290d42faf0d466f06219 +Author: Patrick Schleizer +Date: Sat Jan 7 14:27:42 2023 -0500 + + bumped changelog version + commit bb121e52bbab151b2104f1a333cabc3889ef47b0 Author: Patrick Schleizer Date: Sat Jan 7 14:27:22 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 1d6f406..34ce252 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 19:31:40 +0000 + security-misc (3:26.9-1) unstable; urgency=medium * New upstream version (local package). From c0304ec029198665aaf63c843f5b7d5567f95208 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:35:09 -0500 Subject: [PATCH 0685/1650] minor --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 094380b..985277c 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -4,7 +4,6 @@ ## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. - ram_wipe_check_needshutdown() { local wipe_action wipe_action=$(getarg wiperamaction) From 059ebb212d03f5d01d46362530702dbeaefdce5e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 14:35:30 -0500 Subject: [PATCH 0686/1650] comment --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 985277c..37079cd 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -8,6 +8,7 @@ ram_wipe_check_needshutdown() { local wipe_action wipe_action=$(getarg wiperamaction) + ## TODO: disable wait $(pgrep sdmem) info "wipe-ram.sh wiperamexit: DONE WAITING..." From 06034d2e4f97712fc84ad75e3fa8ba6bf4fccfee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:03:06 -0500 Subject: [PATCH 0687/1650] fix --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 3 --- 1 file changed, 3 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 83e35f5..945e5b3 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -20,9 +20,6 @@ cmdline=$(cat /proc/cmdline) kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -kernel="/boot/$kernel" -initrd="/boot/$initrd" - if test -e $initrd; then echo "Initrd File Found" else From c88e95ce33f30f67726ac086c1b8d020b1024ebc Mon Sep 17 00:00:00 2001 
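Review bot: Dropping the `/boot/` prefix assumes the `BOOT_IMAGE=` value on /proc/cmdline is a path valid on the running root filesystem; GRUB writes it relative to the filesystem the kernel was loaded from, so on a system with a separate /boot partition it looks like `/vmlinuz-…`, the `test -e` checks below now fail and the script exits 1 before any kexec image is loaded (inferred from GRUB behaviour, not visible here). A fallback keeps both layouts working when placed before the existence checks: `test -r "$kernel" || kernel="/boot$kernel"` and `test -r "$initrd" || initrd="/boot$initrd"`. The `exit 1` branches are the last lines of this hunk.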
From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:04:07 -0500 Subject: [PATCH 0688/1650] output --- .../cold-boot-attack-defense-kexec-prepare | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 945e5b3..0aca0a8 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -21,16 +21,16 @@ kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") if test -e $initrd; then - echo "Initrd File Found" + echo "$0: INFO: Initrd File Found" else - echo "Initrd File NOT FOUND" + echo "$0: ERROR: Initrd File NOT FOUND" exit 1 fi if test -e $kernel; then - echo "Kernel File Found" + echo "$0: INFO: Kernel File Found" else - echo "Kernel File NOT FOUND" + echo "$0: ERROR: Kernel File NOT FOUND" exit 1 fi @@ -45,7 +45,7 @@ elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then wram="yes" wact="halt" else - echo "No shutdown option found!" + echo "$0: ERROR: No shutdown option found!" exit 0 fi From 10932bb5d83c469f556b46f42ee517e882d87a4f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:04:23 -0500 Subject: [PATCH 0689/1650] minor --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 -- 1 file changed, 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 0aca0a8..edd4a75 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -12,7 +12,6 @@ env ## Lets hope $1 is set to reboot, poweroff or halt by systemd. true "1: $1" - # Get the kernel command-line arguments cmdline=$(cat /proc/cmdline) 
@@ -34,7 +33,6 @@ else exit 1 fi - if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then wram="yes" wact="poweroff" From 2cc3c6c59ca88cf44751bc2e9bb7055b46102284 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:04:42 -0500 Subject: [PATCH 0690/1650] lower debugging --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 7 ------- 1 file changed, 7 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index edd4a75..b1bc6b6 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -5,13 +5,6 @@ set -x set -e -true "env:" -env - -## Debugging. -## Lets hope $1 is set to reboot, poweroff or halt by systemd. -true "1: $1" - # Get the kernel command-line arguments cmdline=$(cat /proc/cmdline) From 8bcf7e3c235c1193f3a6d43a7c8b23b50e972de7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:04:57 -0500 Subject: [PATCH 0691/1650] minor --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index b1bc6b6..2ad7a08 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,7 +1,9 @@ #!/bin/bash + ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. + set -x set -e From d0daf75db3529e206565604a63e11ee1268ed39b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:05:24 -0500 Subject: [PATCH 0692/1650] quotes --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 2ad7a08..880a39e 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -14,14 +14,14 @@ cmdline=$(cat /proc/cmdline) kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -if test -e $initrd; then +if test -e "$initrd"; then echo "$0: INFO: Initrd File Found" else echo "$0: ERROR: Initrd File NOT FOUND" exit 1 fi -if test -e $kernel; then +if test -e "$kernel"; then echo "$0: INFO: Kernel File Found" else echo "$0: ERROR: Kernel File NOT FOUND" From f675f8da0d33ab18efa782ee155a8632e9a3dc0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:05:58 -0500 Subject: [PATCH 0693/1650] quotes --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 880a39e..3fdd4b8 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -42,4 +42,4 @@ else exit 0 fi -kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" +kexec -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" From 01fee8a7b4a12c8c2be4173337decc37ec3e6019 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:06:31 -0500 Subject: [PATCH 0694/1650] refactoring --- .../cold-boot-attack-defense-kexec-prepare | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
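Review bot: The quoting fix is right, but `kexec -l` still uses the legacy kexec_load syscall, which performs no signature check on the image and is refused by the kernel under lockdown (typically enabled with Secure Boot); with `set -e` the script then aborts without a visible reason. Where the kernel supports kexec_file_load, `kexec -s -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact"` verifies the kernel signature where enforcement is on, and appending `|| { echo "$0: ERROR: kexec -l failed" >&2; exit 1; }` makes the failure show up in the journal. Whether lockdown is active on target systems is not visible from this hunk.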
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 3fdd4b8..0315f3e 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -29,17 +29,17 @@ else fi if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then - wram="yes" - wact="poweroff" + wiperamexit="yes" + wiperamaction="poweroff" elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then - wram="yes" - wact="reboot" + wiperamexit="yes" + wiperamaction="reboot" elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then - wram="yes" - wact="halt" + wiperamexit="yes" + wiperamaction="halt" else echo "$0: ERROR: No shutdown option found!" exit 0 fi -kexec -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" +kexec -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" From c09f4da1922f40f666dae0570295b5ab5c02e8a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:06:56 -0500 Subject: [PATCH 0695/1650] code simplification --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 0315f3e..48dc3e6 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
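Review bot: The renamed branches still run `systemctl list-jobs` three times and match `"start"` as a bare substring, which also matches a `restart` job type or any other token containing it. Capture the output once and anchor the match on the job-type column, e.g. `jobs="$(systemctl list-jobs)"` followed by `if printf '%s\n' "$jobs" | grep -Eq '[[:space:]]poweroff\.target[[:space:]]+start[[:space:]]'; then` for each target. The `kexec` command that consumes `wiperamexit`/`wiperamaction` is the last line of the hunk.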
@@ -14,16 +14,12 @@ cmdline=$(cat /proc/cmdline) kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -if test -e "$initrd"; then - echo "$0: INFO: Initrd File Found" -else +if ! test -e "$initrd"; then echo "$0: ERROR: Initrd File NOT FOUND" exit 1 fi -if test -e "$kernel"; then - echo "$0: INFO: Kernel File Found" -else +if ! test -e "$kernel"; then echo "$0: ERROR: Kernel File NOT FOUND" exit 1 fi From 227871c12c57ecc5ff6d4075ea59a7dc9eca3dd3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:07:34 -0500 Subject: [PATCH 0696/1650] output --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 48dc3e6..13b2224 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -15,12 +15,12 @@ kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") if ! test -e "$initrd"; then - echo "$0: ERROR: Initrd File NOT FOUND" + echo "$0: ERROR: Initrd File '$initrd' NOT FOUND!" exit 1 fi if ! test -e "$kernel"; then - echo "$0: ERROR: Kernel File NOT FOUND" + echo "$0: ERROR: Kernel File '$kernel' NOT FOUND!" exit 1 fi From c3a822af0e9c8bb6c9b34b732ba48710e3ee1974 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:09:25 -0500 Subject: [PATCH 0697/1650] test if readable --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 13b2224..4135614 100755 
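Review bot: The reworded ERROR messages in the second hunk on this line still go to stdout, so a missing kernel or initrd is reported on the same stream as the script's progress output and is lost wherever only stderr is collected; append `>&2` to each, e.g. `echo "$0: ERROR: Initrd File '$initrd' NOT FOUND!" >&2`. The later hunks in this series that rewrite these two messages again (the `test -r` change and the indentation change) keep the same omission, so the redirect should be added there too. The script is flat and its beginning and end are outside this hunk.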
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -14,13 +14,13 @@ cmdline=$(cat /proc/cmdline) kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -if ! test -e "$initrd"; then - echo "$0: ERROR: Initrd File '$initrd' NOT FOUND!" +if ! test -r "$initrd"; then + echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" exit 1 fi -if ! test -e "$kernel"; then - echo "$0: ERROR: Kernel File '$kernel' NOT FOUND!" +if ! test -r "$kernel"; then + echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" exit 1 fi From bb2f0a3c4421e3686477a6dff81bb87d5dcd836f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:12:15 -0500 Subject: [PATCH 0698/1650] minor --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 4135614..eda249b 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -7,10 +7,10 @@ set -x set -e -# Get the kernel command-line arguments +## Get the kernel command-line arguments cmdline=$(cat /proc/cmdline) -# Get the current boot image +## Get the current boot image kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") @@ -34,7 +34,7 @@ elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then wiperamexit="yes" wiperamaction="halt" else - echo "$0: ERROR: No shutdown option found!" + echo "$0: INFO: No shutdown option found!" exit 0 fi From 822cf646182f8ff649ea08da2fd4365022871a61 Mon Sep 17 00:00:00 2001 
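Review bot: `test -r "$kernel"` assumes `$kernel` is a path valid in the running root filesystem, but it is taken from `BOOT_IMAGE=` on the context line above, which the boot loader typically expresses relative to the filesystem that holds the kernel; on installations with a separate /boot partition that value is usually `/vmlinuz-…` rather than `/boot/vmlinuz-…`, so the readability check would fail and the script would exit 1 at every shutdown. If that layout is meant to be supported, resolve the path before this check, e.g. `if ! test -r "$kernel" && test -r "/boot$kernel"; then kernel="/boot$kernel"; initrd="/boot$initrd"; fi`, and keep the `-r` tests as the final gate. This is inferred from boot-loader behaviour rather than from anything visible in the hunk, so confirm it on such a system before changing the code.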
From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:13:36 -0500 Subject: [PATCH 0699/1650] output --- .../cold-boot-attack-defense-kexec-prepare | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index eda249b..fcf13f7 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -15,27 +15,28 @@ kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") if ! test -r "$initrd"; then - echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" - exit 1 + echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" + exit 1 fi if ! test -r "$kernel"; then - echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" - exit 1 + echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" + exit 1 fi if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="poweroff" + wiperamexit="yes" + wiperamaction="poweroff" elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="reboot" + wiperamexit="yes" + wiperamaction="reboot" elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="halt" + wiperamexit="yes" + wiperamaction="halt" else - echo "$0: INFO: No shutdown option found!" - exit 0 + ## Could be kexec.target. + echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping kexec load, ok." + exit 0 fi kexec -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" From 83800fcb4fd365aab58a5f70f78f39af7d9371dc Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:18:58 -0500 Subject: [PATCH 0700/1650] --no-legend --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index fcf13f7..8d7eb44 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -24,13 +24,13 @@ if ! test -r "$kernel"; then exit 1 fi -if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then +if systemctl list-jobs --no-legend | grep "poweroff.target" | grep -q "start"; then wiperamexit="yes" wiperamaction="poweroff" -elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then +elif systemctl list-jobs --no-legend | grep "reboot.target" | grep -q "start"; then wiperamexit="yes" wiperamaction="reboot" -elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then +elif systemctl list-jobs --no-legend | grep "halt.target" | grep -q "start"; then wiperamexit="yes" wiperamaction="halt" else From 51a5f68c7654774d37986916029607da588189ab Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:22:25 -0500 Subject: [PATCH 0701/1650] refactoring --- .../modules.d/40cold-boot-attack-defense/wipe-ram.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 56cd275..c02bc95 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
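Review bot: `systemctl list-jobs --no-legend` is now run up to three times in the if/elif chain, and each `grep "poweroff.target"` uses an unescaped `.` with no anchoring, so any unit name that contains `poweroff`, one arbitrary character and `target` also matches. Capture the listing once, `jobs_list=$(systemctl list-jobs --no-legend)`, and test it per branch with `printf '%s\n' "$jobs_list" | grep 'poweroff\.target' | grep -q 'start'`. Note that under the script's `set -e` a failing `systemctl` in that assignment ends the script with status 1 instead of falling through to the `exit 0` branch; either way no kexec image is loaded, so pick whichever status the unit should report.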
@@ -73,7 +73,13 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - kexec -e && info "wipe-ram.sh: kexec -e succeeded" || warn "wipe-ram.sh: kexec -e failed" + if kexec -e ; then + info "wipe-ram.sh: kexec -e succeeded" + return 0 + fi + + warn "wipe-ram.sh: kexec -e failed" + sleep 5 } ram_wipe From 6e0926eece54a55502fa67c2abedf5b718e306e6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:22:58 -0500 Subject: [PATCH 0702/1650] long options --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index c02bc95..a3f432c 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -73,12 +73,12 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - if kexec -e ; then - info "wipe-ram.sh: kexec -e succeeded" + if kexec --exec ; then + info "wipe-ram.sh: kexec --exec succeeded." return 0 fi - warn "wipe-ram.sh: kexec -e failed" + warn "wipe-ram.sh: kexec --exec failed!" sleep 5 } From dde01f36634337a24d0cd37cfe5a456ff77e8b0e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:23:23 -0500 Subject: [PATCH 0703/1650] long options --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 8d7eb44..b7816d8 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
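Review bot: After the `warn` on failure the function falls through and ends with `sleep 5`, so `ram_wipe` returns sleep's status 0 and a caller cannot distinguish a failed `kexec -e` from the early `return 0` branches; add `return 1` after the sleep. The `info` in the success branch is effectively unreachable, because a successful `kexec -e` replaces the running kernel and never returns to the shell, so the `return 0` there only documents intent. The second hunk on this line (`--exec` long options) rewrites the same lines, and `ram_wipe` starts outside the hunk.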
@@ -39,4 +39,4 @@ else exit 0 fi -kexec -l "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" +kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" From b0630f58c136d6c7a964447806ec8ee603a73aa8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:24:05 -0500 Subject: [PATCH 0704/1650] debugging --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index b7816d8..08bc172 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -39,4 +39,7 @@ else exit 0 fi +## Debugging. +echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" + kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" From 1e19c2cbad8cdf97f6bb460c90cfa330492b8019 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:32:25 -0500 Subject: [PATCH 0705/1650] Depends: kexec-tools required for cold boot attack defense second RAM wipe after reboot --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index cff197e..3889dc9 100644 --- a/debian/control +++ b/debian/control 
@@ -16,7 +16,7 @@ Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, - secure-delete, dmsetup, ${misc:Depends} + secure-delete, dmsetup, kexec-tools, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings https://github.com/Whonix/security-misc/blob/master/README.md From 20596488be39f92f069523a3d86c0e6b6ec15399 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:34:20 -0500 Subject: [PATCH 0706/1650] long options --- .../modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 37079cd..16bc5a1 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -13,21 +13,21 @@ ram_wipe_check_needshutdown() { info "wipe-ram.sh wiperamexit: DONE WAITING..." if [ "$wipe_action" = "reboot" ]; then - reboot -f + reboot --force fi if [ "$wipe_action" = "poweroff" ]; then - poweroff -f + poweroff --force fi if [ "$wipe_action" = "halt" ]; then - halt -f + halt --force fi if [ "$wipe_action" = "error" ]; then info "wipe-ram.sh wiperamexit: Choice of shutdown option led to an error. Shutting down..." sleep 5 - poweroff -f + poweroff --force fi } From 166a6863a1c249e68e3f38109b115503bc5663ec Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:35:15 -0500 Subject: [PATCH 0707/1650] output --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 3 +++ 1 file changed, 3 insertions(+) 
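Review bot: `reboot --force`, `poweroff --force` and `halt --force` in the second hunk on this line assume the initramfs ships binaries that accept long options; if dracut installs busybox applets for these commands, only the short `-f` form is certain to be understood, and an unknown option would make the call fail so the function falls through to the next check instead of shutting down. Confirm which binaries end up in the image (e.g. with `lsinitrd`) before keeping the long forms, or keep `-f`, which both variants accept. The same applies to `poweroff --force` in the error branch at the bottom of that hunk. `ram_wipe_check_needshutdown` starts outside the hunk.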
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 16bc5a1..e173b1f 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -13,14 +13,17 @@ ram_wipe_check_needshutdown() { info "wipe-ram.sh wiperamexit: DONE WAITING..." if [ "$wipe_action" = "reboot" ]; then + info "wipe-ram.sh wiperamexit: reboot..." reboot --force fi if [ "$wipe_action" = "poweroff" ]; then + info "wipe-ram.sh wiperamexit: poweroff..." poweroff --force fi if [ "$wipe_action" = "halt" ]; then + info "wipe-ram.sh wiperamexit: halt..." halt --force fi From d8bf40f7a28f53f2f51c41b77663e5a40a5d8fb4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:35:45 -0500 Subject: [PATCH 0708/1650] refactoring --- .../modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index e173b1f..3da07c8 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -15,14 +15,10 @@ ram_wipe_check_needshutdown() { if [ "$wipe_action" = "reboot" ]; then info "wipe-ram.sh wiperamexit: reboot..." reboot --force - fi - - if [ "$wipe_action" = "poweroff" ]; then + elif [ "$wipe_action" = "poweroff" ]; then info "wipe-ram.sh wiperamexit: poweroff..." poweroff --force - fi - - if [ "$wipe_action" = "halt" ]; then + elif [ "$wipe_action" = "halt" ]; then info "wipe-ram.sh wiperamexit: halt..." halt --force fi From 368ad8e636ae30eb60c8f2c6ce7117970a77c021 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:36:05 -0500 Subject: [PATCH 0709/1650] cleanup --- .../modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 3da07c8..754c5fc 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -22,12 +22,6 @@ ram_wipe_check_needshutdown() { info "wipe-ram.sh wiperamexit: halt..." halt --force fi - - if [ "$wipe_action" = "error" ]; then - info "wipe-ram.sh wiperamexit: Choice of shutdown option led to an error. Shutting down..." - sleep 5 - poweroff --force - fi } ram_wipe_check_needshutdown From 91aedb234aa7c516dca8016f6b82536cfe25f410 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:36:36 -0500 Subject: [PATCH 0710/1650] output --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 754c5fc..11f4dbe 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -21,6 +21,8 @@ ram_wipe_check_needshutdown() { elif [ "$wipe_action" = "halt" ]; then info "wipe-ram.sh wiperamexit: halt..." halt --force + else + info "wipe-ram.sh wiperamexit: normal boot..." fi } From c1b87d250c4e5decd726e7fd67b482ff1eaecbf1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:37:47 -0500 Subject: [PATCH 0711/1650] bumped changelog version --- changelog.upstream | 164 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 170 insertions(+) 
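Review bot: The new `else` branch in the second hunk on this line reports a normal boot for every `$wipe_action` value other than `reboot`, `poweroff` or `halt`, so an unexpected non-empty `wiperamaction=` value is silently treated as a normal boot after the RAM wipe. Distinguish the two cases with `elif [ -n "$wipe_action" ]; then warn "wipe-ram.sh wiperamexit: unknown wiperamaction '$wipe_action', continuing normal boot..."` placed before the final `else`. The first hunk on this line deletes the `error` branch that used to handle one such value, which makes the distinction more useful, not less.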
diff --git a/changelog.upstream b/changelog.upstream index 76059db..72f8f40 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,167 @@ +commit 91aedb234aa7c516dca8016f6b82536cfe25f410 +Author: Patrick Schleizer +Date: Sat Jan 7 15:36:36 2023 -0500 + + output + +commit 368ad8e636ae30eb60c8f2c6ce7117970a77c021 +Author: Patrick Schleizer +Date: Sat Jan 7 15:36:05 2023 -0500 + + cleanup + +commit d8bf40f7a28f53f2f51c41b77663e5a40a5d8fb4 +Author: Patrick Schleizer +Date: Sat Jan 7 15:35:45 2023 -0500 + + refactoring + +commit 166a6863a1c249e68e3f38109b115503bc5663ec +Author: Patrick Schleizer +Date: Sat Jan 7 15:35:15 2023 -0500 + + output + +commit 20596488be39f92f069523a3d86c0e6b6ec15399 +Author: Patrick Schleizer +Date: Sat Jan 7 15:34:20 2023 -0500 + + long options + +commit 1e19c2cbad8cdf97f6bb460c90cfa330492b8019 +Author: Patrick Schleizer +Date: Sat Jan 7 15:32:25 2023 -0500 + + Depends: kexec-tools + + required for cold boot attack defense second RAM wipe after reboot + +commit b0630f58c136d6c7a964447806ec8ee603a73aa8 +Author: Patrick Schleizer +Date: Sat Jan 7 15:24:05 2023 -0500 + + debugging + +commit dde01f36634337a24d0cd37cfe5a456ff77e8b0e +Author: Patrick Schleizer +Date: Sat Jan 7 15:23:23 2023 -0500 + + long options + +commit 6e0926eece54a55502fa67c2abedf5b718e306e6 +Author: Patrick Schleizer +Date: Sat Jan 7 15:22:58 2023 -0500 + + long options + +commit 51a5f68c7654774d37986916029607da588189ab +Author: Patrick Schleizer +Date: Sat Jan 7 15:22:25 2023 -0500 + + refactoring + +commit 83800fcb4fd365aab58a5f70f78f39af7d9371dc +Author: Patrick Schleizer +Date: Sat Jan 7 15:18:58 2023 -0500 + + --no-legend + +commit 822cf646182f8ff649ea08da2fd4365022871a61 +Author: Patrick Schleizer +Date: Sat Jan 7 15:13:36 2023 -0500 + + output + +commit bb2f0a3c4421e3686477a6dff81bb87d5dcd836f +Author: Patrick Schleizer +Date: Sat Jan 7 15:12:15 2023 -0500 + + minor + +commit c3a822af0e9c8bb6c9b34b732ba48710e3ee1974 +Author: Patrick Schleizer +Date: Sat Jan 7 15:09:25 2023 -0500 + + test if readable + +commit 227871c12c57ecc5ff6d4075ea59a7dc9eca3dd3 +Author: Patrick Schleizer +Date: Sat 
Jan 7 15:07:34 2023 -0500 + + output + +commit c09f4da1922f40f666dae0570295b5ab5c02e8a9 +Author: Patrick Schleizer +Date: Sat Jan 7 15:06:56 2023 -0500 + + code simplification + +commit 01fee8a7b4a12c8c2be4173337decc37ec3e6019 +Author: Patrick Schleizer +Date: Sat Jan 7 15:06:31 2023 -0500 + + refactoring + +commit f675f8da0d33ab18efa782ee155a8632e9a3dc0f +Author: Patrick Schleizer +Date: Sat Jan 7 15:05:58 2023 -0500 + + quotes + +commit d0daf75db3529e206565604a63e11ee1268ed39b +Author: Patrick Schleizer +Date: Sat Jan 7 15:05:24 2023 -0500 + + quotes + +commit 8bcf7e3c235c1193f3a6d43a7c8b23b50e972de7 +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:57 2023 -0500 + + minor + +commit 2cc3c6c59ca88cf44751bc2e9bb7055b46102284 +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:42 2023 -0500 + + lower debugging + +commit 10932bb5d83c469f556b46f42ee517e882d87a4f +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:23 2023 -0500 + + minor + +commit c88e95ce33f30f67726ac086c1b8d020b1024ebc +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:07 2023 -0500 + + output + +commit 06034d2e4f97712fc84ad75e3fa8ba6bf4fccfee +Author: Patrick Schleizer +Date: Sat Jan 7 15:03:06 2023 -0500 + + fix + +commit 059ebb212d03f5d01d46362530702dbeaefdce5e +Author: Patrick Schleizer +Date: Sat Jan 7 14:35:30 2023 -0500 + + comment + +commit c0304ec029198665aaf63c843f5b7d5567f95208 +Author: Patrick Schleizer +Date: Sat Jan 7 14:35:09 2023 -0500 + + minor + +commit d5271d6250f0f6ea5adf7bc71fc48fddab1a9af4 +Author: Patrick Schleizer +Date: Sat Jan 7 14:31:40 2023 -0500 + + bumped changelog version + commit d31c17ea047fbbd698ad9f074a00d6fba2aaf283 Author: Patrick Schleizer Date: Sat Jan 7 14:31:14 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 34ce252..eb641f9 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:27.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 20:37:47 +0000 + security-misc (3:27.0-1) unstable; urgency=medium * New upstream version (local package). From c0b5fea6806ea07b667a341b2400aacb7191b27f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 15:59:52 -0500 Subject: [PATCH 0712/1650] protect against wipe RAM reboot loop --- .../modules.d/40cold-boot-attack-defense/wipe-ram.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index a3f432c..ef0ac06 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -36,6 +36,12 @@ ram_wipe() { fi fi + kernel_wiperamexit_setting=$(getarg wiperamexit) + if [ "$kernel_wiperamexit_setting" = "yes" ]; then + warn "wipe-ram.sh: Skip, because wiperamexit=yes to avoid RAM wipe reboot loop." + return 0 + fi + info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." drop_caches @@ -73,6 +79,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi + info "wipe-ram.sh: Now running kexec --exec..." if kexec --exec ; then info "wipe-ram.sh: kexec --exec succeeded." return 0 From 2456fed3614268abfb238f3a0783719adb45b711 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:00:42 -0500 Subject: [PATCH 0713/1650] output --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index a4ff399..14e01e1 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh 
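Review bot: The `wiperamexit=yes` guard in the third hunk on this line is added only to `ram_wipe` in 40cold-boot-attack-defense/wipe-ram.sh, while `ram_wipe_check_needshutdown` in 40cold-boot-attack-defense/wipe-ram-needshutdown.sh (the PATCH 0723 hunks further down) still calls `need_shutdown` after only the `wiperam=skip` and VM checks, so a kexec-booted system that reaches a normal shutdown is still dropped into the shutdown initramfs only to have this guard skip the wipe. Mirror the check there: `kernel_wiperamexit_setting=$(getarg wiperamexit)` followed by `if [ "$kernel_wiperamexit_setting" = "yes" ]; then info "wipe-ram-needshutdown.sh: Skip, because wiperamexit=yes kernel parameter detected, OK."; return 0; fi`. Whether that path is ever reached depends on the forced reboot issued by 10ram-wipe-exit, which this series does not show in full, so treat this as a consistency point. `ram_wipe` starts outside the hunk.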
@@ -25,6 +25,8 @@ ram_wipe_action() { ## TODO: drop_caches sdmem -l -l -v ## TODO: drop_caches + + info "wipe-ram.sh wiperamexit: Second RAM wipe completed." } ram_wipe_action From 2bd9cc5bc1ac94d039a7e515d3a839af820fb4be Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:08:12 -0500 Subject: [PATCH 0714/1650] output --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 08bc172..ad81793 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -43,3 +43,5 @@ fi echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" + +echo "$0: OK." From b7bb24f984cb5669d9cc9b3522ee57a05070cef9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:09:11 -0500 Subject: [PATCH 0715/1650] description --- .../system/cold-boot-attack-defense-kexec-prepare.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index 7d78ce0..e8daccb 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -3,7 +3,7 @@ ## See the file COPYING for copying conditions. [Unit] -Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense +Description=Cold Boot Attack Defense Reboot RAM Wipe [Service] Type=oneshot From c9107bb044e3038d837e371aa7467edcedbbdb16 Mon Sep 17 00:00:00 2001 
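Review bot: The new "Second RAM wipe completed." message is printed regardless of how `sdmem -l -l -v` on the line above exited, so a wipe that was OOM-killed or failed for another reason is logged as completed. Branch on the exit status and emit a `warn` on failure so the log reflects what actually happened; the rewritten lines are below. `ram_wipe_action` starts outside the hunk, and the surrounding `## TODO: drop_caches` comments are left as they are.
```shell
## … unchanged: preceding TODO comment …
if sdmem -l -l -v; then
   info "wipe-ram.sh wiperamexit: Second RAM wipe completed."
else
   warn "wipe-ram.sh wiperamexit: sdmem failed, second RAM wipe incomplete!"
fi
## … unchanged: trailing TODO comment …
```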
From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:11:48 -0500 Subject: [PATCH 0716/1650] debugging --- .../system/cold-boot-attack-defense-kexec-prepare.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index e8daccb..5e2733c 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -10,6 +10,8 @@ Type=oneshot RemainAfterExit=yes ExecStart=/bin/true ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +## Debugging. +StandardOutput=journal+console [Install] WantedBy=multi-user.target From fa579cad8980c8d9231a9e2682267910544be175 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:20:48 -0500 Subject: [PATCH 0717/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 72f8f40..05ec734 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,39 @@ +commit c9107bb044e3038d837e371aa7467edcedbbdb16 +Author: Patrick Schleizer +Date: Sat Jan 7 16:11:48 2023 -0500 + + debugging + +commit b7bb24f984cb5669d9cc9b3522ee57a05070cef9 +Author: Patrick Schleizer +Date: Sat Jan 7 16:09:11 2023 -0500 + + description + +commit 2bd9cc5bc1ac94d039a7e515d3a839af820fb4be +Author: Patrick Schleizer +Date: Sat Jan 7 16:08:12 2023 -0500 + + output + +commit 2456fed3614268abfb238f3a0783719adb45b711 +Author: Patrick Schleizer +Date: Sat Jan 7 16:00:42 2023 -0500 + + output + +commit c0b5fea6806ea07b667a341b2400aacb7191b27f +Author: Patrick Schleizer +Date: Sat Jan 7 15:59:52 2023 -0500 + + protect against wipe RAM reboot loop + +commit c1b87d250c4e5decd726e7fd67b482ff1eaecbf1 +Author: Patrick Schleizer +Date: Sat Jan 7 15:37:47 2023 -0500 + + bumped changelog version + commit 91aedb234aa7c516dca8016f6b82536cfe25f410 Author: Patrick Schleizer Date: Sat Jan 7 15:36:36 2023 -0500 diff --git a/debian/changelog b/debian/changelog index eb641f9..cc72229 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 21:20:48 +0000 + security-misc (3:27.1-1) unstable; urgency=medium * New upstream version (local package). From 4fca8f4225f134316e734d5f85d12b9e39b99b0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:28:11 -0500 Subject: [PATCH 0718/1650] comment --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 11f4dbe..93a9028 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -14,6 +14,8 @@ ram_wipe_check_needshutdown() { if [ "$wipe_action" = "reboot" ]; then info "wipe-ram.sh wiperamexit: reboot..." + ## Why reboot? Why not just continue to boot? + ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'? reboot --force elif [ "$wipe_action" = "poweroff" ]; then info "wipe-ram.sh wiperamexit: poweroff..." From 996c6af2d84cf23f323ca80c04fab26beea2aa1b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:31:23 -0500 Subject: [PATCH 0719/1650] lower debugging --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index ad81793..fc7af91 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -4,7 +4,7 @@ ## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. -set -x +#set -x set -e ## Get the kernel command-line arguments From e0ded5e69d38a02f9896277a67c0d209e4ee4ad4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:34:04 -0500 Subject: [PATCH 0720/1650] comment --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 93a9028..8c5d9f9 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -16,6 +16,9 @@ ram_wipe_check_needshutdown() { info "wipe-ram.sh wiperamexit: reboot..." ## Why reboot? Why not just continue to boot? ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'? + ## Also RAM wipe using sdmem leads to an OOM and the following error: + ## [FAILED] Failed to start dracut pre-udev hook. + ## In other words, the system might not boot up cleanly. reboot --force elif [ "$wipe_action" = "poweroff" ]; then info "wipe-ram.sh wiperamexit: poweroff..." From 3777ecba8568cf5458b05b3eeedf98f0ba51cd69 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:34:19 -0500 Subject: [PATCH 0721/1650] comment --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 8c5d9f9..efbf386 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -16,7 +16,7 @@ ram_wipe_check_needshutdown() { info "wipe-ram.sh wiperamexit: reboot..." ## Why reboot? Why not just continue to boot? ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'? - ## Also RAM wipe using sdmem leads to an OOM and the following error: + ## Also RAM wipe using sdmem leads to an OOM and the following error as seen in serial console: ## [FAILED] Failed to start dracut pre-udev hook. ## In other words, the system might not boot up cleanly. reboot --force From 2e833b40a1af1f194ec392ff0c05b0060bb27fe8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:43:09 -0500 Subject: [PATCH 0722/1650] prevent "wait: pid 55 is not a child of this shell" --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 ---- 1 file changed, 4 deletions(-) 
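Review bot: The comment block now mixes two open questions (`## Why reboot? Why not just continue to boot?` and the `## To get rid of … ?` line) with the concrete OOM rationale added here, so a reader cannot tell whether the forced reboot is a settled design decision or still under review. Rewrite the block as a statement, e.g. `## Reboot rather than continue booting: the sdmem RAM wipe causes an OOM that makes the dracut pre-udev hook fail, so a normal boot would likely not complete cleanly; it also drops the 'wiperamexit=yes wiperamaction=reboot' kernel parameters (if that is intended).` Keep a `## TODO:` marker only if the parameter-clearing question is genuinely unresolved. The second hunk on this line amends the same comment, and `ram_wipe_check_needshutdown` starts outside the hunk.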
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index efbf386..61c47e4 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -8,10 +8,6 @@ ram_wipe_check_needshutdown() { local wipe_action wipe_action=$(getarg wiperamaction) - ## TODO: disable - wait $(pgrep sdmem) - info "wipe-ram.sh wiperamexit: DONE WAITING..." - if [ "$wipe_action" = "reboot" ]; then info "wipe-ram.sh wiperamexit: reboot..." ## Why reboot? Why not just continue to boot? From ab89d0e06e68fa47fa4058416a6c8700551f1b9a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 16:59:00 -0500 Subject: [PATCH 0723/1650] cleanup --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 1876294..8a6e001 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -7,16 +7,11 @@ type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh ram_wipe_check_needshutdown() { - local OLD_DRACUT_QUIET - OLD_DRACUT_QUIET="$DRACUT_QUIET" - DRACUT_QUIET='no' - local kernel_wiperam_setting kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK." - DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 fi 
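Review bot: Dropping `wait $(pgrep sdmem)` removes the only synchronisation between this hook and the sdmem wipe, so the forced reboot further down now fires as soon as this function runs; that is harmless only if `sdmem` has already run synchronously before this hook, as the `sdmem -l -l -v` call in 10ram-wipe-exit/wipe-ram.sh (PATCH 0713 above) appears to, and the hook ordering is not visible here. The removed `wait` never worked as a synchronisation either, since sdmem is not a child of this shell, so if the wipe can still be running, poll instead: `while pgrep sdmem >/dev/null; do sleep 1; done`. The rest of `ram_wipe_check_needshutdown` lies outside the hunk.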
@@ -29,7 +24,6 @@ ram_wipe_check_needshutdown() { info "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'" if [ "$detect_virt_exit_code" = "0" ]; then info "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." - DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 fi info "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK." @@ -38,7 +32,6 @@ ram_wipe_check_needshutdown() { info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." need_shutdown - DRACUT_QUIET="$OLD_DRACUT_QUIET" return 0 } From abbaea582de898e48a852a0a153fe336341afe17 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:16:23 -0500 Subject: [PATCH 0724/1650] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 05ec734..7973c2f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,45 @@ +commit ab89d0e06e68fa47fa4058416a6c8700551f1b9a +Author: Patrick Schleizer +Date: Sat Jan 7 16:59:00 2023 -0500 + + cleanup + +commit 2e833b40a1af1f194ec392ff0c05b0060bb27fe8 +Author: Patrick Schleizer +Date: Sat Jan 7 16:43:09 2023 -0500 + + prevent "wait: pid 55 is not a child of this shell" + +commit 3777ecba8568cf5458b05b3eeedf98f0ba51cd69 +Author: Patrick Schleizer +Date: Sat Jan 7 16:34:19 2023 -0500 + + comment + +commit e0ded5e69d38a02f9896277a67c0d209e4ee4ad4 +Author: Patrick Schleizer +Date: Sat Jan 7 16:34:04 2023 -0500 + + comment + +commit 996c6af2d84cf23f323ca80c04fab26beea2aa1b +Author: Patrick Schleizer +Date: Sat Jan 7 16:31:23 2023 -0500 + + lower debugging + +commit 4fca8f4225f134316e734d5f85d12b9e39b99b0f +Author: Patrick Schleizer +Date: Sat Jan 7 16:28:11 2023 -0500 + + comment + +commit fa579cad8980c8d9231a9e2682267910544be175 +Author: Patrick Schleizer +Date: Sat Jan 7 16:20:48 2023 -0500 + + bumped changelog version + commit c9107bb044e3038d837e371aa7467edcedbbdb16 Author: Patrick Schleizer Date: Sat Jan 7 16:11:48 2023 -0500 diff --git a/debian/changelog b/debian/changelog index cc72229..d80904f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:16:23 +0000 + security-misc (3:27.2-1) unstable; urgency=medium * New upstream version (local package). From 02f44459ad194444122e98a9f743c2725edb4e43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:22:45 -0500 Subject: [PATCH 0725/1650] DRACUT_QUIET=no --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 ++ usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 2 ++ .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 2 ++ usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 ++ 4 files changed, 8 insertions(+) 
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 61c47e4..900f24d 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -4,6 +4,8 @@ ## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. +DRACUT_QUIET=no + ram_wipe_check_needshutdown() { local wipe_action wipe_action=$(getarg wiperamaction) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 14e01e1..988ed85 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -6,6 +6,8 @@ ## TODO: rename to wipe-ram-exit.sh (so it is different from wipe-ram.sh) +DRACUT_QUIET=no + ram_wipe_action() { local kernel_wiperam_exit kernel_wiperam_exit=$(getarg wiperamexit) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 8a6e001..4cf9562 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -6,6 +6,8 @@ type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh +DRACUT_QUIET=no + ram_wipe_check_needshutdown() { local kernel_wiperam_setting kernel_wiperam_setting=$(getarg wiperam) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index ef0ac06..4744c95 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
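Review bot: `DRACUT_QUIET=no` at file scope is a plain global assignment in a script that dracut sources into its own shell, so it changes verbosity for every hook that runs after this one, and the previous commit on this page removed exactly the save/restore that used to confine that effect to this file. The later "use warn instead of info" commit in this series indicates the assignment did not make `info` visible under `quiet` anyway, which leaves it as a global side effect with no benefit. Either drop the line, or if leaving dracut verbose for the rest of the stage is intended, say so: `## Intentionally left global: keep dracut verbose for all following hooks so RAM wipe progress is visible on the console.` The same assignment is added to the other three hook files in this commit and the same question applies to each.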
@@ -8,6 +8,8 @@ ## First version by @friedy10. ## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh +DRACUT_QUIET=no + drop_caches() { sync ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook From 539156c0dad74c584adb02beacdcf7a3a9b8b982 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:23:25 -0500 Subject: [PATCH 0726/1650] drop_caches --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 988ed85..3059910 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -8,6 +8,14 @@ DRACUT_QUIET=no +drop_caches() { + sync + ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook + ### Ensure any remaining disk cache is erased by Linux' memory poisoning + echo 3 > /proc/sys/vm/drop_caches + sync +} + ram_wipe_action() { local kernel_wiperam_exit kernel_wiperam_exit=$(getarg wiperamexit) @@ -24,9 +32,9 @@ ram_wipe_action() { info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." - ## TODO: drop_caches + drop_caches sdmem -l -l -v - ## TODO: drop_caches + drop_caches info "wipe-ram.sh wiperamexit: Second RAM wipe completed." } From 1d22ebde08984968deb143dab244a2b6e30d45e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:23:35 -0500 Subject: [PATCH 0727/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7973c2f..21e7970 100644 --- a/changelog.upstream +++ b/changelog.upstream 
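Review bot: The `echo 3 > /proc/sys/vm/drop_caches` in the new drop_caches() is unchecked, and I see no `set -e` in the visible parts of this file, so if /proc is not mounted in the exit initramfs or the write is refused, the page cache keeps whatever plaintext it held and the caller still announces `Second RAM wipe completed.` Make the failure visible: `echo 3 > /proc/sys/vm/drop_caches || warn "wipe-ram.sh wiperamexit: write to /proc/sys/vm/drop_caches failed, page cache NOT dropped!"`. The identical function in 40cold-boot-attack-defense/wipe-ram.sh (shown as context in the preceding hunk) has the same gap and presumably should be fixed in both places.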
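Review bot: `sdmem -l -l -v` between the two drop_caches calls has no status check, so if sdmem is killed by the OOM killer (the comment added to wipe-ram-needshutdown.sh earlier in this series says the pass does push the system into OOM) or exits non-zero, the script still logs `Second RAM wipe completed.` as if the pass had finished. Check it and keep the success message honest: `sdmem -l -l -v || warn "wipe-ram.sh wiperamexit: sdmem exited with status $?, second RAM wipe may be INCOMPLETE!"`, and print the completion line only when sdmem returned 0 (`$?` on the right of `||` is sdmem's status there). The start of ram_wipe_action is outside this hunk.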
@@ -1,3 +1,21 @@ +commit 539156c0dad74c584adb02beacdcf7a3a9b8b982 +Author: Patrick Schleizer +Date: Sat Jan 7 17:23:25 2023 -0500 + + drop_caches + +commit 02f44459ad194444122e98a9f743c2725edb4e43 +Author: Patrick Schleizer +Date: Sat Jan 7 17:22:45 2023 -0500 + + DRACUT_QUIET=no + +commit abbaea582de898e48a852a0a153fe336341afe17 +Author: Patrick Schleizer +Date: Sat Jan 7 17:16:23 2023 -0500 + + bumped changelog version + commit ab89d0e06e68fa47fa4058416a6c8700551f1b9a Author: Patrick Schleizer Date: Sat Jan 7 16:59:00 2023 -0500 diff --git a/debian/changelog b/debian/changelog index d80904f..a44e885 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:23:35 +0000 + security-misc (3:27.3-1) unstable; urgency=medium * New upstream version (local package). From a07af631559e9c9312c263826969b5b028509a2e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:35:56 -0500 Subject: [PATCH 0728/1650] output --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index fc7af91..de65d47 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -39,6 +39,8 @@ else exit 0 fi +echo "$0: INFO: wiperamaction: $wiperamaction" + ## Debugging. echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" From 8e2db269b01e5d3c28346dd7713074a346fa3e72 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:36:51 -0500 Subject: [PATCH 0729/1650] cleanup --- usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 4744c95..5ead246 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -68,8 +68,6 @@ ram_wipe() { if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." - ## This should probably be removed in production? - sleep 3 else warn "\ wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! From 5689c07f97d2775b9445f75a10554e70875a5636 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:37:46 -0500 Subject: [PATCH 0730/1650] comment --- usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 5ead246..35595a3 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -69,6 +69,8 @@ ram_wipe() { if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." else + ## dracut should unmount the root encrypted disk cryptsetup luksClose during shutdown + ## https://github.com/dracutdevs/dracut/issues/1888 warn "\ wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! From 080abe574ba10b8365587a1c89085efe88f210ee Mon Sep 17 00:00:00 2001 
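Review bot: The new comment explains why `dmsetup ls --target crypt` may still list devices, but the code in that branch still only warns, sleeps, and then proceeds to `kexec --exec` with the dm-crypt mappings, and therefore their keys, alive in this kernel. Whether the kexec'd kernel's second sdmem pass reliably overwrites the old kernel's pages holding that key material is not established anywhere in this file, so I would attempt a best-effort teardown before continuing, `dmsetup remove_all || warn "wipe-ram.sh: dmsetup remove_all failed, encrypted mappings still present!"` (without `--force` it should refuse busy devices rather than break them), and extend the comment to say that the second pass after kexec is what is relied on for any mapping that cannot be closed. ram_wipe continues past the end of this hunk.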
From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:48:21 -0500 Subject: [PATCH 0731/1650] output --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 35595a3..38ec157 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -81,13 +81,13 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - info "wipe-ram.sh: Now running kexec --exec..." + info "wipe-ram.sh: Now running 'kexec --exec'..." if kexec --exec ; then - info "wipe-ram.sh: kexec --exec succeeded." + info "wipe-ram.sh: 'kexec --exec' succeeded." return 0 fi - warn "wipe-ram.sh: kexec --exec failed!" + warn "wipe-ram.sh: 'kexec --exec' failed!" sleep 5 } From 921bc3e867411e5a96ca3e4641a7501038cf5139 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 17:49:24 -0500 Subject: [PATCH 0732/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 21e7970..0831611 100644 --- a/changelog.upstream +++ b/changelog.upstream 
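Review bot: The `'kexec --exec' succeeded.` line can only run if `kexec --exec` returns with status 0, but a kexec that actually executes replaces the running kernel and never returns, so whenever that message is printed the second-pass kernel was not started and the log claims success for a wipe that did not happen. Treat any return from `kexec --exec` as failure: `kexec --exec ; warn "wipe-ram.sh: 'kexec --exec' returned (status $?), second RAM wipe did NOT start!" ; sleep 5`, and drop the `if`/`return 0` around it. Whether kexec can ever return 0 without executing I cannot confirm from here, but the message should not assert success either way. ram_wipe starts outside this hunk.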
@@ -1,3 +1,33 @@ +commit 080abe574ba10b8365587a1c89085efe88f210ee +Author: Patrick Schleizer +Date: Sat Jan 7 17:48:21 2023 -0500 + + output + +commit 5689c07f97d2775b9445f75a10554e70875a5636 +Author: Patrick Schleizer +Date: Sat Jan 7 17:37:46 2023 -0500 + + comment + +commit 8e2db269b01e5d3c28346dd7713074a346fa3e72 +Author: Patrick Schleizer +Date: Sat Jan 7 17:36:51 2023 -0500 + + cleanup + +commit a07af631559e9c9312c263826969b5b028509a2e +Author: Patrick Schleizer +Date: Sat Jan 7 17:35:56 2023 -0500 + + output + +commit 1d22ebde08984968deb143dab244a2b6e30d45e9 +Author: Patrick Schleizer +Date: Sat Jan 7 17:23:35 2023 -0500 + + bumped changelog version + commit 539156c0dad74c584adb02beacdcf7a3a9b8b982 Author: Patrick Schleizer Date: Sat Jan 7 17:23:25 2023 -0500 diff --git a/debian/changelog b/debian/changelog index a44e885..ba2d83f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:49:24 +0000 + security-misc (3:27.4-1) unstable; urgency=medium * New upstream version (local package). From 2fd302f580509842d290b2b0a27079dca445d5cd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 18:02:21 -0500 Subject: [PATCH 0733/1650] output --- usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 38ec157..a025d05 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -72,7 +72,7 @@ ram_wipe() { ## dracut should unmount the root encrypted disk cryptsetup luksClose during shutdown ## https://github.com/dracutdevs/dracut/issues/1888 warn "\ -wipe-ram.sh: There are still mounted encrypted disks! RAM wipe failed! +wipe-ram.sh: There are still mounted encrypted disks! RAM wipe incomplete! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' From 0b1310a21944939d94de18d8ac6d494446d23d0c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 18:05:47 -0500 Subject: [PATCH 0734/1650] output --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index de65d47..a49ef52 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -39,11 +39,11 @@ else exit 0 fi -echo "$0: INFO: wiperamaction: $wiperamaction" +echo "INFO: wiperamaction: $wiperamaction" ## Debugging. echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" -echo "$0: OK." +echo "OK." From 938b87d26c195b6804796d4fa6050a453278700c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 18:06:10 -0500 Subject: [PATCH 0735/1650] comment --- usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index a49ef52..2a81f97 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
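Review bot: `kexec --load` goes through the kexec_load syscall, which as far as I recall is refused when the kernel runs in lockdown mode (Secure Boot on many distributions); with `set -e` at the top of this script that failure ends the run before `echo "OK."` and no line says that the RAM wipe will not happen at this shutdown. Make the failure explicit so it is visible in the journal: `kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" || { echo "$0: ERROR: 'kexec --load' failed, RAM wipe on shutdown will NOT run (kernel lockdown?)" >&2 ; exit 1 ; }`, and add a comment that under lockdown only `kexec -s` (kexec_file_load) with a signed kernel and initrd is accepted. Please confirm the lockdown behaviour against the target kernel; this is not verifiable from the patch.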
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -35,6 +35,7 @@ elif systemctl list-jobs --no-legend | grep "halt.target" | grep -q "start"; the wiperamaction="halt" else ## Could be kexec.target. + ## Could be run during package installation. echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping kexec load, ok." exit 0 fi From e81dd6cd25f58871c1f6b4a082f81eec34a518b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Jan 2023 18:13:57 -0500 Subject: [PATCH 0736/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0831611..d5fcf66 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 938b87d26c195b6804796d4fa6050a453278700c +Author: Patrick Schleizer +Date: Sat Jan 7 18:06:10 2023 -0500 + + comment + +commit 0b1310a21944939d94de18d8ac6d494446d23d0c +Author: Patrick Schleizer +Date: Sat Jan 7 18:05:47 2023 -0500 + + output + +commit 2fd302f580509842d290b2b0a27079dca445d5cd +Author: Patrick Schleizer +Date: Sat Jan 7 18:02:21 2023 -0500 + + output + +commit 921bc3e867411e5a96ca3e4641a7501038cf5139 +Author: Patrick Schleizer +Date: Sat Jan 7 17:49:24 2023 -0500 + + bumped changelog version + commit 080abe574ba10b8365587a1c89085efe88f210ee Author: Patrick Schleizer Date: Sat Jan 7 17:48:21 2023 -0500 diff --git a/debian/changelog b/debian/changelog index ba2d83f..f8147a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 23:13:57 +0000 + security-misc (3:27.5-1) unstable; urgency=medium * New upstream version (local package). From 5b11eecaecdec7487224b90708da82c10ccc4d63 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 8 Jan 2023 06:45:10 -0500 Subject: [PATCH 0737/1650] refactoring --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 2a81f97..0b432fb 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -14,13 +14,13 @@ cmdline=$(cat /proc/cmdline) kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -if ! test -r "$initrd"; then - echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" +if ! test -r "$kernel"; then + echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" exit 1 fi -if ! test -r "$kernel"; then - echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" +if ! test -r "$initrd"; then + echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" exit 1 fi From da0fc9f5bd5d1551f46fb5625010b317d30274b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Jan 2023 07:07:43 -0500 Subject: [PATCH 0738/1650] improve kernel and initrd file detection --- .../cold-boot-attack-defense-kexec-prepare | 39 ++++++++++++++++++- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 0b432fb..cfc9219 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
@@ -10,9 +10,44 @@ set -e ## Get the kernel command-line arguments cmdline=$(cat /proc/cmdline) -## Get the current boot image -kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) +boot_image_full=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*') +## example boot_image_full: +## BOOT_IMAGE=/vmlinuz-5.10.0-20-amd64 +## BOOT_IMAGE=/boot/vmlinuz-5.10.0-20-amd64 + +if [ "$boot_image_full" = "" ]; then + echo "$0: ERROR: /proc/cmdline does not contain BOOT_IMAGE!" + exit 1 +fi + +boot_image=$(echo "$boot_image_full" | cut -d '=' -f 2) +## example boot_image: +## /vmlinuz-5.10.0-20-amd64 +## /boot/vmlinuz-5.10.0-20-amd64 + +if [ "$boot_image" = "" ]; then + echo "$0: ERROR: boot_image detection failed (is empty)!" + exit 1 +fi + +boot_image_without_boot_slash=$(echo "$kernel" | sed "s#boot/##") + +if [ "$boot_image_without_boot_slash" = "" ]; then + echo "$0: ERROR: boot_image_without_boot_slash detection failed (is empty)!" + exit 1 +fi + +if test -r "/boot/$boot_image_without_boot_slash" ; then + kernel="/boot/$boot_image_without_boot_slash" +elif test -r "/$boot_image_without_boot_slash" ; then + kernel="/$boot_image_without_boot_slash" +fi +## example kernel: +## /boot//vmlinuz-5.10.0-20-amd64 + initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") +## example initrd: +## /boot//initrd.img-5.10.0-20-amd64 if ! test -r "$kernel"; then echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" From 8367b27a0df2e6ea5bc2d57d1520cfdd2f4d35e2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Jan 2023 07:08:18 -0500 Subject: [PATCH 0739/1650] output --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index cfc9219..86153cc 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
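Review bot: `boot_image_without_boot_slash=$(echo "$kernel" | sed "s#boot/##")` reads `$kernel`, which is not assigned anywhere above this line on the new side (it is only set in the `if test -r` block below), so with this patch the variable is always empty and the script stops at `boot_image_without_boot_slash detection failed` on every shutdown; it should read `$boot_image`. Two smaller issues in the same block: `s#boot/##` strips `boot/` wherever it appears rather than only a leading `/boot/`, and when neither `test -r` branch matches, `kernel` stays unset and `initrd` is derived from an empty string, so the only diagnostic is `Kernel File '' not found`. A later commit in this series replaces the block with `kernel-file-detect`, which makes this moot for the final tree, but as a standalone commit it is broken. Minimal fix: `boot_image_without_boot_slash=$(echo "$boot_image" | sed "s#^/boot/#/#")` plus an `else` branch that errors out.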
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -71,7 +71,7 @@ elif systemctl list-jobs --no-legend | grep "halt.target" | grep -q "start"; the else ## Could be kexec.target. ## Could be run during package installation. - echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping kexec load, ok." + echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping 'kexec --load', ok." exit 0 fi From 96d6ca7ae01d537ab972798417b9453d57c03cd7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Jan 2023 07:09:09 -0500 Subject: [PATCH 0740/1650] improve kernel and initrd file detection --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 86153cc..344ad19 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -10,6 +10,11 @@ set -e ## Get the kernel command-line arguments cmdline=$(cat /proc/cmdline) +if [ "$cmdline" = "" ]; then + echo "$0: ERROR: /proc/cmdline is empty!" + exit 1 +fi + boot_image_full=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*') ## example boot_image_full: ## BOOT_IMAGE=/vmlinuz-5.10.0-20-amd64 From f3b84e15be40ef64969b70bc62ab4bf8d40352b6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Jan 2023 07:16:18 -0500 Subject: [PATCH 0741/1650] refactoring --- .../cold-boot-attack-defense-kexec-prepare | 59 +------------------ 1 file changed, 3 insertions(+), 56 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 344ad19..8f8b76f 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
@@ -7,62 +7,9 @@ #set -x set -e -## Get the kernel command-line arguments -cmdline=$(cat /proc/cmdline) - -if [ "$cmdline" = "" ]; then - echo "$0: ERROR: /proc/cmdline is empty!" - exit 1 -fi - -boot_image_full=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*') -## example boot_image_full: -## BOOT_IMAGE=/vmlinuz-5.10.0-20-amd64 -## BOOT_IMAGE=/boot/vmlinuz-5.10.0-20-amd64 - -if [ "$boot_image_full" = "" ]; then - echo "$0: ERROR: /proc/cmdline does not contain BOOT_IMAGE!" - exit 1 -fi - -boot_image=$(echo "$boot_image_full" | cut -d '=' -f 2) -## example boot_image: -## /vmlinuz-5.10.0-20-amd64 -## /boot/vmlinuz-5.10.0-20-amd64 - -if [ "$boot_image" = "" ]; then - echo "$0: ERROR: boot_image detection failed (is empty)!" - exit 1 -fi - -boot_image_without_boot_slash=$(echo "$kernel" | sed "s#boot/##") - -if [ "$boot_image_without_boot_slash" = "" ]; then - echo "$0: ERROR: boot_image_without_boot_slash detection failed (is empty)!" - exit 1 -fi - -if test -r "/boot/$boot_image_without_boot_slash" ; then - kernel="/boot/$boot_image_without_boot_slash" -elif test -r "/$boot_image_without_boot_slash" ; then - kernel="/$boot_image_without_boot_slash" -fi -## example kernel: -## /boot//vmlinuz-5.10.0-20-amd64 - -initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") -## example initrd: -## /boot//initrd.img-5.10.0-20-amd64 - -if ! test -r "$kernel"; then - echo "$0: ERROR: Kernel File '$kernel' not found or not readable!" - exit 1 -fi - -if ! test -r "$initrd"; then - echo "$0: ERROR: Initrd File '$initrd' not found or not readable!" - exit 1 -fi +## provided by helper-scripts +kernel=$(kernel-file-detect) +initrd=$(initrd-file-detect) if systemctl list-jobs --no-legend | grep "poweroff.target" | grep -q "start"; then wiperamexit="yes" From 7fa6946694a997e04b17ecb3a167d767543093a2 Mon Sep 17 00:00:00 2001 
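Review bot: The `test -r` checks on `$kernel` and `$initrd` were removed along with the inline detection, so `kernel=$(kernel-file-detect)` and `initrd=$(initrd-file-detect)` now rely solely on `set -e` catching a non-zero exit from the helpers; a helper that prints an empty or unreadable path but exits 0 lets the script reach `kexec --load` with bad arguments. Since the helpers' contract is not visible in this patch, keep a cheap guard after the two assignments: `test -r "$kernel" || { echo "$0: ERROR: kernel file '$kernel' not readable!" >&2 ; exit 1 ; }` and the same line for `$initrd`. Presumably helper-scripts is already a package dependency; if not, a missing helper ends the script under `set -e` with only a bare "command not found".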
From: Patrick Schleizer Date: Sun, 8 Jan 2023 07:17:02 -0500 Subject: [PATCH 0742/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d5fcf66..0cd6136 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit f3b84e15be40ef64969b70bc62ab4bf8d40352b6 +Author: Patrick Schleizer +Date: Sun Jan 8 07:16:18 2023 -0500 + + refactoring + +commit 96d6ca7ae01d537ab972798417b9453d57c03cd7 +Author: Patrick Schleizer +Date: Sun Jan 8 07:09:09 2023 -0500 + + improve kernel and initrd file detection + +commit 8367b27a0df2e6ea5bc2d57d1520cfdd2f4d35e2 +Author: Patrick Schleizer +Date: Sun Jan 8 07:08:18 2023 -0500 + + output + +commit da0fc9f5bd5d1551f46fb5625010b317d30274b3 +Author: Patrick Schleizer +Date: Sun Jan 8 07:07:43 2023 -0500 + + improve kernel and initrd file detection + +commit 5b11eecaecdec7487224b90708da82c10ccc4d63 +Author: Patrick Schleizer +Date: Sun Jan 8 06:45:10 2023 -0500 + + refactoring + +commit e81dd6cd25f58871c1f6b4a082f81eec34a518b5 +Author: Patrick Schleizer +Date: Sat Jan 7 18:13:57 2023 -0500 + + bumped changelog version + commit 938b87d26c195b6804796d4fa6050a453278700c Author: Patrick Schleizer Date: Sat Jan 7 18:06:10 2023 -0500 diff --git a/debian/changelog b/debian/changelog index f8147a4..40484f3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Jan 2023 12:17:02 +0000 + security-misc (3:27.6-1) unstable; urgency=medium * New upstream version (local package). From d769099db1dbf90350838430cda2de7196076c5d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 9 Jan 2023 05:34:07 -0500 Subject: [PATCH 0743/1650] use warn instead of info for now because dracut does not show info messages when kernel parameter quiet is set --- .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 8 ++++---- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 8 ++++---- .../wipe-ram-needshutdown.sh | 14 +++++++------- .../40cold-boot-attack-defense/wipe-ram.sh | 18 +++++++++--------- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 900f24d..c224cc9 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -11,7 +11,7 @@ ram_wipe_check_needshutdown() { wipe_action=$(getarg wiperamaction) if [ "$wipe_action" = "reboot" ]; then - info "wipe-ram.sh wiperamexit: reboot..." + warn "wipe-ram.sh wiperamexit: reboot..." ## Why reboot? Why not just continue to boot? ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'? ## Also RAM wipe using sdmem leads to an OOM and the following error as seen in serial console: @@ -19,13 +19,13 @@ ram_wipe_check_needshutdown() { ## In other words, the system might not boot up cleanly. reboot --force elif [ "$wipe_action" = "poweroff" ]; then - info "wipe-ram.sh wiperamexit: poweroff..." + warn "wipe-ram.sh wiperamexit: poweroff..." poweroff --force elif [ "$wipe_action" = "halt" ]; then - info "wipe-ram.sh wiperamexit: halt..." + warn "wipe-ram.sh wiperamexit: halt..." halt --force else - info "wipe-ram.sh wiperamexit: normal boot..." + warn "wipe-ram.sh wiperamexit: normal boot..." fi } diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 3059910..7046e7b 100755 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh 
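Review bot: Turning routine status lines such as `normal boot...` into `warn` makes every boot and shutdown emit dracut warnings, and if dracut's warn() also writes to /dev/kmsg at warning priority as I recall, the one real warning in this module (`There are still mounted encrypted disks! RAM wipe incomplete!`) becomes indistinguishable from chatter in the journal and in any log-based alerting. Since the stated goal is only console visibility under `quiet`, a small helper keeps severities honest while still printing: `wipe_ram_info() { info "$*" ; echo "dracut: $*" >&2 ; }` and then `wipe_ram_info "wipe-ram.sh wiperamexit: reboot..."` in place of each `warn`. The commit message calls this temporary; a `## TODO: revert to info once console output is sorted` next to the first call would keep that intent in the tree. The same substitution is applied to the other three hook files in this commit.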
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -21,22 +21,22 @@ ram_wipe_action() { kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." + warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_exit" != "yes" ]; then - info "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." + warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." return 0 fi - info "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." + warn "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." drop_caches sdmem -l -l -v drop_caches - info "wipe-ram.sh wiperamexit: Second RAM wipe completed." + warn "wipe-ram.sh wiperamexit: Second RAM wipe completed." } ram_wipe_action diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 4cf9562..f0a7e0a 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh 
@@ -13,25 +13,25 @@ ram_wipe_check_needshutdown() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK." + warn "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "wipe-ram-needshutdown.sh: wiperam=force detected, OK." + warn "wipe-ram-needshutdown.sh: wiperam=force detected, OK." else detect_virt_output="$(systemd-detect-virt 2>&1)" detect_virt_exit_code="$?" - info "wipe-ram-needshutdown.sh: detect_virt_output: '$detect_virt_output'" - info "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'" + warn "wipe-ram-needshutdown.sh: detect_virt_output: '$detect_virt_output'" + warn "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'" if [ "$detect_virt_exit_code" = "0" ]; then - info "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." + warn "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." return 0 fi - info "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK." + warn "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK." fi - info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." + warn "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." need_shutdown return 0 diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index a025d05..fe2aa03 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
@@ -25,15 +25,15 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." + warn "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "wipe-ram.sh: wiperam=force detected, OK." + warn "wipe-ram.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." + warn "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." return 0 fi fi @@ -44,7 +44,7 @@ ram_wipe() { return 0 fi - info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." + warn "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." drop_caches @@ -54,20 +54,20 @@ ram_wipe() { drop_caches - info "wipe-ram.sh: RAM wipe completed, OK." + warn "wipe-ram.sh: RAM wipe completed, OK." ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info "wipe-ram.sh: Checking if there are still mounted encrypted disks..." + warn "wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." + warn "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." else ## dracut should unmount the root encrypted disk cryptsetup luksClose during shutdown ## https://github.com/dracutdevs/dracut/issues/1888 
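Review bot: `if systemd-detect-virt &>/dev/null ; then` in the first hunk of ram_wipe is a bash-only redirection in a `#!/bin/sh` script: under a POSIX sh such as dash it parses as `systemd-detect-virt &` followed by an empty `>/dev/null` command, so the condition is always true and the RAM wipe would be skipped on bare metal exactly as if a VM had been detected. Which shell sources this hook depends on how the initramfs was built (bash by default, dash if that dracut module is selected), so the breakage may be latent today, but when it triggers it silently disables the defence with an "OK." message. The sibling wipe-ram-needshutdown.sh already uses the portable form; the equivalent here is `if systemd-detect-virt >/dev/null 2>&1 ; then`. ram_wipe starts and ends outside this hunk.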
@@ -81,9 +81,9 @@ dmsetup_actual_output: '$dmsetup_actual_output'" sleep 5 fi - info "wipe-ram.sh: Now running 'kexec --exec'..." + warn "wipe-ram.sh: Now running 'kexec --exec'..." if kexec --exec ; then - info "wipe-ram.sh: 'kexec --exec' succeeded." + warn "wipe-ram.sh: 'kexec --exec' succeeded." return 0 fi From 3867acf723f26416a047260010518829adcefc03 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 9 Jan 2023 05:34:48 -0500 Subject: [PATCH 0744/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0cd6136..dcb44e9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit d769099db1dbf90350838430cda2de7196076c5d +Author: Patrick Schleizer +Date: Mon Jan 9 05:34:07 2023 -0500 + + use warn instead of info for now + + because dracut does not show info messages when kernel parameter quiet is set + +commit 7fa6946694a997e04b17ecb3a167d767543093a2 +Author: Patrick Schleizer +Date: Sun Jan 8 07:17:02 2023 -0500 + + bumped changelog version + commit f3b84e15be40ef64969b70bc62ab4bf8d40352b6 Author: Patrick Schleizer Date: Sun Jan 8 07:16:18 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 40484f3..4a8b558 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 10:34:48 +0000 + security-misc (3:27.7-1) unstable; urgency=medium * New upstream version (local package). From 87c4e77c017aba7d57ae1fc7cf41a1f3143f1a04 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 9 Jan 2023 06:23:00 -0500 Subject: [PATCH 0745/1650] migrate to ram-wipe package --- debian/security-misc.maintscript | 3 ++ .../grub.d/40_cold_boot_attack_defense.cfg | 29 ------------------- 2 files changed, 3 insertions(+), 29 deletions(-) delete mode 100644 etc/default/grub.d/40_cold_boot_attack_defense.cfg diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 85865a3..5218218 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -37,3 +37,6 @@ rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf ## renamed to /etc/security/limits.d/30_security-misc.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf + +## moved to separate package ram-wipe +/etc/default/grub.d/40_cold_boot_attack_defense.cfg diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg deleted file mode 100644 index 1729c14..0000000 --- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg +++ /dev/null 
@@ -1,29 +0,0 @@ -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Wiping RAM at shutdown to defeat cold boot attacks. -## -## RAM wipe is enabled by default on host operating systems, real hardware. -## RAM wipe is disabled by in virtual machines (VMs). -## -## Most users should not make any modifications to this config file because -## there is no need for that. -## -## User documentation: -## https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense -## -## Design documentation: -## https://www.kicksecure.com/wiki/Dev/RAM_Wipe - -## RAM wipe is omitted in virtual machines (VMs) by default because it is -## unclear if that could actually lead to the host operating system using -## swap. Through use of kernel parameter wiperam=force it is possible to -## force RAM wipe inside VMs which is useful for testing, development purposes. -## There is no additional security benefit by the wiperam=force setting -## for host operating systems. -#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force" - -## Kernel parameter wiperam=skip is provided to support disabling RAM wipe -## at shutdown, which might be useful to speed up shutdown or in case should -## there ever be issues. -#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=skip" From ad5d0d4b12e73b74166aafb5c34252f1e1af1854 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 9 Jan 2023 06:37:45 -0500 Subject: [PATCH 0746/1650] disable kexec (revert enabling kexec) remove kexec-utils for ram-wipe since moved to its own package --- debian/control | 2 +- etc/sysctl.d/30_security-misc.conf | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index 3889dc9..cff197e 100644 --- a/debian/control +++ b/debian/control 
@@ -16,7 +16,7 @@ Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, - secure-delete, dmsetup, kexec-tools, ${misc:Depends} + secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings https://github.com/Whonix/security-misc/blob/master/README.md diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index c376779..3862e1d 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -37,8 +37,7 @@ net.core.bpf_jit_harden=2 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. -## kexec is required for cold boot attack defense -## kernel.kexec_load_disabled=1 +kernel.kexec_load_disabled=1 ## Hides kernel addresses in various files in /proc. ## Kernel addresses can be very useful in certain exploits. From 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 9 Jan 2023 06:54:04 -0500 Subject: [PATCH 0747/1650] migrate ram-wipe to dedicated package --- README.md | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/README.md b/README.md index 0e1cf1b..33cb7d0 100644 --- a/README.md +++ b/README.md 
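Review bot: Re-enabling `kernel.kexec_load_disabled=1` here while the tree still ships `usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare` and the 40cold-boot-attack-defense hooks (only removed in PATCH 0751) leaves an intermediate state in which that ExecStop script's `kexec --load` is refused by the kernel, so under its `set -e` the unit fails at every poweroff/reboot and the shutdown hook's `kexec --exec` has nothing to execute. Dropping `kexec-tools` from Depends in the same commit additionally makes the failure mode depend on whether the binary happens to be installed. If the split has to land in steps, removing the callers first (or in this commit) avoids publishing a version in which the feature is still advertised but cannot work.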
@@ -398,37 +398,6 @@ information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by executing `systemctl enable hide-hardware-info.service` as root. -## Cold Boot Attack Defense - -Wiping RAM at shutdown to defeat cold boot attacks. - -Implemented as `dracut` module `cold-boot-attack-defense`. - -Requires `dracut`. In other words, RAM wipe is incompatible with systems -using `initramfs-tools`. To switch to, install dracut: - - sudo apt update - sudo apt install --no-install-recommends dracut - -`dracut` is intentionally not declared as a dependency of `security-misc` to -avoid making all of `security-misc` dependent on `dracut` only for the sake of -the wipe RAM at shutdown feature. Linux distribution such as Kicksecure are -advised to (and Kicksecure is planning to) install `dracut` instead of -`initramfs-tools` by default. - -Only tested on `systemd` enabled systems. - -User documentation: -https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense - -Design documentation: -https://www.kicksecure.com/wiki/Dev/RAM_Wipe - -Source code: - -* `/usr/lib/dracut/modules.d/40cold-boot-attack-defense` -* `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` - ## miscellaneous * hardened malloc compatibility for haveged workaround From b3d85f115cf486f4a2805d954ba6dd741817dd71 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 9 Jan 2023 07:02:01 -0500 Subject: [PATCH 0748/1650] bumped changelog version --- changelog.upstream | 26 ++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 32 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index dcb44e9..9002332 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,29 @@ +commit 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 +Author: Patrick Schleizer +Date: Mon Jan 9 06:54:04 2023 -0500 + + migrate ram-wipe to dedicated package + +commit ad5d0d4b12e73b74166aafb5c34252f1e1af1854 +Author: Patrick Schleizer +Date: Mon Jan 9 06:37:45 2023 -0500 + + disable kexec (revert enabling kexec) + + remove kexec-utils for ram-wipe since moved to its own package + +commit 87c4e77c017aba7d57ae1fc7cf41a1f3143f1a04 +Author: Patrick Schleizer +Date: Mon Jan 9 06:23:00 2023 -0500 + + migrate to ram-wipe package + +commit 3867acf723f26416a047260010518829adcefc03 +Author: Patrick Schleizer +Date: Mon Jan 9 05:34:48 2023 -0500 + + bumped changelog version + commit d769099db1dbf90350838430cda2de7196076c5d Author: Patrick Schleizer Date: Mon Jan 9 05:34:07 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 4a8b558..a5e274f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:27.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 12:02:01 +0000 + security-misc (3:27.8-1) unstable; urgency=medium * New upstream version (local package). From c50665218776733919845044b39466c57117542d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 9 Jan 2023 07:05:06 -0500 Subject: [PATCH 0749/1650] fix --- debian/security-misc.maintscript | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 5218218..3ad5230 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -39,4 +39,4 @@ rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf ## moved to separate package ram-wipe -/etc/default/grub.d/40_cold_boot_attack_defense.cfg +rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg From 11d0bb2c006eb7add5f9b0e70a199098972af25e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 9 Jan 2023 07:05:18 -0500 Subject: [PATCH 0750/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9002332..38a691b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c50665218776733919845044b39466c57117542d +Author: Patrick Schleizer +Date: Mon Jan 9 07:05:06 2023 -0500 + + fix + +commit b3d85f115cf486f4a2805d954ba6dd741817dd71 +Author: Patrick Schleizer +Date: Mon Jan 9 07:02:01 2023 -0500 + + bumped changelog version + commit 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 Author: Patrick Schleizer Date: Mon Jan 9 06:54:04 2023 -0500 diff --git a/debian/changelog b/debian/changelog index a5e274f..cd6195c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 12:05:18 +0000 + security-misc (3:27.9-1) unstable; urgency=medium * New upstream version (local package). From 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 24 Jan 2023 06:34:17 -0500 Subject: [PATCH 0751/1650] move ram-wipe scripts to dedicated ram-wipe package --- ...-boot-attack-defense-kexec-prepare.service | 17 ---- .../modules.d/10ram-wipe-exit/module-setup.sh | 48 ---------- .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 32 ------- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 42 --------- .../module-setup.sh | 38 -------- .../wipe-ram-needshutdown.sh | 40 -------- .../40cold-boot-attack-defense/wipe-ram.sh | 94 ------------------- .../cold-boot-attack-defense-kexec-prepare | 37 -------- 8 files changed, 348 deletions(-) delete mode 100644 lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh delete mode 100755 usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service deleted file mode 100644 index 5e2733c..0000000 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ /dev/null 
@@ -1,17 +0,0 @@ -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -[Unit] -Description=Cold Boot Attack Defense Reboot RAM Wipe - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/bin/true -ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare -## Debugging. -StandardOutput=journal+console - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh deleted file mode 100755 index 76d4ac2..0000000 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/bash -# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- -# ex: ts=8 sw=4 sts=4 et filetype=sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -# called by dracut -check() { - require_binaries sync || return 1 - require_binaries sleep || return 1 - require_binaries ls || return 1 - require_binaries halt || return 1 - require_binaries poweroff || return 1 - require_binaries reboot || return 1 - require_binaries cat || return 1 - require_binaries sdmem || return 1 - require_binaries pgrep || return 1 - require_binaries dmsetup || return 1 - return 0 -} - -# called by dracut -depends() { - return 0 -} - -# called by dracut -install() { - inst_multiple sync - inst_multiple sleep - inst_multiple ls - inst_multiple halt - inst_multiple poweroff - inst_multiple reboot - inst_multiple cat - inst_multiple sdmem - inst_multiple pgrep - inst_multiple dmsetup - inst_hook pre-udev 40 "$moddir/wipe-ram.sh" - inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh" -} - -# called by dracut -installkernel() { - return 0 -} 
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh deleted file mode 100755 index c224cc9..0000000 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -DRACUT_QUIET=no - -ram_wipe_check_needshutdown() { - local wipe_action - wipe_action=$(getarg wiperamaction) - - if [ "$wipe_action" = "reboot" ]; then - warn "wipe-ram.sh wiperamexit: reboot..." - ## Why reboot? Why not just continue to boot? - ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'? - ## Also RAM wipe using sdmem leads to an OOM and the following error as seen in serial console: - ## [FAILED] Failed to start dracut pre-udev hook. - ## In other words, the system might not boot up cleanly. - reboot --force - elif [ "$wipe_action" = "poweroff" ]; then - warn "wipe-ram.sh wiperamexit: poweroff..." - poweroff --force - elif [ "$wipe_action" = "halt" ]; then - warn "wipe-ram.sh wiperamexit: halt..." - halt --force - else - warn "wipe-ram.sh wiperamexit: normal boot..." - fi -} - -ram_wipe_check_needshutdown diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh deleted file mode 100755 index 7046e7b..0000000 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -## TODO: rename to wipe-ram-exit.sh (so it is different from wipe-ram.sh) - -DRACUT_QUIET=no - -drop_caches() { - sync - ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook - ### Ensure any remaining disk cache is erased by Linux' memory poisoning - echo 3 > /proc/sys/vm/drop_caches - sync -} - -ram_wipe_action() { - local kernel_wiperam_exit - kernel_wiperam_exit=$(getarg wiperamexit) - - if [ "$kernel_wiperam_exit" = "no" ]; then - warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK." - return 0 - fi - - if [ "$kernel_wiperam_exit" != "yes" ]; then - warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset." - return 0 - fi - - warn "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..." - - drop_caches - sdmem -l -l -v - drop_caches - - warn "wipe-ram.sh wiperamexit: Second RAM wipe completed." -} - -ram_wipe_action diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh deleted file mode 100755 index cb679e8..0000000 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/bash -# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- -# ex: ts=8 sw=4 sts=4 et filetype=sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -# called by dracut -check() { - require_binaries sync || return 1 - require_binaries sleep || return 1 - require_binaries sdmem || return 1 - require_binaries dmsetup || return 1 - require_binaries systemd-detect-virt || return 1 - return 0 -} - -# called by dracut -depends() { - return 0 -} - -# called by dracut -install() { - inst_multiple sync - inst_multiple sleep - inst_multiple sdmem - inst_multiple dmsetup - inst_multiple systemd-detect-virt - inst_hook shutdown 40 "$moddir/wipe-ram.sh" - inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh" -} - -# called by dracut -installkernel() { - return 0 -} diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh deleted file mode 100755 index f0a7e0a..0000000 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh - -DRACUT_QUIET=no - -ram_wipe_check_needshutdown() { - local kernel_wiperam_setting - kernel_wiperam_setting=$(getarg wiperam) - - if [ "$kernel_wiperam_setting" = "skip" ]; then - warn "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK." - return 0 - fi - - if [ "$kernel_wiperam_setting" = "force" ]; then - warn "wipe-ram-needshutdown.sh: wiperam=force detected, OK." - else - detect_virt_output="$(systemd-detect-virt 2>&1)" - detect_virt_exit_code="$?" - warn "wipe-ram-needshutdown.sh: detect_virt_output: '$detect_virt_output'" - warn "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'" - if [ "$detect_virt_exit_code" = "0" ]; then - warn "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK." - return 0 - fi - warn "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK." - fi - - warn "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK." - need_shutdown - - return 0 -} - -ram_wipe_check_needshutdown diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh deleted file mode 100755 index fe2aa03..0000000 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -## Credits: -## First version by @friedy10. -## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh - -DRACUT_QUIET=no - -drop_caches() { - sync - ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook - ### Ensure any remaining disk cache is erased by Linux' memory poisoning - echo 3 > /proc/sys/vm/drop_caches - sync -} - -ram_wipe() { - local kernel_wiperam_setting - ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. - kernel_wiperam_setting=$(getarg wiperam) - - if [ "$kernel_wiperam_setting" = "skip" ]; then - warn "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." - return 0 - fi - - if [ "$kernel_wiperam_setting" = "force" ]; then - warn "wipe-ram.sh: wiperam=force detected, OK." - else - if systemd-detect-virt &>/dev/null ; then - warn "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." - return 0 - fi - fi - - kernel_wiperamexit_setting=$(getarg wiperamexit) - if [ "$kernel_wiperamexit_setting" = "yes" ]; then - warn "wipe-ram.sh: Skip, because wiperamexit=yes to avoid RAM wipe reboot loop." - return 0 - fi - - warn "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." - - drop_caches - - ## TODO: sdmem settings. One pass only. Secure? Configurable? - ## TODO: > /dev/kmsg 2> /dev/kmsg - sdmem -l -l -v - - drop_caches - - warn "wipe-ram.sh: RAM wipe completed, OK." - - ## In theory might be better to check this beforehand, but the test is - ## really fast. The user has no chance of reading the console output - ## without introducing an artificial delay because the sdmem which runs - ## after this, results in much more console output. 
- warn "wipe-ram.sh: Checking if there are still mounted encrypted disks..." - - local dmsetup_actual_output dmsetup_expected_output - dmsetup_actual_output="$(dmsetup ls --target crypt)" - dmsetup_expected_output="No devices found" - - if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - warn "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." - else - ## dracut should unmount the root encrypted disk cryptsetup luksClose during shutdown - ## https://github.com/dracutdevs/dracut/issues/1888 - warn "\ -wipe-ram.sh: There are still mounted encrypted disks! RAM wipe incomplete! - -debugging information: -dmsetup_expected_output: '$dmsetup_expected_output' -dmsetup_actual_output: '$dmsetup_actual_output'" - ## How else could the user be informed that something is wrong? - sleep 5 - fi - - warn "wipe-ram.sh: Now running 'kexec --exec'..." - if kexec --exec ; then - warn "wipe-ram.sh: 'kexec --exec' succeeded." - return 0 - fi - - warn "wipe-ram.sh: 'kexec --exec' failed!" - sleep 5 -} - -ram_wipe diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare deleted file mode 100755 index 8f8b76f..0000000 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyright (C) 2023 - 2023 Friedrich Doku -## See the file COPYING for copying conditions. - -#set -x -set -e - -## provided by helper-scripts -kernel=$(kernel-file-detect) -initrd=$(initrd-file-detect) - -if systemctl list-jobs --no-legend | grep "poweroff.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="poweroff" -elif systemctl list-jobs --no-legend | grep "reboot.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="reboot" -elif systemctl list-jobs --no-legend | grep "halt.target" | grep -q "start"; then - wiperamexit="yes" - wiperamaction="halt" -else - ## Could be kexec.target. - ## Could be run during package installation. - echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping 'kexec --load', ok." - exit 0 -fi - -echo "INFO: wiperamaction: $wiperamaction" - -## Debugging. -echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" - -kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction" - -echo "OK." From a4820086508a64156aa222d61d5f0f88bf56fb3e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Jan 2023 07:05:53 -0500 Subject: [PATCH 0752/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 38a691b..454303e 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 +Author: Patrick Schleizer +Date: Tue Jan 24 06:34:17 2023 -0500 + + move ram-wipe scripts to dedicated ram-wipe package + +commit 11d0bb2c006eb7add5f9b0e70a199098972af25e +Author: Patrick Schleizer +Date: Mon Jan 9 07:05:18 2023 -0500 + + bumped changelog version + commit c50665218776733919845044b39466c57117542d Author: Patrick Schleizer Date: Mon Jan 9 07:05:06 2023 -0500 diff --git a/debian/changelog b/debian/changelog index cd6195c..59c2c40 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Jan 2023 12:05:53 +0000 + security-misc (3:28.0-1) unstable; urgency=medium * New upstream version (local package). From b87d9eb86544a7f06772a0db803711b49ec3f554 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Jan 2023 07:08:13 -0500 Subject: [PATCH 0753/1650] lintian --- usr/share/lintian/overrides/security-misc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 52893f0..2f70119 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -9,7 +9,3 @@ security-misc: no-manual-page usr/bin/pkexec.security-misc ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder - -## This is how dracut is still implemented. -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/10ram-wipe-exit/* -security-misc: executable-in-usr-lib usr/lib/dracut/modules.d/40cold-boot-attack-defense/* From 56c7c57b3a3929f57c9173f9156b2b9f7f7f854e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 24 Jan 2023 07:09:40 -0500 Subject: [PATCH 0754/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 454303e..f7de745 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b87d9eb86544a7f06772a0db803711b49ec3f554 +Author: Patrick Schleizer +Date: Tue Jan 24 07:08:13 2023 -0500 + + lintian + +commit a4820086508a64156aa222d61d5f0f88bf56fb3e +Author: Patrick Schleizer +Date: Tue Jan 24 07:05:53 2023 -0500 + + bumped changelog version + commit 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 Author: Patrick Schleizer Date: Tue Jan 24 06:34:17 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 59c2c40..de7ce6e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Jan 2023 12:09:40 +0000 + security-misc (3:28.1-1) unstable; urgency=medium * New upstream version (local package). From 65c29f493b56798bc67de7ea451f8f65d99d3093 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Jan 2023 15:13:19 -0500 Subject: [PATCH 0755/1650] move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` so ram-wipe can `config-package-dev` `hide` this config file --- etc/sysctl.d/30_security-misc.conf | 9 --------- etc/sysctl.d/30_security-misc_kexec-disable.conf | 10 ++++++++++ 2 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 etc/sysctl.d/30_security-misc_kexec-disable.conf diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 3862e1d..e5d1176 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -30,15 +30,6 @@ fs.protected_hardlinks=1
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
-## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-##
-## kexec_load_disabled:
-##
-## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
-
-## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
-
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
 ##
diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf
new file mode 100644
index 0000000..954a947
--- /dev/null
+++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+##
+## kexec_load_disabled:
+##
+## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
From 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 25 Jan 2023 15:20:30 -0500
Subject: [PATCH 0756/1650] comment
---
 etc/sysctl.d/30_security-misc_kexec-disable.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf
index 954a947..39091e9 100644
--- a/etc/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf
@@ -8,3 +8,9 @@
 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
 ## Disables kexec which can be used to replace the running kernel.
 kernel.kexec_load_disabled=1
+
+## Why is this in a dedicated config file?
+## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
+## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
+## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
+## it cannot be undone without reboot. This is a upstream Linux security feature.
From 1137e6c9104565b8f7546a9a5450ec2c2330efb7 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 30 Jan 2023 05:58:47 -0500
Subject: [PATCH 0757/1650] bumped changelog version
---
 changelog.upstream | 20 ++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 26 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index f7de745..59ef174 100644
--- a/changelog.upstream
+++ b/changelog.upstream
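Review bot: The added rationale explains why this file is separate but not what hiding it costs: with the file hidden, nothing visible sets `kernel.kexec_load_disabled`, so the kernel default of 0 quoted earlier in the same file applies and kexec_load stays enabled for the whole system, not only for ram-wipe's own use (unless some other sysctl fragment sets it, which the hunk cannot show). Consider stating that trade-off on a following comment line, e.g. `## Hiding this file therefore leaves kexec_load enabled system-wide; ram-wipe trades this hardening for its own kexec use.`. A small wording fix on the last added line: `## it cannot be undone without reboot. This is an upstream Linux security feature.`.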
@@ -1,3 +1,23 @@
+commit 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47
+Author: Patrick Schleizer
+Date: Wed Jan 25 15:20:30 2023 -0500
+
+ comment
+
+commit 65c29f493b56798bc67de7ea451f8f65d99d3093
+Author: Patrick Schleizer
+Date: Wed Jan 25 15:13:19 2023 -0500
+
+ move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf`
+
+ so ram-wipe can `config-package-dev` `hide` this config file
+
+commit 56c7c57b3a3929f57c9173f9156b2b9f7f7f854e
+Author: Patrick Schleizer
+Date: Tue Jan 24 07:09:40 2023 -0500
+
+ bumped changelog version
+
 commit b87d9eb86544a7f06772a0db803711b49ec3f554
 Author: Patrick Schleizer
 Date: Tue Jan 24 07:08:13 2023 -0500
diff --git a/debian/changelog b/debian/changelog
index de7ce6e..822bd28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:28.3-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 30 Jan 2023 10:58:47 +0000
+
 security-misc (3:28.2-1) unstable; urgency=medium
 * New upstream version (local package).
From 7a4212dd76c866e1db4dd4875e51c0d49bb3574d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 30 Mar 2023 17:08:47 +1100
Subject: [PATCH 0758/1650] Update copyright
---
 COPYING | 2 +-
 bin/disabled-bluetooth-by-security-misc | 2 +-
 bin/disabled-cdrom-by-security-misc | 2 +-
 bin/disabled-filesys-by-security-misc | 2 +-
 bin/disabled-firewire-by-security-misc | 2 +-
 bin/disabled-intelme-by-security-misc | 2 +-
 bin/disabled-msr-by-security-misc | 2 +-
 bin/disabled-netfilesys-by-security-misc | 2 +-
 bin/disabled-network-by-security-misc | 2 +-
 bin/disabled-thunderbolt-by-security-misc | 2 +-
 bin/disabled-vivid-by-security-misc | 2 +-
 debian/control | 2 +-
 debian/copyright | 2 +-
 debian/make-helper-overrides.bsh | 2 +-
 debian/rules | 2 +-
 debian/security-misc.displace | 2 +-
 debian/security-misc.install | 2 +-
 debian/security-misc.maintscript | 2 +-
 debian/security-misc.postinst | 2 +-
 debian/security-misc.postrm | 2 +-
 debian/security-misc.preinst | 2 +-
 debian/security-misc.prerm | 2 +-
 debian/security-misc.triggers | 2 +-
 debian/security-misc.undisplace | 2 +-
 debian/watch | 2 +-
 etc/X11/Xsession.d/50panic_on_oops | 2 +-
 etc/X11/Xsession.d/50security-misc | 2 +-
 etc/apparmor.d/tunables/home.d/security-misc | 2 +-
 etc/apt/apt.conf.d/40error-on-any | 2 +-
 etc/apt/apt.conf.d/40sandbox | 2 +-
 etc/default/grub.d/40_cpu_mitigations.cfg | 2 +-
 etc/default/grub.d/40_distrust_bootloader.cfg | 2 +-
 etc/default/grub.d/40_distrust_cpu.cfg | 2 +-
 etc/default/grub.d/40_enable_iommu.cfg | 2 +-
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 etc/default/grub.d/41_quiet.cfg | 2 +-
 etc/hide-hardware-info.d/30_default.conf | 2 +-
 etc/initramfs-tools/hooks/sysctl-initramfs | 2 +-
 etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +-
 etc/kernel/postinst.d/30_remove-system-map | 2 +-
 etc/modprobe.d/30_security-misc.conf | 2 +-
 etc/permission-hardening.d/25_default_passwd.conf | 2 +-
 etc/permission-hardening.d/25_default_sudo.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf | 2 +-
etc/permission-hardening.d/25_default_whitelist_chromium.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_dbus.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_firejail.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_fuse.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_mount.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_policykit.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_qubes.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_selinux.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_spice.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_sudo.conf | 2 +-
 .../25_default_whitelist_unix_chkpwd.conf | 2 +-
 etc/permission-hardening.d/25_default_whitelist_virtualbox.conf | 2 +-
 etc/permission-hardening.d/30_default.conf | 2 +-
 etc/security/access-security-misc.conf | 2 +-
 etc/security/limits.d/30_security-misc.conf | 2 +-
 etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +-
 etc/sudoers.d/pkexec-security-misc | 2 +-
 etc/sudoers.d/security-misc | 2 +-
 etc/sudoers.d/xfce-security-misc | 2 +-
 etc/sysctl.d/30_security-misc.conf | 2 +-
 etc/sysctl.d/30_security-misc_kexec-disable.conf | 2 +-
 etc/sysctl.d/30_silent-kernel-printk.conf | 2 +-
 etc/thunderbird/pref/40_security-mic.js | 2 +-
 lib/systemd/system-preset/50-security-misc.preset | 2 +-
 lib/systemd/system/haveged.service.d/30_security-misc.conf | 2 +-
 lib/systemd/system/hide-hardware-info.service | 2 +-
 lib/systemd/system/permission-hardening.service | 2 +-
 lib/systemd/system/proc-hidepid.service | 2 +-
 lib/systemd/system/remount-secure.service | 2 +-
 lib/systemd/system/remove-system-map.service | 2 +-
 usr/bin/pkexec.security-misc | 2 +-
 usr/lib/modules-load.d/30_security-misc.conf | 2 +-
 usr/libexec/security-misc/apt-get-update | 2 +-
 usr/libexec/security-misc/apt-get-update-sanity-test | 2 +-
 usr/libexec/security-misc/askpass | 2 +-
 usr/libexec/security-misc/echo-path | 2 +-
usr/libexec/security-misc/hide-hardware-info | 2 +-
 usr/libexec/security-misc/pam-abort-on-locked-password | 2 +-
 usr/libexec/security-misc/pam-info | 2 +-
 usr/libexec/security-misc/pam_faillock_not_if_x | 2 +-
 usr/libexec/security-misc/pam_only_if_login | 2 +-
 usr/libexec/security-misc/panic-on-oops | 2 +-
 usr/libexec/security-misc/permission-hardening | 2 +-
 usr/libexec/security-misc/permission-hardening-undo | 2 +-
 usr/libexec/security-misc/permission-lockdown | 2 +-
 usr/libexec/security-misc/remount-secure | 2 +-
 usr/libexec/security-misc/remove-system.map | 2 +-
 usr/libexec/security-misc/virusforget | 2 +-
 usr/share/lintian/overrides/security-misc | 2 +-
 usr/share/security-misc/dolphinrc | 2 +-
 usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +-
 usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +-
 96 files changed, 96 insertions(+), 96 deletions(-)
diff --git a/COPYING b/COPYING
index 50fd69c..4d66db5 100644
--- a/COPYING
+++ b/COPYING
@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Files: *
-Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP
+Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP
 License: GPL-3+-with-additional-terms-1
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/bin/disabled-bluetooth-by-security-misc b/bin/disabled-bluetooth-by-security-misc
index e708783..55b1e63 100755
--- a/bin/disabled-bluetooth-by-security-misc
+++ b/bin/disabled-bluetooth-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-cdrom-by-security-misc b/bin/disabled-cdrom-by-security-misc
index 5057e32..9efd765 100755
--- a/bin/disabled-cdrom-by-security-misc
+++ b/bin/disabled-cdrom-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-filesys-by-security-misc b/bin/disabled-filesys-by-security-misc
index 9050a8c..50dd638 100755
--- a/bin/disabled-filesys-by-security-misc
+++ b/bin/disabled-filesys-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-firewire-by-security-misc b/bin/disabled-firewire-by-security-misc
index 5aa44e3..ca04ab1 100755
--- a/bin/disabled-firewire-by-security-misc
+++ b/bin/disabled-firewire-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-intelme-by-security-misc b/bin/disabled-intelme-by-security-misc
index 9c8c96c..108cc81 100755
--- a/bin/disabled-intelme-by-security-misc
+++ b/bin/disabled-intelme-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-msr-by-security-misc b/bin/disabled-msr-by-security-misc
index 3cf3937..2c5e6e1 100755
--- a/bin/disabled-msr-by-security-misc
+++ b/bin/disabled-msr-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-netfilesys-by-security-misc b/bin/disabled-netfilesys-by-security-misc
index 0dc5672..5c15b39 100755
--- a/bin/disabled-netfilesys-by-security-misc
+++ b/bin/disabled-netfilesys-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-network-by-security-misc b/bin/disabled-network-by-security-misc
index 7cb3041..d2ae58c 100755
--- a/bin/disabled-network-by-security-misc
+++ b/bin/disabled-network-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-thunderbolt-by-security-misc b/bin/disabled-thunderbolt-by-security-misc
index bfb52e1..e086d4a 100755
--- a/bin/disabled-thunderbolt-by-security-misc
+++ b/bin/disabled-thunderbolt-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/bin/disabled-vivid-by-security-misc b/bin/disabled-vivid-by-security-misc
index 45c14bd..ed1487f 100755
--- a/bin/disabled-vivid-by-security-misc
+++ b/bin/disabled-vivid-by-security-misc
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
diff --git a/debian/control b/debian/control
index cff197e..7a95366 100644
--- a/debian/control
+++ b/debian/control
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 Source: security-misc
diff --git a/debian/copyright b/debian/copyright
index 50fd69c..4d66db5 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Files: *
-Copyright: 2012 - 2022 ENCRYPTED SUPPORT LP
+Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP
 License: GPL-3+-with-additional-terms-1
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh
index a3c0434..c43ca87 100755
--- a/debian/make-helper-overrides.bsh
+++ b/debian/make-helper-overrides.bsh
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
diff --git a/debian/rules b/debian/rules
index 640ff5c..a1570ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 #export DH_VERBOSE=1
diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index f450715..54c5862 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 /etc/securetty.security-misc
diff --git a/debian/security-misc.install b/debian/security-misc.install
index 0d542c6..126a525 100644
--- a/debian/security-misc.install
+++ b/debian/security-misc.install
@@ -1,4 +1,4 @@
-## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## This file was generated using 'genmkfile debinstfile'.
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 3ad5230..4be0d9a 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 rm_conffile /etc/sudoers.d/umask-security-misc
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 7518c0a..ff5643e 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm
index c5262bf..ba7563b 100644
--- a/debian/security-misc.postrm
+++ b/debian/security-misc.postrm
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 67eeb24..43f8e2c 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm
index adbe7ab..78d5f3a 100644
--- a/debian/security-misc.prerm
+++ b/debian/security-misc.prerm
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index 157a9e6..a53a0f8 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 #### meta start
diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace
index e2f7f80..0b23381 100644
--- a/debian/security-misc.undisplace
+++ b/debian/security-misc.undisplace
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 /etc/login.defs.security-misc
diff --git a/debian/watch b/debian/watch
index 086770e..4a80d35 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 version=4
diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops
index 4ebd17e..79646cb 100755
--- a/etc/X11/Xsession.d/50panic_on_oops
+++ b/etc/X11/Xsession.d/50panic_on_oops
@@ -1,6 +1,6 @@
 #!/bin/sh
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc
index 561cc30..0d8efce 100755
--- a/etc/X11/Xsession.d/50security-misc
+++ b/etc/X11/Xsession.d/50security-misc
@@ -1,6 +1,6 @@
 #!/bin/sh
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if [ -z "$XDG_CONFIG_DIRS" ]; then
diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc
index 5db8ba0..b1aad3d 100644
--- a/etc/apparmor.d/tunables/home.d/security-misc
+++ b/etc/apparmor.d/tunables/home.d/security-misc
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,
diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any
index e23b155..fbde1db 100644
--- a/etc/apt/apt.conf.d/40error-on-any
+++ b/etc/apt/apt.conf.d/40error-on-any
@@ -1,4 +1,4 @@
-## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Make "sudo apt-get update" exit non-zero for transient failures.
diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox
index 7a6d44b..eb7ef7a 100644
--- a/etc/apt/apt.conf.d/40sandbox
+++ b/etc/apt/apt.conf.d/40sandbox
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index a54de29..1351206 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Enables all known mitigations for CPU vulnerabilities.
diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg
index 2174db2..36ce183 100644
--- a/etc/default/grub.d/40_distrust_bootloader.cfg
+++ b/etc/default/grub.d/40_distrust_bootloader.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Distrusts the bootloader for initial entropy at boot.
diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg
index 5910d55..107b717 100644
--- a/etc/default/grub.d/40_distrust_cpu.cfg
+++ b/etc/default/grub.d/40_distrust_cpu.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Distrusts the CPU for initial entropy at boot as it is not possible to
diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index 8d395d2..579ccca 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Enables IOMMU to prevent DMA attacks.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 30dd19a..b673d6d 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 kpkg="linux-image-$(dpkg --print-architecture)" || true
diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg
index b557478..b863029 100644
--- a/etc/default/grub.d/41_quiet.cfg
+++ b/etc/default/grub.d/41_quiet.cfg
@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Prevent kernel info leaks in console during boot.
diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf
index a9931c3..df6952e 100644
--- a/etc/hide-hardware-info.d/30_default.conf
+++ b/etc/hide-hardware-info.d/30_default.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Disable the /sys whitelist.
diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs
index 9732633..f1e3589 100755
--- a/etc/initramfs-tools/hooks/sysctl-initramfs
+++ b/etc/initramfs-tools/hooks/sysctl-initramfs
@@ -1,6 +1,6 @@
 #!/bin/sh
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 set -e
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
index 88c632d..d932fc1 100755
--- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
+++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs
@@ -1,6 +1,6 @@
 #!/bin/sh
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 PREREQ=""
diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map
index 49e995c..14ac9b6 100755
--- a/etc/kernel/postinst.d/30_remove-system-map
+++ b/etc/kernel/postinst.d/30_remove-system-map
@@ -1,6 +1,6 @@
 #!/bin/bash
-## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 if test -x /usr/libexec/security-misc/remove-system.map ; then
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 0b3a84a..128ab9c 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## See the following links for a community discussion and overview regarding the selections
diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardening.d/25_default_passwd.conf
index 19c2a4d..32fd72e 100644
--- a/etc/permission-hardening.d/25_default_passwd.conf
+++ b/etc/permission-hardening.d/25_default_passwd.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf
index 16cfa2b..67be9ac 100644
--- a/etc/permission-hardening.d/25_default_sudo.conf
+++ b/etc/permission-hardening.d/25_default_sudo.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
index ceb0994..2ffc8c2 100644
--- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+++ b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf
index b831db3..1bd3206 100644
--- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf
+++ b/etc/permission-hardening.d/25_default_whitelist_chromium.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf
index 66ffd7d..e1325ff 100644
--- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf
+++ b/etc/permission-hardening.d/25_default_whitelist_dbus.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 ## Please use "/etc/permission-hardening.d/20_user.conf" or
diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf
index 99fa4ee..99608df 100644
--- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf
+++ b/etc/permission-hardening.d/25_default_whitelist_firejail.conf
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf index 7f4dfbb..1293214 100644 --- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardening.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf index 47bb42b..1557318 100644 --- a/etc/permission-hardening.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardening.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf index 3c8a0a4..fb4fa86 100644 --- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardening.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf index ad359d6..bb6e951 100644 
--- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardening.d/25_default_whitelist_qubes.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf index f643342..f0464b9 100644 --- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardening.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf index 658a342..1ed1ed2 100644 --- a/etc/permission-hardening.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardening.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf index 531d922..07051dd 100644 --- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardening.d/25_default_whitelist_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or 
diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf index e4597bd..c086dab 100644 --- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf index 1f77896..fc2369e 100644 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index a879a4c..e0d310d 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index eefa505..248335c 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: 
diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index e37374d..bbbe31d 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index ff6a739..fa9d01d 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index 061cf75..db5f32f 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 96b9b92..4256683 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc index 9bf8083..4e04020 100644 --- a/etc/sudoers.d/xfce-security-misc +++ b/etc/sudoers.d/xfce-security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index e5d1176..5c6cc1a 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf index 39091e9..5cca304 100644 --- a/etc/sysctl.d/30_security-misc_kexec-disable.conf +++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf index e2fecc5..e99f0b5 100644 --- a/etc/sysctl.d/30_silent-kernel-printk.conf +++ b/etc/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js index 29c1e52..5d849ea 100644 --- a/etc/thunderbird/pref/40_security-mic.js +++ b/etc/thunderbird/pref/40_security-mic.js 
@@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP //#### See the file COPYING for copying conditions. //#### meta start diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 6a277b9..be35459 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/lib/systemd/system/haveged.service.d/30_security-misc.conf index d3faa5b..fd79dc8 100644 --- a/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index 13fb16c..d1e02fd 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index f925bac..4987d02 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index 59744ff..8d4d207 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index e8a9aa3..2e08b65 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index e8a52ea..1675c77 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index 10c91db..cb57c9a 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 986d390..072c9b0 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf 
+++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 504ec62..39afd9c 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. sigterm_trap() { diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index d0d34ca..d71e680 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 5f7bd34..73f7d40 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index e42dfda..9231d85 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 6719b37..b55441f 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 780f741..8e2a575 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 381bedc..de6a3e0 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable debug log, run: diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 1c9cf8d..3fcf10f 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files 
diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index feb397b..11f56d4 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index b9d6e37..20365df 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 1a1e13a..16df8d0 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/usr/libexec/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo index 57d0b7a..981a2a6 100755 --- a/usr/libexec/security-misc/permission-hardening-undo +++ b/usr/libexec/security-misc/permission-hardening-undo @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #set -x diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 19e66b8..615bf6c 100755 
--- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index e76b66c..57a26ca 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## noexec in /tmp and/or /home can break some malware but also legitimate diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index 5ef6e04..a541222 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 84fa48f..785d026 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 2f70119..ba9a440 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 12cdd99..0d4b739 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index be05ab0..1336b2c 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index c600617..022d2dc 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2022 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x From ed5f8be9ebd4f34c8b8de78abe0a8df0775b80aa Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 30 Mar 2023 19:17:43 +1100 Subject: [PATCH 0759/1650] Remove outdated comment about SACK, DSACK, and FACK --- etc/sysctl.d/30_security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index e5d1176..37524fb 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -101,7 +101,7 @@ net.ipv4.conf.all.rp_filter=1
 #### meta end
-## Disables SACK as it is commonly exploited and likely not needed.
+## Previously disabled SACK, DSACK, and FACK.
 ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
 #net.ipv4.tcp_sack=0
 #net.ipv4.tcp_dsack=0
From 61f63255acdf942e52af35d7f6d1c271a671e6f7 Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Fri, 24 Mar 2023 12:32:58 +0000
Subject: [PATCH 0760/1650] vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
---
 debian/security-misc.postinst | 3 ++
 debian/security-misc.postrm | 2 +
 debian/security-misc.triggers | 3 ++
 etc/sysctl.d/30_security-misc.conf | 4 --
 usr/libexec/security-misc/mmap-rnd-bits | 50 +++++++++++++++++++++++++
 5 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100755 usr/libexec/security-misc/mmap-rnd-bits
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index ff5643e..92f6882 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -32,6 +32,7 @@ case "$1" in
 triggered)
 echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
 /usr/share/security-misc/lkrg/lkrg-virtualbox || true
+ /usr/libexec/security-misc/mmap-rnd-bits
 exit 0
 ;;
@@ -57,6 +58,8 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
+/usr/libexec/security-misc/mmap-rnd-bits
+
 true "INFO: debhelper beginning here."
 #DEBHELPER#
diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm
index ba7563b..c40721f 100644
--- a/debian/security-misc.postrm
+++ b/debian/security-misc.postrm
@@ -18,6 +18,8 @@ true "
 ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
+rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
 true "INFO: debhelper beginning here."
 #DEBHELPER#
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index a53a0f8..fb8476e 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -15,4 +15,7 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
+## vm.mmap_rnd_bits
+interest-noawait /boot
+
 #### meta end
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 564115b..162a9e3 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -36,10 +36,6 @@ net.core.bpf_jit_harden=2
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
-## Improves ASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
-
 ## Restricts the use of ptrace to root. This might break some programs running under WINE.
 ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
 ##
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
new file mode 100755
index 0000000..820dd15
--- /dev/null
+++ b/usr/libexec/security-misc/mmap-rnd-bits
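Review bot: `rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf` is unconditional within this hunk; if the postrm has no `case "$1"` around it (the surrounding structure is outside the hunk), it also runs on `upgrade`, `failed-upgrade` and `abort-*`, deleting the generated file on code paths where nothing is guaranteed to regenerate it, which would leave the system without the mmap randomisation sysctl that this same commit removes from the static conf. If that is the case, restrict it to the removal actions, `case "$1" in remove|purge) rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf ;; esac`, and add a one-line comment saying the file is generated by `/usr/libexec/security-misc/mmap-rnd-bits` so a later maintainer knows why postrm owns its cleanup.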
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s failglob
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## This script enforces the maximum ASLR hardening settings for mmap, given the
+## installed Linux config.
+
+## Defaults in case Linux config detection fails. These are likely to work fine
+## on x86_64, probably not elsewhere.
+BITS_MAX_DEFAULT=32
+COMPAT_BITS_MAX_DEFAULT=16
+
+## Find the most recently modified Linux config file.
+if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+then
+ ## Find the relevant config options.
+ if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+ then
+ echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
+ BITS_MAX="${BITS_MAX_DEFAULT}"
+ fi
+ if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+ then
+ echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
+ COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+ fi
+else
+ echo "Error detecting Linux config"
+ BITS_MAX="${BITS_MAX_DEFAULT}"
+ COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
+fi
+
+## Generate a sysctl.d conf file.
+SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## This file is automatically generated, do not edit!
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=${BITS_MAX}
+vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
+
+## Write the sysctl.d conf file.
+echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
+exit 0
From 2cf105700a98297f65026e43b435fe017a04ba07 Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Sat, 22 Apr 2023 04:08:20 +0000
Subject: [PATCH 0761/1650] postinst: Don't fail if mmap-rnd-bits fails
---
 debian/security-misc.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 92f6882..139fa7d 100644
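Review bot: `CONFIG=$(ls -1 -t /boot/config-* | head -n 1)` picks the config with the newest mtime, which is not necessarily the kernel that boots next (an older kernel kept as the bootloader default, a hand-touched file), and neither this script nor the follow-up commits on this page state that assumption. The consequence is benign but invisible: a `vm.mmap_rnd_bits` above the booting kernel's `CONFIG_ARCH_MMAP_RND_BITS_MAX` is refused by the kernel when the sysctl file is applied and the kernel keeps its current value, so the failure mode is a silently weaker ASLR setting rather than a boot error, and that deserves a comment on the `ls` line, e.g. `## Assumes the newest config belongs to the kernel that boots next; a value above that kernel's max is refused at sysctl load time and the kernel's built-in value stays.` The script also only writes the file and never applies it to the running kernel (there is no `sysctl --system` after the write), so the header comment should say the new values take effect on the next boot.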
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -32,7 +32,7 @@ case "$1" in
 triggered)
 echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
 /usr/share/security-misc/lkrg/lkrg-virtualbox || true
- /usr/libexec/security-misc/mmap-rnd-bits
+ /usr/libexec/security-misc/mmap-rnd-bits || true
 exit 0
 ;;
From 76ca8a27f94d89ed783b900257934c0749e631ce Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Sat, 22 Apr 2023 04:29:14 +0000
Subject: [PATCH 0762/1650] mmap-rnd-bits: Handle missing kernel config file
---
 usr/libexec/security-misc/mmap-rnd-bits | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
index 820dd15..0ed4d1a 100755
--- a/usr/libexec/security-misc/mmap-rnd-bits
+++ b/usr/libexec/security-misc/mmap-rnd-bits
@@ -15,7 +15,7 @@ BITS_MAX_DEFAULT=32
 COMPAT_BITS_MAX_DEFAULT=16
 ## Find the most recently modified Linux config file.
-if CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
+if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
 then
 ## Find the relevant config options.
 if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
From 434cfb427f739258bd3280ce148cdbe85c800f8a Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Sat, 22 Apr 2023 04:36:05 +0000
Subject: [PATCH 0763/1650] mmap-rnd-bits: Check that configs are valid integers
---
 usr/libexec/security-misc/mmap-rnd-bits | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
index 0ed4d1a..88817a1 100755
--- a/usr/libexec/security-misc/mmap-rnd-bits
+++ b/usr/libexec/security-misc/mmap-rnd-bits
@@ -18,12 +18,12 @@ COMPAT_BITS_MAX_DEFAULT=16
 if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
 then
 ## Find the relevant config options.
- if ! BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+ if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
 then
 echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX"
 BITS_MAX="${BITS_MAX_DEFAULT}"
 fi
- if ! COMPAT_BITS_MAX=$(grep "CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" "${CONFIG}" | cut -d "=" -f 2)
+ if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2)
 then
 echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX"
 COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}"
From 48a68ba237895c0c6c24ebd256ae6a9adec2628f Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Sat, 22 Apr 2023 04:43:41 +0000
Subject: [PATCH 0764/1650] mmap-rnd-bits: Handle unwritable /etc/sysctl.d/
---
 usr/libexec/security-misc/mmap-rnd-bits | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
index 88817a1..edb0fb7 100755
--- a/usr/libexec/security-misc/mmap-rnd-bits
+++ b/usr/libexec/security-misc/mmap-rnd-bits
@@ -45,6 +45,9 @@ vm.mmap_rnd_bits=${BITS_MAX}
 vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}"
 ## Write the sysctl.d conf file.
-echo "${SYSCTL}" > /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null
+then
+ echo "Error writing ASLR map config"
+fi
 exit 0
From d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 5 May 2023 14:44:29 +0000
Subject: [PATCH 0765/1650] minor mmap-rnd-bits improvements
---
 debian/security-misc.postinst | 2 +-
 debian/security-misc.triggers | 4 +++
 usr/libexec/security-misc/mmap-rnd-bits | 33 ++++++++++++-------------
 3 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 139fa7d..d00d8cf 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -58,7 +58,7 @@ you should fix running 'update-grub', otherwise your system might no longer \
 boot." >&2
 fi
-/usr/libexec/security-misc/mmap-rnd-bits
+/usr/libexec/security-misc/mmap-rnd-bits || true
 true "INFO: debhelper beginning here."
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers
index fb8476e..5dc870f 100644
--- a/debian/security-misc.triggers
+++ b/debian/security-misc.triggers
@@ -15,6 +15,10 @@ activate-noawait update-initramfs
 ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
 interest-noawait /usr/bin/vboxmanage
+## /usr/libexec/security-misc/mmap-rnd-bits
+## auto generates:
+## /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+## sets:
 ## vm.mmap_rnd_bits
 interest-noawait /boot
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits
index edb0fb7..e356884 100755
--- a/usr/libexec/security-misc/mmap-rnd-bits
+++ b/usr/libexec/security-misc/mmap-rnd-bits
@@ -1,41 +1,39 @@ #!/usr/bin/env bash -set -euo pipefail -shopt -s failglob - ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the ## installed Linux config. +set -euo pipefail +shopt -s failglob + ## Defaults in case Linux config detection fails. These are likely to work fine ## on x86_64, probably not elsewhere. BITS_MAX_DEFAULT=32 COMPAT_BITS_MAX_DEFAULT=16 ## Find the most recently modified Linux config file. -if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) -then +if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then ## Find the relevant config options. - if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) - then - echo "Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX" + if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" fi - if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) - then - echo "Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX" + if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi else - echo "Error detecting Linux config" + echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi ## Generate a sysctl.d conf file. 
-SYSCTL="## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +SYSCTL="\ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file is automatically generated, do not edit! @@ -45,9 +43,10 @@ vm.mmap_rnd_bits=${BITS_MAX} vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" ## Write the sysctl.d conf file. -if ! echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null -then - echo "Error writing ASLR map config" +if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null ; then + exit 0 fi -exit 0 +echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2 + +exit 1 From 89168ef40ce713b27974e4e38f6e3e63646d78bc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 14:49:56 +0000 Subject: [PATCH 0766/1650] minor mmap-rnd-bits improvements --- usr/libexec/security-misc/mmap-rnd-bits | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index e356884..e142281 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -9,6 +9,23 @@ set -euo pipefail shopt -s failglob +exit_with_error() { + echo "$0: SEE ALSO:" >&2 + echo "" >&2 + echo "https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" >&2 + exit 1 +} + +if ! test -d /etc/sysctl.d ; then + echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 + exit_with_error +fi + +if ! test -w /etc/sysctl.d/30_security-misc_aslr-mmap.conf ; then + echo "$0: ERROR: File /etc/sysctl.d/30_security-misc_aslr-mmap.conf not writeable! This script is supposed to be run as root." >&2 + exit_with_error +fi + ## Defaults in case Linux config detection fails. These are likely to work fine ## on x86_64, probably not elsewhere. BITS_MAX_DEFAULT=32 
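Review bot: The kernel config is still selected by modification time (`CONFIG=$(ls -1 -t /boot/config-* | head -n 1)`, carried over unchanged in this hunk), which is not necessarily the config of the kernel that will boot next — for example when an older kernel is reinstalled or several are installed and the user boots a different one. Since vm.mmap_rnd_bits is bounded by the running kernel's CONFIG_ARCH_MMAP_RND_BITS_MAX, a value taken from the wrong config would presumably be rejected by sysctl at boot and the hardening silently not applied. Preferring `/boot/config-$(uname -r)` when it is readable, and only falling back to the newest file otherwise (inside a chroot `uname -r` reports the host kernel, so the fallback remains necessary), ties the generated value to the booted kernel in the common case; the `/boot` trigger added in this series still re-runs the script on kernel installs.
```shell
## Prefer the running kernel's config; fall back to the newest one
## (inside a chroot uname -r reports the host kernel, so it may not exist).
CONFIG="/boot/config-$(uname -r)"
if ! test -r "$CONFIG" && compgen -G "/boot/config-*" > /dev/null ; then
  CONFIG=$(ls -1 -t /boot/config-* | head -n 1)
fi
if test -r "${CONFIG}" ; then
  ## … unchanged: grep the two CONFIG_ARCH_MMAP_RND_*_BITS_MAX values …
else
  ## … unchanged: built-in defaults …
fi
```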
@@ -48,5 +65,4 @@ if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/n fi echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2 - -exit 1 +exit_with_error From 9184e6bb921a9c7356e8d2c7216a1da91f963304 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 14:51:19 +0000 Subject: [PATCH 0767/1650] fix --- usr/libexec/security-misc/mmap-rnd-bits | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index e142281..76860e8 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -21,8 +21,8 @@ if ! test -d /etc/sysctl.d ; then exit_with_error fi -if ! test -w /etc/sysctl.d/30_security-misc_aslr-mmap.conf ; then - echo "$0: ERROR: File /etc/sysctl.d/30_security-misc_aslr-mmap.conf not writeable! This script is supposed to be run as root." >&2 +if ! test -w /etc/sysctl.d ; then + echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 exit_with_error fi From a8e4121befe19bb7d2f74582655a14bded23a37d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 14:52:07 +0000 Subject: [PATCH 0768/1650] minor mmap-rnd-bits improvements --- usr/libexec/security-misc/mmap-rnd-bits | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 76860e8..727847b 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -53,7 +53,9 @@ SYSCTL="\ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## This file is automatically generated, do not edit! +## This file is automatically generated by: +## $0 +## Do not edit! ## Improves ASLR effectiveness for mmap. vm.mmap_rnd_bits=${BITS_MAX} 
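Review bot: In the last hunk of this line (`## This file is automatically generated by:` / `## $0`), `$0` records however the script happened to be invoked, so the generated header may read `./mmap-rnd-bits` or a symlink path rather than the installed location, which is the one a reader of /etc/sysctl.d would want to find. Since the script lives at a fixed path, writing the literal `## /usr/libexec/security-misc/mmap-rnd-bits` (or `## $(readlink -f "$0")` if the path must stay dynamic) gives a stable, greppable pointer. This is a wording point only; the content is root-generated, not user-controlled.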
From f4fd0f90120e8983b37bc5822cf98a215d25990e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 14:53:07 +0000 Subject: [PATCH 0769/1650] minor mmap-rnd-bits improvements --- usr/libexec/security-misc/mmap-rnd-bits | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 727847b..cea1367 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -9,10 +9,12 @@ set -euo pipefail shopt -s failglob +more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" + exit_with_error() { echo "$0: SEE ALSO:" >&2 echo "" >&2 - echo "https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" >&2 + echo "$more_info_link" >&2 exit 1 } @@ -56,6 +58,8 @@ SYSCTL="\ ## This file is automatically generated by: ## $0 ## Do not edit! +## See also: +## $more_info_link ## Improves ASLR effectiveness for mmap. vm.mmap_rnd_bits=${BITS_MAX} From 40e940ec58928049bb38b85d15beaead80740192 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 14:54:24 +0000 Subject: [PATCH 0770/1650] minor mmap-rnd-bits improvements --- usr/libexec/security-misc/mmap-rnd-bits | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index cea1367..b688b9e 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -5,6 +5,8 @@ ## This script enforces the maximum ASLR hardening settings for mmap, given the ## installed Linux config. +## See also: +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 set -euo pipefail shopt -s failglob From 3dc406f138ee3dc81b54db2c8c4b795fc6b7c9d5 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 5 May 2023 15:01:22 +0000 Subject: [PATCH 0771/1650] minor --- usr/libexec/security-misc/mmap-rnd-bits | 42 ++++++++++++------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index b688b9e..3ecfd3d 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -14,20 +14,20 @@ shopt -s failglob more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" exit_with_error() { - echo "$0: SEE ALSO:" >&2 - echo "" >&2 - echo "$more_info_link" >&2 - exit 1 + echo "$0: SEE ALSO:" >&2 + echo "" >&2 + echo "$more_info_link" >&2 + exit 1 } if ! test -d /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 - exit_with_error + echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 + exit_with_error fi if ! test -w /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 - exit_with_error + echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 + exit_with_error fi ## Defaults in case Linux config detection fails. These are likely to work fine 
@@ -37,19 +37,19 @@ COMPAT_BITS_MAX_DEFAULT=16 ## Find the most recently modified Linux config file. if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then - ## Find the relevant config options. - if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - fi - if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" - fi + ## Find the relevant config options. + if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 + BITS_MAX="${BITS_MAX_DEFAULT}" + fi + if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 + COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" + fi else - echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" + echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2 + BITS_MAX="${BITS_MAX_DEFAULT}" + COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi ## Generate a sysctl.d conf file. @@ -69,7 +69,7 @@ vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" ## Write the sysctl.d conf file. if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null ; then - exit 0 + exit 0 fi echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2 
From ec01c1a99630f44a73763b019a1bad6dc52bbf4e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 15:02:31 +0000 Subject: [PATCH 0772/1650] minor mmap-rnd-bits improvements --- usr/libexec/security-misc/mmap-rnd-bits | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 3ecfd3d..0fcd29c 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -47,7 +47,7 @@ if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi else - echo "$0: ERROR: Error detecting Linux config! Using built-in defaults." >&2 + echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'. Therefore using built-in defaults." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi From 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 May 2023 15:04:21 +0000 Subject: [PATCH 0773/1650] comment --- usr/libexec/security-misc/mmap-rnd-bits | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 0fcd29c..c62bf8c 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -47,6 +47,7 @@ if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi else + ## Could be a chroot. echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'. Therefore using built-in defaults." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" From b756314eb894dde4d017e0aec5876b56f0178de4 Mon Sep 17 00:00:00 2001 
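Review bot: The new comment `## Could be a chroot.` in the last hunk of this line explains when the branch is hit but not what happens to the x86_64-only defaults it writes, which the script's own header says are "probably not" right elsewhere. I would expand it to something like `## Could be a chroot (e.g. an image build) with no kernel installed yet. The defaults written below may be invalid on non-x86_64; the dpkg trigger on /boot (debian/security-misc.triggers) re-runs this script once a kernel is installed and regenerates the file from the real config.` — assuming that trigger does fire for the config file, which is what the trigger entry earlier in this series appears intended for. Without that note a maintainer may not realise the chroot output is meant to be transient.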
From: Patrick Schleizer Date: Fri, 5 May 2023 15:09:32 +0000 Subject: [PATCH 0774/1650] bumped changelog version --- changelog.upstream | 138 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 144 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 59ef174..c31c8b3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,141 @@ +commit 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 +Author: Patrick Schleizer +Date: Fri May 5 15:04:21 2023 +0000 + + comment + +commit ec01c1a99630f44a73763b019a1bad6dc52bbf4e +Author: Patrick Schleizer +Date: Fri May 5 15:02:31 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 3dc406f138ee3dc81b54db2c8c4b795fc6b7c9d5 +Author: Patrick Schleizer +Date: Fri May 5 15:01:22 2023 +0000 + + minor + +commit 40e940ec58928049bb38b85d15beaead80740192 +Author: Patrick Schleizer +Date: Fri May 5 14:54:24 2023 +0000 + + minor mmap-rnd-bits improvements + +commit f4fd0f90120e8983b37bc5822cf98a215d25990e +Author: Patrick Schleizer +Date: Fri May 5 14:53:07 2023 +0000 + + minor mmap-rnd-bits improvements + +commit a8e4121befe19bb7d2f74582655a14bded23a37d +Author: Patrick Schleizer +Date: Fri May 5 14:52:07 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 9184e6bb921a9c7356e8d2c7216a1da91f963304 +Author: Patrick Schleizer +Date: Fri May 5 14:51:19 2023 +0000 + + fix + +commit 89168ef40ce713b27974e4e38f6e3e63646d78bc +Author: Patrick Schleizer +Date: Fri May 5 14:49:56 2023 +0000 + + minor mmap-rnd-bits improvements + +commit d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 +Author: Patrick Schleizer +Date: Fri May 5 14:44:29 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 15d0ee100834e01e3f17ee179c3120f37eb3cae5 +Merge: 1137e6c 2d40bbc +Author: Patrick Schleizer +Date: Fri May 5 14:37:34 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 2d40bbc8fec7ceea47b64fdebc9e751b26e0cf27 +Merge: 5c6db28 48a68ba +Author: Patrick Schleizer +Date: Fri May 5 10:14:43 2023 -0400 + + Merge pull request #120 from JeremyRand/aslr-ppc64le + + vm.mmap_rnd_bits: Fix ppc64le + +commit 48a68ba237895c0c6c24ebd256ae6a9adec2628f +Author: Jeremy Rand +Date: Sat Apr 22 04:43:41 2023 +0000 + + mmap-rnd-bits: Handle unwritable /etc/sysctl.d/ + +commit 434cfb427f739258bd3280ce148cdbe85c800f8a +Author: Jeremy Rand +Date: Sat Apr 22 04:36:05 2023 
+0000 + + mmap-rnd-bits: Check that configs are valid integers + +commit 76ca8a27f94d89ed783b900257934c0749e631ce +Author: Jeremy Rand +Date: Sat Apr 22 04:29:14 2023 +0000 + + mmap-rnd-bits: Handle missing kernel config file + +commit 2cf105700a98297f65026e43b435fe017a04ba07 +Author: Jeremy Rand +Date: Sat Apr 22 04:08:20 2023 +0000 + + postinst: Don't fail if mmap-rnd-bits fails + +commit 61f63255acdf942e52af35d7f6d1c271a671e6f7 +Author: Jeremy Rand +Date: Fri Mar 24 12:32:58 2023 +0000 + + vm.mmap_rnd_bits: Fix ppc64le + + Probably fixes a bunch of other non-x86_64 arches too. + +commit 5c6db28881463e8c764872a8cd268c23ac64b8f1 +Merge: 8a34d6c ed5f8be +Author: Patrick Schleizer +Date: Fri Mar 31 04:52:55 2023 -0400 + + Merge pull request #122 from raja-grewal/tcp + + Remove outdated comment about SACK, DSACK, and FACK + +commit 8a34d6c067bdebc513f34cd3c434b0675f118e10 +Merge: 1137e6c 7a4212d +Author: Patrick Schleizer +Date: Fri Mar 31 04:52:18 2023 -0400 + + Merge pull request #121 from raja-grewal/copyright + + Update Copyright + +commit ed5f8be9ebd4f34c8b8de78abe0a8df0775b80aa +Author: Raja Grewal +Date: Thu Mar 30 19:17:43 2023 +1100 + + Remove outdated comment about SACK, DSACK, and FACK + +commit 7a4212dd76c866e1db4dd4875e51c0d49bb3574d +Author: Raja Grewal +Date: Thu Mar 30 17:08:47 2023 +1100 + + Update copyright + +commit 1137e6c9104565b8f7546a9a5450ec2c2330efb7 +Author: Patrick Schleizer +Date: Mon Jan 30 05:58:47 2023 -0500 + + bumped changelog version + commit 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 Author: Patrick Schleizer Date: Wed Jan 25 15:20:30 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 822bd28..2cd775b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 05 May 2023 15:09:32 +0000 + security-misc (3:28.3-1) unstable; urgency=medium * New upstream version (local package). 
From 2d465c624975cc2ca308878e0ef1508316d3316e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 May 2023 11:51:25 +0000 Subject: [PATCH 0775/1650] refactoring --- usr/libexec/security-misc/mmap-rnd-bits | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index c62bf8c..4dd5432 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -12,6 +12,7 @@ set -euo pipefail shopt -s failglob more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" +aslr_mmap_config_file="/etc/sysctl.d/30_security-misc_aslr-mmap.conf" exit_with_error() { echo "$0: SEE ALSO:" >&2 @@ -69,9 +70,9 @@ vm.mmap_rnd_bits=${BITS_MAX} vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" ## Write the sysctl.d conf file. -if echo "${SYSCTL}" | tee /etc/sysctl.d/30_security-misc_aslr-mmap.conf > /dev/null ; then +if echo "${SYSCTL}" | tee "$aslr_mmap_config_file" > /dev/null ; then exit 0 fi -echo "$0: ERROR: Error writing ASLR map config file '/etc/sysctl.d/30_security-misc_aslr-mmap.conf'!" >&2 +echo "$0: ERROR: Error writing ASLR map config file '$aslr_mmap_config_file'!" >&2 exit_with_error From 5d4d04a2ebeeea7e096c1680779f2897a03838c6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 May 2023 11:54:00 +0000 Subject: [PATCH 0776/1650] output --- usr/libexec/security-misc/mmap-rnd-bits | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 4dd5432..a79eebd 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits 
@@ -71,8 +71,11 @@ vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" ## Write the sysctl.d conf file. if echo "${SYSCTL}" | tee "$aslr_mmap_config_file" > /dev/null ; then + echo "$0: INFO: Successfully written ASLR map config file: +$aslr_mmap_config_file" exit 0 fi -echo "$0: ERROR: Error writing ASLR map config file '$aslr_mmap_config_file'!" >&2 +echo "$0: ERROR: Error writing ASLR map config file: +$aslr_mmap_config_file" >&2 exit_with_error From a815c9b9867b0ec56737e60eb1dfeec6a57af6f1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 May 2023 11:54:31 +0000 Subject: [PATCH 0777/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c31c8b3..fa722cf 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 5d4d04a2ebeeea7e096c1680779f2897a03838c6 +Author: Patrick Schleizer +Date: Sat May 6 11:54:00 2023 +0000 + + output + +commit 2d465c624975cc2ca308878e0ef1508316d3316e +Author: Patrick Schleizer +Date: Sat May 6 11:51:25 2023 +0000 + + refactoring + +commit b756314eb894dde4d017e0aec5876b56f0178de4 +Author: Patrick Schleizer +Date: Fri May 5 15:09:32 2023 +0000 + + bumped changelog version + commit 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 Author: Patrick Schleizer Date: Fri May 5 15:04:21 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 2cd775b..8310643 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 May 2023 11:54:31 +0000 + security-misc (3:28.4-1) unstable; urgency=medium * New upstream version (local package). From 0c10b3f0383d69c2d504b3e346da68b056d1dca8 Mon Sep 17 00:00:00 2001 
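Review bot: The write in this hunk (`echo "${SYSCTL}" | tee "$aslr_mmap_config_file"`) truncates the existing config before writing, so a failed or partial write (full disk, I/O error) leaves an empty or truncated sysctl.d file in place rather than the previous good one, and because postinst runs the script with `|| true` the install still succeeds with the hardening silently lost. Writing to a temporary file in the same directory and renaming it over the target keeps the previous file intact on failure; `mktemp` creates the file 0600, so a `chmod 0644` is needed to match the usual sysctl.d permissions. The error path that follows the hunk is unchanged apart from cleaning up the temporary file.
```shell
## Write atomically: tee would truncate the existing file before a failed write.
tmp_file="$(mktemp "${aslr_mmap_config_file}.XXXXXX")"
if printf '%s\n' "${SYSCTL}" > "$tmp_file" && chmod 0644 "$tmp_file" && mv -f "$tmp_file" "$aslr_mmap_config_file" ; then
  ## … unchanged: success message and exit 0 …
fi
rm -f "$tmp_file"
## … unchanged: error message and exit_with_error …
```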
From: Patrick Schleizer Date: Sat, 6 May 2023 11:59:59 +0000 Subject: [PATCH 0778/1650] output --- usr/libexec/security-misc/mmap-rnd-bits | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index a79eebd..51d96bd 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -49,7 +49,7 @@ if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | fi else ## Could be a chroot. - echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'. Therefore using built-in defaults." >&2 + echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'). Therefore using built-in defaults." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" fi From 6511dac1d4aea1800ce8e51d1f6cdbae4d31e10c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 May 2023 12:00:12 +0000 Subject: [PATCH 0779/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fa722cf..631bfef 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 0c10b3f0383d69c2d504b3e346da68b056d1dca8 +Author: Patrick Schleizer +Date: Sat May 6 11:59:59 2023 +0000 + + output + +commit a815c9b9867b0ec56737e60eb1dfeec6a57af6f1 +Author: Patrick Schleizer +Date: Sat May 6 11:54:31 2023 +0000 + + bumped changelog version + commit 5d4d04a2ebeeea7e096c1680779f2897a03838c6 Author: Patrick Schleizer Date: Sat May 6 11:54:00 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 8310643..899a67e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:28.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 May 2023 12:00:12 +0000 + security-misc (3:28.5-1) unstable; urgency=medium * New upstream version (local package). From 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 Mon Sep 17 00:00:00 2001 From: Jeremy Rand Date: Mon, 8 May 2023 13:45:18 +0000 Subject: [PATCH 0780/1650] README: Document mmap-rnd-bits --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 33cb7d0..20f5a41 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,6 @@ often abused to exploit use-after-free flaws. * Kexec is disabled as it can be used to load a malicious kernel and gain arbitrary code execution in kernel mode. -* The bits of entropy used for mmap ASLR are increased, therefore improving -its effectiveness. - * Randomises the addresses for mmap base, heap, stack, and VDSO pages. * Prevents unintentional writes to attacker-controlled files. @@ -54,6 +51,13 @@ prevents writing potentially sensitive contents of memory to disk. * TCP timestamps are disabled as it can allow detecting the system time. +### mmap ASLR + +* The bits of entropy used for mmap ASLR are maxed out via +`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of +`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that +the kernel was built with), therefore improving its effectiveness. + ### Boot parameters Boot parameters are outlined in configuration files located in the From 6ab400c9d982bde16271052f181c87255046037e Mon Sep 17 00:00:00 2001 From: Jeremy Rand Date: Tue, 9 May 2023 10:55:31 +0000 Subject: [PATCH 0781/1650] mmap-rnd-bits: Fix typo in error message --- usr/libexec/security-misc/mmap-rnd-bits | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 51d96bd..17482bf 100755 
--- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -40,7 +40,7 @@ COMPAT_BITS_MAX_DEFAULT=16 if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then ## Find the relevant config options. if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAXQ Using built-in default." >&2 + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 BITS_MAX="${BITS_MAX_DEFAULT}" fi if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then From c921d4e915af50dd1773016b0015be584e1e3f5f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 May 2023 11:56:30 +0000 Subject: [PATCH 0782/1650] bumped changelog version --- changelog.upstream | 43 +++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 49 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 631bfef..9ebec64 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,46 @@ +commit 39676395f814007f74ce1edb0aee0ada4d4fa478 +Merge: 6511dac 1f38fcf +Author: Patrick Schleizer +Date: Mon May 15 11:34:57 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 1f38fcfefa1ccd732e4500522cc0978bda69ab0b +Merge: d66a9ba 6ab400c +Author: Patrick Schleizer +Date: Mon May 15 07:34:16 2023 -0400 + + Merge pull request #125 from JeremyRand/typo + + mmap-rnd-bits: Fix typo in error message + +commit d66a9bac551e7544eed592a69f576d27880e2bf3 +Merge: 6511dac 9d23717 +Author: Patrick Schleizer +Date: Mon May 15 07:34:00 2023 -0400 + + Merge pull request #124 from JeremyRand/doc-aslr + + README: Document mmap-rnd-bits + +commit 6ab400c9d982bde16271052f181c87255046037e +Author: Jeremy Rand +Date: Tue May 9 10:55:31 2023 +0000 + + mmap-rnd-bits: Fix typo in error message + +commit 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 +Author: Jeremy Rand +Date: Mon May 8 13:45:18 2023 +0000 + + README: Document mmap-rnd-bits + +commit 6511dac1d4aea1800ce8e51d1f6cdbae4d31e10c +Author: Patrick Schleizer +Date: Sat May 6 12:00:12 2023 +0000 + + bumped changelog version + commit 0c10b3f0383d69c2d504b3e346da68b056d1dca8 Author: Patrick Schleizer Date: Sat May 6 11:59:59 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 899a67e..6211b5b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 May 2023 11:56:30 +0000 + security-misc (3:28.6-1) unstable; urgency=medium * New upstream version (local package). From cf003dfad85434f5a52524fdd97a7f619ba82429 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 16 May 2023 02:11:44 +1000 Subject: [PATCH 0783/1650] Update comments --- README.md | 4 ---- etc/sysctl.d/30_security-misc.conf | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 20f5a41..ea335fb 100644 --- a/README.md 
+++ b/README.md @@ -386,10 +386,6 @@ https://github.com/ioerror/torbirdy/pull/11 Some hardening is opt-in as it causes too much breakage to be enabled by default. -* TCP SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf` -configuration file. - * An optional systemd service mounts `/proc` with `hidepid=2` at boot to prevent users from seeing another user's processes. This is disabled by default because it is incompatible with `pkexec`. It can be enabled by diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 162a9e3..1fcb0ea 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -36,6 +36,14 @@ net.core.bpf_jit_harden=2 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak kernel.kptr_restrict=2 +## Improves ASLR effectiveness for mmap. +## Both explicit sysctl are made redundant due to automation +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 +## Do NOT enable either - displaying only for clarity +## +#vm.mmap_rnd_bits=32 +#vm.mmap_rnd_compat_bits=16 + ## Restricts the use of ptrace to root. This might break some programs running under WINE. ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## From 4e28ace103e11373d1b5cf5de8be6b1f94c567ce Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 May 2023 17:31:59 +0000 Subject: [PATCH 0784/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9ebec64..b62a2f1 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,31 @@ +commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e +Merge: c921d4e b0b73db +Author: Patrick Schleizer +Date: Mon May 15 16:58:11 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b0b73db3c84f8cc7594b6b181e0e495cd7e92571 +Merge: c921d4e cf003df +Author: Patrick Schleizer +Date: Mon May 15 12:57:46 2023 -0400 + + Merge pull request #126 from raja-grewal/Comment + + Update comments + +commit cf003dfad85434f5a52524fdd97a7f619ba82429 +Author: Raja Grewal +Date: Tue May 16 02:11:44 2023 +1000 + + Update comments + +commit c921d4e915af50dd1773016b0015be584e1e3f5f +Author: Patrick Schleizer +Date: Mon May 15 11:56:30 2023 +0000 + + bumped changelog version + commit 39676395f814007f74ce1edb0aee0ada4d4fa478 Merge: 6511dac 1f38fcf Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 6211b5b..f86b988 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 May 2023 17:31:59 +0000 + security-misc (3:28.7-1) unstable; urgency=medium * New upstream version (local package). From 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 12 Jun 2023 16:22:32 +0000 Subject: [PATCH 0785/1650] Standards-Version: 4.6.1.0 --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 7a95366..a3df26f 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, d Homepage: https://github.com/Whonix/security-misc Vcs-Browser: https://github.com/Whonix/security-misc Vcs-Git: https://github.com/Whonix/security-misc.git -Standards-Version: 4.5.1 +Standards-Version: 4.6.1.0 Rules-Requires-Root: no Package: security-misc From be990188f56f059585cf70589de03afb992b9ea2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 12 Jun 2023 18:01:55 +0000 Subject: [PATCH 0786/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b62a2f1..38f1699 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 +Author: Patrick Schleizer +Date: Mon Jun 12 16:22:32 2023 +0000 + + Standards-Version: 4.6.1.0 + +commit 4e28ace103e11373d1b5cf5de8be6b1f94c567ce +Author: Patrick Schleizer +Date: Mon May 15 17:31:59 2023 +0000 + + bumped changelog version + commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e Merge: c921d4e b0b73db Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index f86b988..5eff8c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:28.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 12 Jun 2023 18:01:55 +0000 + security-misc (3:28.8-1) unstable; urgency=medium * New upstream version (local package). From 25760f70246dd07376465d9a4222098fd24b8516 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 13 Jun 2023 08:34:41 +0000 Subject: [PATCH 0787/1650] bookworm --- usr/share/lintian/overrides/security-misc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index ba9a440..b18ab3b 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -2,10 +2,10 @@
 ## See the file COPYING for copying conditions.
 
 ## The whole point of the package.
-security-misc: package-contains-file-in-etc-skel etc/skel/*
+security-misc: package-contains-file-in-etc-skel [etc/skel/*]
 
 ## Wrapper script.
-security-misc: no-manual-page usr/bin/pkexec.security-misc
+security-misc: no-manual-page [usr/bin/pkexec.security-misc]
 
 ## Non-ideal but still a good solution.
-security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder
+security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder]
From 63599a09d795d82b0f069f88d73fd607129af0ef Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 14 Jun 2023 09:59:20 +0000
Subject: [PATCH 0788/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 38f1699..2f9b833 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 25760f70246dd07376465d9a4222098fd24b8516
+Author: Patrick Schleizer
+Date: Tue Jun 13 08:34:41 2023 +0000
+
+ bookworm
+
+commit be990188f56f059585cf70589de03afb992b9ea2
+Author: Patrick Schleizer
+Date: Mon Jun 12 18:01:55 2023 +0000
+
+ bumped changelog version
+
 commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2
 Author: Patrick Schleizer
 Date: Mon Jun 12 16:22:32 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index 5eff8c5..8f2d509 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.0-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 14 Jun 2023 09:59:20 +0000
+
 security-misc (3:28.9-1) unstable; urgency=medium
 
 * New upstream version (local package).
From 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 16 Jun 2023 10:49:05 +0000
Subject: [PATCH 0789/1650] readme

---
README_generic.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README_generic.md b/README_generic.md
index 95a324f..e5c0e76 100644
--- a/README_generic.md
+++ b/README_generic.md
@@ -14,12 +14,12 @@ https://forums.whonix.org/t/kernel-hardening/7296
 1\. Download the APT Signing Key.
 
 ```
-wget https://www.kicksecure.com/derivative.asc
+wget https://www.kicksecure.com/keys/derivative.asc
 ```
 
 Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security.
 
-2\. Add the APT Signing Key..
+2\. Add the APT Signing Key.
 
 ```
 sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
@@ -28,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
 3\. Add the derivative repository.
 
 ```
-echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
 ```
 
 4\. Update your package lists.
@@ -61,7 +61,7 @@ NOTE: Replace `generic-package` with the actual name of this package `security-m
 ## Contact ##
 
 * [Free Forum Support](https://forums.kicksecure.com)
-* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support)
+* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support)
 
 ## Donate ##
 
From b610cdcbcd85ee4c433a3df0662e225b52b592cd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 16 Jun 2023 11:09:02 +0000
Subject: [PATCH 0790/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 2f9b833..ea1b616 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a
+Author: Patrick Schleizer
+Date: Fri Jun 16 10:49:05 2023 +0000
+
+ readme
+
+commit 63599a09d795d82b0f069f88d73fd607129af0ef
+Author: Patrick Schleizer
+Date: Wed Jun 14 09:59:20 2023 +0000
+
+ bumped changelog version
+
 commit 25760f70246dd07376465d9a4222098fd24b8516
 Author: Patrick Schleizer
 Date: Tue Jun 13 08:34:41 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index 8f2d509..eb93176 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.1-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Fri, 16 Jun 2023 11:09:01 +0000
+
 security-misc (3:29.0-1) unstable; urgency=medium
 
 * New upstream version (local package).
From 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 21 Jun 2023 09:11:31 +0000
Subject: [PATCH 0791/1650] bookworm

---
debian/control | 2 +-
debian/source/lintian-overrides | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index a3df26f..1c2f199 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, d
 Homepage: https://github.com/Whonix/security-misc
 Vcs-Browser: https://github.com/Whonix/security-misc
 Vcs-Git: https://github.com/Whonix/security-misc.git
-Standards-Version: 4.6.1.0
+Standards-Version: 4.6.2
 Rules-Requires-Root: no
 
 Package: security-misc
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 942fd18..c657565 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,2 +1,2 @@
 ## https://phabricator.whonix.org/T277
-debian-watch-does-not-check-gpg-signature
+debian-watch-does-not-check-openpgp-signature
From 609c8c0697ecf3414e38de9d32dc367a25172802 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 21 Jun 2023 09:36:44 +0000
Subject: [PATCH 0792/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index ea1b616..a26d836 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7
+Author: Patrick Schleizer
+Date: Wed Jun 21 09:11:31 2023 +0000
+
+ bookworm
+
+commit b610cdcbcd85ee4c433a3df0662e225b52b592cd
+Author: Patrick Schleizer
+Date: Fri Jun 16 11:09:02 2023 +0000
+
+ bumped changelog version
+
 commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a
 Author: Patrick Schleizer
 Date: Fri Jun 16 10:49:05 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index eb93176..8d6f1f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.2-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 21 Jun 2023 09:36:44 +0000
+
 security-misc (3:29.1-1) unstable; urgency=medium
 
 * New upstream version (local package).
From 8a6baea99017fd971ae4a5e89599b87bc945b276 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 22 Jun 2023 16:16:15 +0000
Subject: [PATCH 0793/1650] comment

---
etc/sudoers.d/xfce-security-misc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
index 4e04020..be92ce9 100644
--- a/etc/sudoers.d/xfce-security-misc
+++ b/etc/sudoers.d/xfce-security-misc
@@ -4,7 +4,7 @@
 ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
 ## /usr/share/polkit-1/actions/org.xfce.power.policy
 
-## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
+## Feel free to out comment this if you are not using xfce4-power-manager or Xfce.
 #%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
 #%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
 
From 29aaf13c13ec1023d33e84442db0f5afeaa4436d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 23 Jun 2023 08:18:12 +0000
Subject: [PATCH 0794/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index a26d836..cc00b01 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 8a6baea99017fd971ae4a5e89599b87bc945b276
+Author: Patrick Schleizer
+Date: Thu Jun 22 16:16:15 2023 +0000
+
+ comment
+
+commit 609c8c0697ecf3414e38de9d32dc367a25172802
+Author: Patrick Schleizer
+Date: Wed Jun 21 09:36:44 2023 +0000
+
+ bumped changelog version
+
 commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7
 Author: Patrick Schleizer
 Date: Wed Jun 21 09:11:31 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index 8d6f1f1..feb67f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.3-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Fri, 23 Jun 2023 08:18:12 +0000
+
 security-misc (3:29.2-1) unstable; urgency=medium
 
 * New upstream version (local package).
From ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 17 Jul 2023 11:10:05 -0400
Subject: [PATCH 0795/1650] Kicksecure

---
debian/control | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/debian/control b/debian/control
index 1c2f199..13d33dc 100644
--- a/debian/control
+++ b/debian/control
@@ -6,9 +6,9 @@ Section: misc
 Priority: optional
 Maintainer: Patrick Schleizer
 Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor
-Homepage: https://github.com/Whonix/security-misc
-Vcs-Browser: https://github.com/Whonix/security-misc
-Vcs-Git: https://github.com/Whonix/security-misc.git
+Homepage: https://github.com/Kicksecure/security-misc
+Vcs-Browser: https://github.com/Kicksecure/security-misc
+Vcs-Git: https://github.com/Kicksecure/security-misc.git
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 
@@ -19,9 +19,9 @@ Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
 secure-delete, dmsetup, ${misc:Depends}
 Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
 Description: Enhances Miscellaneous Security Settings
- https://github.com/Whonix/security-misc/blob/master/README.md
+ https://github.com/Kicksecure/security-misc/blob/master/README.md
 .
- https://www.whonix.org/wiki/Security-misc
+ https://www.kicksecure.com/wiki/Security-misc
 .
 Discussion:
 .
From 81ad786dfcdd416056c6ae8a9d02231bda6fcbde Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 17 Jul 2023 11:19:07 -0400
Subject: [PATCH 0796/1650] Kicksecure

---
debian/control | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/control b/debian/control
index 13d33dc..571050a 100644
--- a/debian/control
+++ b/debian/control
@@ -1,12 +1,12 @@
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
 Source: security-misc
 Section: misc
 Priority: optional
-Maintainer: Patrick Schleizer
+Maintainer: Patrick Schleizer
 Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor
-Homepage: https://github.com/Kicksecure/security-misc
+Homepage: https://www.kicksecure.com/wiki/Security-misc
 Vcs-Browser: https://github.com/Kicksecure/security-misc
 Vcs-Git: https://github.com/Kicksecure/security-misc.git
 Standards-Version: 4.6.2
From 358e4226f1b3db32e560e4bbe1c663828eac7059 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 17 Jul 2023 11:48:35 -0400
Subject: [PATCH 0797/1650] bumped changelog version

---
changelog.upstream | 18 ++++++++++++++++++
debian/changelog | 6 ++++++
2 files changed, 24 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index cc00b01..0158fba 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,21 @@
+commit 81ad786dfcdd416056c6ae8a9d02231bda6fcbde
+Author: Patrick Schleizer
+Date: Mon Jul 17 11:19:07 2023 -0400
+
+ Kicksecure
+
+commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe
+Author: Patrick Schleizer
+Date: Mon Jul 17 11:10:05 2023 -0400
+
+ Kicksecure
+
+commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d
+Author: Patrick Schleizer
+Date: Fri Jun 23 08:18:12 2023 +0000
+
+ bumped changelog version
+
 commit 8a6baea99017fd971ae4a5e89599b87bc945b276
 Author: Patrick Schleizer
 Date: Thu Jun 22 16:16:15 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index feb67f5..e289373 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.4-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000
+
 security-misc (3:29.3-1) unstable; urgency=medium
 
 * New upstream version (local package).
From fa820e897895eda93011a0f2bbd915ffffcb1459 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 12 Oct 2023 10:40:27 -0400
Subject: [PATCH 0798/1650] refactoring environment variables loading mechanism

---
debian/security-misc.links | 2 ++
debian/security-misc.maintscript | 3 +++
etc/X11/Xsession.d/50security-misc | 9 ---------
.../50panic_on_oops => profile.d/security-misc.sh} | 5 +++++
4 files changed, 10 insertions(+), 9 deletions(-)
create mode 100644 debian/security-misc.links
delete mode 100755 etc/X11/Xsession.d/50security-misc
rename etc/{X11/Xsession.d/50panic_on_oops => profile.d/security-misc.sh} (66%)

diff --git a/debian/security-misc.links b/debian/security-misc.links
new file mode 100644
index 0000000..97e2e5a
--- /dev/null
+++ b/debian/security-misc.links
@@ -0,0 +1,2 @@
+/etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh
+/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc.sh
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 4be0d9a..177005f 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -40,3 +40,6 @@ rm_conffile /etc/security/limits.d/disable-coredumps.conf
 
 ## moved to separate package ram-wipe
 rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg
+
+rm_conffile /etc/X11/Xsession.d/50panic_on_oops
+rm_conffile /etc/X11/Xsession.d/50security-misc
diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc
deleted file mode 100755
index 0d8efce..0000000
--- a/etc/X11/Xsession.d/50security-misc
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-if [ -z "$XDG_CONFIG_DIRS" ]; then
- XDG_CONFIG_DIRS=/etc/xdg
-fi
-export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/profile.d/security-misc.sh
similarity index 66%
rename from etc/X11/Xsession.d/50panic_on_oops
rename to etc/profile.d/security-misc.sh
index 79646cb..51ba00e 100755
--- a/etc/X11/Xsession.d/50panic_on_oops
+++ b/etc/profile.d/security-misc.sh
@@ -3,6 +3,11 @@
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+if [ -z "$XDG_CONFIG_DIRS" ]; then
+ XDG_CONFIG_DIRS=/etc/xdg
+fi
+export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
+
 if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
 sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
 fi
From e96e6aa38e29888a64fa35f85becc1596118a812 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 12 Oct 2023 10:43:40 -0400
Subject: [PATCH 0799/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 0158fba..5e71580 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit fa820e897895eda93011a0f2bbd915ffffcb1459
+Author: Patrick Schleizer
+Date: Thu Oct 12 10:40:27 2023 -0400
+
+ refactoring environment variables loading mechanism
+
+commit 358e4226f1b3db32e560e4bbe1c663828eac7059
+Author: Patrick Schleizer
+Date: Mon Jul 17 11:48:35 2023 -0400
+
+ bumped changelog version
+
 commit 81ad786dfcdd416056c6ae8a9d02231bda6fcbde
 Author: Patrick Schleizer
 Date: Mon Jul 17 11:19:07 2023 -0400
diff --git a/debian/changelog b/debian/changelog
index e289373..b54253a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.5-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000
+
 security-misc (3:29.4-1) unstable; urgency=medium
 
 * New upstream version (local package).
From 2d4524108445829d7ac80e828e9a1442cf038a6b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 12 Oct 2023 11:37:01 -0400
Subject: [PATCH 0800/1650] avoid duplicate environment variables

---
etc/profile.d/security-misc.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/security-misc.sh
index 51ba00e..026a702 100755
--- a/etc/profile.d/security-misc.sh
+++ b/etc/profile.d/security-misc.sh
@@ -6,7 +6,9 @@
 if [ -z "$XDG_CONFIG_DIRS" ]; then
 XDG_CONFIG_DIRS=/etc/xdg
 fi
-export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
+if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
+ export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
+fi
 
 if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
 sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
From 13a4f37e50805a0e51b8f63808e166318e39a074 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 12 Oct 2023 12:51:37 -0400
Subject: [PATCH 0801/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 5e71580..1355f69 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 2d4524108445829d7ac80e828e9a1442cf038a6b
+Author: Patrick Schleizer
+Date: Thu Oct 12 11:37:01 2023 -0400
+
+ avoid duplicate environment variables
+
+commit e96e6aa38e29888a64fa35f85becc1596118a812
+Author: Patrick Schleizer
+Date: Thu Oct 12 10:43:40 2023 -0400
+
+ bumped changelog version
+
 commit fa820e897895eda93011a0f2bbd915ffffcb1459
 Author: Patrick Schleizer
 Date: Thu Oct 12 10:40:27 2023 -0400
diff --git a/debian/changelog b/debian/changelog
index b54253a..959457b 100644
--- a/debian/changelog
+++ b/debian/changelog
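Review bot: The new `if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then` test is an unanchored substring match and forks two processes in every login shell that sources this profile snippet; a POSIX `case` on the colon-delimited list matches the entry exactly and needs no subprocess. It keeps the idempotency this commit is after (no duplicate entry when the file is sourced more than once, which the links to zprofile.d and Xsession.d make likely). The rewrite below replaces only the three added lines; the `/etc/xdg` default above and the panic-on-oops block below are unchanged.
```shell
# … unchanged: default XDG_CONFIG_DIRS to /etc/xdg when empty …
case ":${XDG_CONFIG_DIRS}:" in
    *:/usr/share/security-misc/:*) ;;
    *) export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS ;;
esac
# … unchanged: panic-on-oops block …
```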
@@ -1,3 +1,9 @@
+security-misc (3:29.6-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000
+
 security-misc (3:29.5-1) unstable; urgency=medium
 
 * New upstream version (local package).
From 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 13 Oct 2023 15:22:48 -0400
Subject: [PATCH 0802/1650] fix

---
etc/profile.d/security-misc.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/security-misc.sh
index 026a702..351d3ed 100755
--- a/etc/profile.d/security-misc.sh
+++ b/etc/profile.d/security-misc.sh
@@ -11,5 +11,6 @@ if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
 fi
 
 if [ -x /usr/libexec/security-misc/panic-on-oops ]; then
- sudo --non-interactive /usr/libexec/security-misc/panic-on-oops
+ ## Hide output. Otherwise could confuse Qubes UpdatesProxy.
+ sudo --non-interactive /usr/libexec/security-misc/panic-on-oops 1>/dev/null 2>/dev/null
 fi
From dd43ab634d9ab0a59234798e1b14ba99099c65c9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 13 Oct 2023 15:22:58 -0400
Subject: [PATCH 0803/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 1355f69..5f28217 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42
+Author: Patrick Schleizer
+Date: Fri Oct 13 15:22:48 2023 -0400
+
+ fix
+
+commit 13a4f37e50805a0e51b8f63808e166318e39a074
+Author: Patrick Schleizer
+Date: Thu Oct 12 12:51:37 2023 -0400
+
+ bumped changelog version
+
 commit 2d4524108445829d7ac80e828e9a1442cf038a6b
 Author: Patrick Schleizer
 Date: Thu Oct 12 11:37:01 2023 -0400
diff --git a/debian/changelog b/debian/changelog
index 959457b..aff8c31 100644
--- a/debian/changelog
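Review bot: Sending both stdout and stderr of the `sudo --non-interactive … panic-on-oops` call to /dev/null also hides the case where the sudoers rule is absent or sudo refuses, so a host on which the helper never runs is indistinguishable from a healthy one and the hardening silently stays off. Keep the console quiet as the new comment explains for Qubes UpdatesProxy, but record the failure where an operator can find it, e.g. `sudo --non-interactive /usr/libexec/security-misc/panic-on-oops >/dev/null 2>&1 || logger -t security-misc "panic-on-oops helper failed"`. The `1>/dev/null 2>/dev/null` pair is the same as `>/dev/null 2>&1`.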
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.7-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000
+
 security-misc (3:29.6-1) unstable; urgency=medium
 
 * New upstream version (local package).
From d543825d85a5d84274c21cd85db6df777948606e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 Oct 2023 12:24:59 -0400
Subject: [PATCH 0804/1650] comments

---
debian/security-misc.links | 2 +-
etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/security-misc.links b/debian/security-misc.links
index 97e2e5a..54eff1b 100644
--- a/debian/security-misc.links
+++ b/debian/security-misc.links
@@ -1,2 +1,2 @@
 /etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh
-/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc.sh
+/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b673d6d..be7c40c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -59,6 +59,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ## Implemented differently:
 ## /usr/libexec/security-misc/panic-on-oops
-## /etc/X11/Xsession.d/50panic_on_oops
+## /etc/profile.d/security-misc.sh
 ## /etc/sudoers.d/security-misc
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
From 43375fa1f4d32f04907edf1297fef737342b49ea Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 Oct 2023 12:34:59 -0400
Subject: [PATCH 0805/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 5f28217..1cae316 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit d543825d85a5d84274c21cd85db6df777948606e
+Author: Patrick Schleizer
+Date: Sat Oct 21 12:24:59 2023 -0400
+
+ comments
+
+commit dd43ab634d9ab0a59234798e1b14ba99099c65c9
+Author: Patrick Schleizer
+Date: Fri Oct 13 15:22:58 2023 -0400
+
+ bumped changelog version
+
 commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42
 Author: Patrick Schleizer
 Date: Fri Oct 13 15:22:48 2023 -0400
diff --git a/debian/changelog b/debian/changelog
index aff8c31..72ca8d0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.8-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000
+
 security-misc (3:29.7-1) unstable; urgency=medium
 
 * New upstream version (local package).
From ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 Oct 2023 14:18:50 -0400
Subject: [PATCH 0806/1650] fix xession environment variable

---
debian/security-misc.links | 4 ++--
etc/profile.d/{security-misc.sh => 30_security-misc.sh} | 0
2 files changed, 2 insertions(+), 2 deletions(-)
rename etc/profile.d/{security-misc.sh => 30_security-misc.sh} (100%)

diff --git a/debian/security-misc.links b/debian/security-misc.links
index 54eff1b..308f070 100644
--- a/debian/security-misc.links
+++ b/debian/security-misc.links
@@ -1,2 +1,2 @@
-/etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh
-/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc
+/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh
+/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc
diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/30_security-misc.sh
similarity index 100%
rename from etc/profile.d/security-misc.sh
rename to etc/profile.d/30_security-misc.sh
From ef3f1575733c668f652326cdb4f4fba8c71bf0ed Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 Oct 2023 14:19:24 -0400
Subject: [PATCH 0807/1650] bumped changelog version

---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 1cae316..b4865b7 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62
+Author: Patrick Schleizer
+Date: Sat Oct 21 14:18:50 2023 -0400
+
+ fix xession environment variable
+
+commit 43375fa1f4d32f04907edf1297fef737342b49ea
+Author: Patrick Schleizer
+Date: Sat Oct 21 12:34:59 2023 -0400
+
+ bumped changelog version
+
 commit d543825d85a5d84274c21cd85db6df777948606e
 Author: Patrick Schleizer
 Date: Sat Oct 21 12:24:59 2023 -0400
diff --git a/debian/changelog b/debian/changelog
index 72ca8d0..caebc24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:29.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000
+
 security-misc (3:29.8-1) unstable; urgency=medium
 
 * New upstream version (local package).
From ac63b0eb3db3d168908459fecd6b3275cce015bc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 05:41:11 -0400
Subject: [PATCH 0808/1650] remove duplicate

---
lib/systemd/system/remount-secure.service | 1 -
1 file changed, 1 deletion(-)

diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
index 2e08b65..831fc3e 100644
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@@ -16,7 +16,6 @@ After=qubes-sysinit.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/libexec/security-misc/remount-secure
-RemainAfterExit=yes
 
 [Install]
 WantedBy=sysinit.target
From 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 05:41:56 -0400
Subject: [PATCH 0809/1650] documentation

---
lib/systemd/system/hide-hardware-info.service | 2 +-
lib/systemd/system/permission-hardening.service | 2 +-
lib/systemd/system/proc-hidepid.service | 2 +-
lib/systemd/system/remount-secure.service | 2 +-
lib/systemd/system/remove-system-map.service | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service
index d1e02fd..45c3e90 100644
--- a/lib/systemd/system/hide-hardware-info.service
+++ b/lib/systemd/system/hide-hardware-info.service
@@ -3,7 +3,7 @@
 
 [Unit]
 Description=Hide hardware information to unprivileged users
-Documentation=https://github.com/Whonix/security-misc
+Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
 Requires=local-fs.target
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service
index 4987d02..8e9d81c 100644
--- a/lib/systemd/system/permission-hardening.service
+++ b/lib/systemd/system/permission-hardening.service
@@ -3,7 +3,7 @@
 
 [Unit]
 Description=SUID, SGID, Capability and File Permission Hardening
-Documentation=https://github.com/Whonix/security-misc
+Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
 
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
index 8d4d207..6c989c7 100644
--- a/lib/systemd/system/proc-hidepid.service
+++ b/lib/systemd/system/proc-hidepid.service
@@ -3,7 +3,7 @@
 
 [Unit]
 Description=Mounts /proc with hidepid=2
-Documentation=https://github.com/Whonix/security-misc
+Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
 Requires=local-fs.target
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
index 831fc3e..6adfcbc 100644
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@@ -3,7 +3,7 @@
 
 [Unit]
 Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
-Documentation=https://github.com/Whonix/security-misc
+Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
 
diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
index 1675c77..3614f55 100644
--- a/lib/systemd/system/remove-system-map.service
+++ b/lib/systemd/system/remove-system-map.service
@@ -3,7 +3,7 @@
 
 [Unit]
 Description=Removes the System.map files
-Documentation=https://github.com/Whonix/security-misc
+Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
 Before=sysinit.target
 Requires=local-fs.target
From abc35927345e14bbe4b9f13d205a648ce7a8bd8d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 06:23:48 -0400
Subject: [PATCH 0810/1650] remount-secure: stricter error handling

---
usr/libexec/security-misc/remount-secure | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure
index 57a26ca..5bc6c06 100755
--- a/usr/libexec/security-misc/remount-secure
+++ b/usr/libexec/security-misc/remount-secure
@@ -10,11 +10,14 @@
 
 set -x
 set -e
+set -o pipefail
+set -o nounset
 
 if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
 ## pre.bsh would `source` the following folders:
 ## /etc/remount-secure_pre.d/*.conf
 ## /usr/local/etc/remount-secure_pre.d/*.conf
+ # shellcheck disable=SC1091
 source /usr/libexec/helper-scripts/pre.bsh
 fi
 
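Review bot: `set -o nounset` is now active before `/usr/libexec/helper-scripts/pre.bsh` is sourced, and according to the comment above that line pre.bsh in turn sources the `/etc/remount-secure_pre.d/*.conf` and `/usr/local/etc/remount-secure_pre.d/*.conf` drop-ins, so a drop-in that reads a variable this script only defines later (for instance `$noexec`, which the next hunk has to guard with `[[ -v noexec ]]`) now aborts the whole unit with an unbound-variable error instead of being ignored. Whether pre.bsh itself is nounset-clean cannot be judged from this diff. If the drop-ins are meant to be user-editable, either move `set -o nounset` below the `fi` that closes the pre.bsh block, or state the contract in the comment above `source`, e.g. `## Drop-in files are sourced with nounset active; reference only variables you set yourself.`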
@@ -37,10 +40,15 @@ fi mkdir --parents "/var/run/remount-secure" +[[ -v noexec ]] || noexec="" +[[ -v noexec_maybe ]] || noexec_maybe="" + if [ "$noexec" = "true" ]; then noexec_maybe=",noexec" fi +command -v str_replace >/dev/null + exit_code=0 mount_output="$(mount)" @@ -55,7 +63,7 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - ## LANG=C str_replace is provided by package helper-scripts. + ## str_replace is provided by package helper-scripts. mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" ## example mount_folder: ## /home From c069c73109b45fbb8fa230ad4f90f4252db730f2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:29:38 -0400 Subject: [PATCH 0811/1650] refactoring --- usr/libexec/security-misc/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 5bc6c06..1b8318d 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -70,7 +70,7 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true - if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then + if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then echo "INFO: $mount_folder has already intended mount options." return 0 fi @@ -81,7 +81,7 @@ remount_secure() { fi ## BUG: echo: write error: Broken pipe - if echo "$mount_output" | grep -q "$mount_folder " ; then + if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. echo mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 From bc768aa196a08218aac0b6ef1c4ca013f2034122 Mon Sep 17 00:00:00 2001 
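Review bot: `command -v str_replace >/dev/null` relies on `set -e` to stop the script when the helper is missing, so the failure is silent and the exit status gives no hint of the cause; `command -v str_replace >/dev/null || { echo "ERROR: str_replace not found (package helper-scripts)" >&2; exit 1; }` makes it explicit. The two `[[ -v ... ]] || ...=""` lines exist only because `nounset` was just enabled and `noexec` is assigned in only two of the three branches above; initializing `noexec=""` and `noexec_maybe=""` once at the top of the script, before the `/etc/exec` checks, would be simpler than testing for their existence here.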
From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:31:57 -0400 Subject: [PATCH 0812/1650] output --- usr/libexec/security-misc/remount-secure | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 1b8318d..bc3ba7b 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -21,20 +21,26 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi +if test -o xtrace ; then + output_command=true +else + output_command=echo +fi + if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "INFO: file /etc/remount-disable exists. Doing nothing." + $output_command "INFO: file /etc/remount-disable exists. Doing nothing." exit 0 fi if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then noexec=false - echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." + $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." else if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then noexec=true - echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." + $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." else - echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." + $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." fi fi 
@@ -71,23 +77,23 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then - echo "INFO: $mount_folder has already intended mount options." + $output_command "INFO: $mount_folder has already intended mount options." return 0 fi if [ -e "$status_file_full_path" ]; then - echo "INFO: $mount_folder already remounted earlier. Not remounting again." + $output_command "INFO: $mount_folder already remounted earlier. Not remounting again." return 0 fi ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - echo mount -o "remount,${new_mount_options}" "$mount_folder" + $output_command mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + $output_command mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:32:19 -0400 Subject: [PATCH 0813/1650] debugging --- usr/libexec/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index bc3ba7b..5f14c19 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -8,7 +8,7 @@ ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -set -x +#set -x set -e set -o pipefail set -o nounset From 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:48:56 -0400 Subject: [PATCH 0814/1650] `remount-secure`: add support for `--force`; output --- usr/libexec/security-misc/remount-secure | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 5f14c19..4c51ee6 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure 
@@ -77,23 +77,28 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then - $output_command "INFO: $mount_folder has already intended mount options." + $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" return 0 fi - if [ -e "$status_file_full_path" ]; then - $output_command "INFO: $mount_folder already remounted earlier. Not remounting again." - return 0 + ## When this package is upgraded, the systemd unit will run again. + ## If the user meanwhile manually relaxed mount options, this should not be undone. + + if [ "${1:-}" == "--force" ]; then + if [ -e "$status_file_full_path" ]; then + $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." + return 0 + fi fi ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command mount -o "remount,${new_mount_options}" "$mount_folder" + $output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + $output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From ed11c68ac64c1ec4eaa590dbb56734d450c89b04 Mon Sep 17 00:00:00 2001 
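Review bot: The `--force` check is inverted: the status file is consulted only when `--force` *is* given, so a plain run (the systemd unit passes no arguments) re-applies the mount options every time, while `--force` is the one case that skips them, and the message `Use --force if this is what you want` is printed exactly when the user already passed it. Per the new comment above it (do not undo manually relaxed options on package upgrade) the test should read `if [ "${1:-}" != "--force" ]; then`. The same inversion survives the later rewrite to `if [ "$option_force" == "true" ]; then` in commit c409e3221e179437ed0b162dde1e72cd116ba795 (its `@@ -78,7 +79,7 @@` hunk), which should be `!= "true"`. remount_secure's body continues outside the hunk.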
From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:51:52 -0400 Subject: [PATCH 0815/1650] move remount-secure to /usr/bin/remount-secure to make it easier to manually run --- lib/systemd/system/remount-secure.service | 2 +- usr/{libexec/security-misc => bin}/remount-secure | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename usr/{libexec/security-misc => bin}/remount-secure (100%) diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 6adfcbc..ba6e017 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -15,7 +15,7 @@ After=qubes-sysinit.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/remount-secure +ExecStart=/usr/bin/remount-secure [Install] WantedBy=sysinit.target diff --git a/usr/libexec/security-misc/remount-secure b/usr/bin/remount-secure similarity index 100% rename from usr/libexec/security-misc/remount-secure rename to usr/bin/remount-secure From 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:06:00 -0400 Subject: [PATCH 0816/1650] bumped changelog version --- changelog.upstream | 54 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 60 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b4865b7..f3e844a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,57 @@ +commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 +Author: Patrick Schleizer +Date: Sun Oct 22 06:51:52 2023 -0400 + + move remount-secure to /usr/bin/remount-secure to make it easier to manually run + +commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e +Author: Patrick Schleizer +Date: Sun Oct 22 06:48:56 2023 -0400 + + `remount-secure`: add support for `--force`; output + +commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 +Author: Patrick Schleizer +Date: Sun Oct 22 06:32:19 2023 -0400 + + debugging + +commit bc768aa196a08218aac0b6ef1c4ca013f2034122 +Author: Patrick Schleizer +Date: Sun Oct 22 06:31:57 2023 -0400 + + output + +commit c069c73109b45fbb8fa230ad4f90f4252db730f2 +Author: Patrick Schleizer +Date: Sun Oct 22 06:29:38 2023 -0400 + + refactoring + +commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d +Author: Patrick Schleizer +Date: Sun Oct 22 06:23:48 2023 -0400 + + remount-secure: stricter error handling + +commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:56 2023 -0400 + + documentation + +commit ac63b0eb3db3d168908459fecd6b3275cce015bc +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:11 2023 -0400 + + remove duplicate + +commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed +Author: Patrick Schleizer +Date: Sat Oct 21 14:19:24 2023 -0400 + + bumped changelog version + commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 Author: Patrick Schleizer Date: Sat Oct 21 14:18:50 2023 -0400 diff --git a/debian/changelog b/debian/changelog index caebc24..dd351a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 + security-misc (3:29.9-1) unstable; urgency=medium * New upstream version (local package). From e257f2a3806ba7013e8e47005fde1385044bc8d9 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:50:14 -0400 Subject: [PATCH 0817/1650] remount-secure: no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut --- usr/bin/remount-secure | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 4c51ee6..d76cc8a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -13,13 +13,13 @@ set -e set -o pipefail set -o nounset -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/remount-secure_pre.d/*.conf - ## /usr/local/etc/remount-secure_pre.d/*.conf - # shellcheck disable=SC1091 - source /usr/libexec/helper-scripts/pre.bsh -fi +# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then +# ## pre.bsh would `source` the following folders: +# ## /etc/remount-secure_pre.d/*.conf +# ## /usr/local/etc/remount-secure_pre.d/*.conf +# # shellcheck disable=SC1091 +# source /usr/libexec/helper-scripts/pre.bsh +# fi if test -o xtrace ; then output_command=true From f0ee470ecd0fc37125165dd6a5cefb47339b14b4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:51:05 -0400 Subject: [PATCH 0818/1650] comment --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d76cc8a..069fc6d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -13,6 +13,7 @@ set -e set -o pipefail set -o nounset +## Not simple with dracut. # if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then # ## pre.bsh would `source` the following folders: # ## /etc/remount-secure_pre.d/*.conf From e065f85c8809d04a9a4c041dd8b9b81bacd04e24 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:10:48 -0400 Subject: [PATCH 0819/1650] add remount-secure dracut module --- .../20remount-secure/module-setup.sh | 30 +++++++++++++++++++ .../20remount-secure/remount-secure.sh | 17 +++++++++++ 2 files changed, 47 insertions(+) create mode 100755 usr/lib/dracut/modules.d/20remount-secure/module-setup.sh create mode 100755 usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh new file mode 100755 index 0000000..ca5c44a --- /dev/null +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +# called by dracut +check() { + require_binaries str_replace || return 1 + require_binaries mount || return 1 + require_binaries remount-secure || return 1 + return 0 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +install() { + inst_multiple str_replace + inst_multiple mount + inst_multiple remount-secure + inst_hook cleanup 90 "$moddir/remount-secure.sh" +} + +# called by dracut +installkernel() { + return 0 +} diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh new file mode 100755 index 0000000..a05614c --- /dev/null +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +remount_hook() { + local remount_action + remount_action=$(getarg remountsecure) + + if [ ! "$remount_action" = "yes" ]; then + return 0 + fi + + remount-secure +} + +remount_hook From 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 Mon Sep 17 00:00:00 2001 
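Review bot: The module installs `remount-secure` but declares no dependency on the shell it needs: `/usr/bin/remount-secure` uses bash-only constructs (`[[ -v ... ]]`, `set -o pipefail`, `${FUNCNAME[1]}`) while this hook is `#!/bin/sh`, so unless another module already pulls bash in, `depends()` should `echo bash` before `return 0`, and `check()`/`install()` should also cover the coreutils the script calls (`mkdir`, `id`, `touch`), as the later fix-up commits bb57b1a289cc64cc5b2ab5518c151df5355a9f29 and b81a991731e912fa0f7d4ca59b0531bafb02a25a partly do. In `remount-secure.sh`, `remount_action=$(getarg remountsecure)` compared against the literal `yes` means a `remountsecure=1` parameter (the form documented later in `40_remmount-secure.cfg`) is ignored; `getargbool 0 remountsecure` is the dracut idiom for a boolean flag. Running at `cleanup 90` presumably resolves `/home` and `/tmp` inside the initramfs rather than under the real root, whereas `/run` and `/dev/shm` are carried over — a comment stating which mount points this hook is actually meant to cover would help the next reader.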
From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:12:30 -0400 Subject: [PATCH 0820/1650] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f3e844a..50d2bcc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 +Author: Patrick Schleizer +Date: Sun Oct 22 08:10:48 2023 -0400 + + add remount-secure dracut module + +commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 +Author: Patrick Schleizer +Date: Sun Oct 22 07:51:05 2023 -0400 + + comment + +commit e257f2a3806ba7013e8e47005fde1385044bc8d9 +Author: Patrick Schleizer +Date: Sun Oct 22 07:50:14 2023 -0400 + + remount-secure: + no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut + +commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 +Author: Patrick Schleizer +Date: Sun Oct 22 07:06:00 2023 -0400 + + bumped changelog version + commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 Author: Patrick Schleizer Date: Sun Oct 22 06:51:52 2023 -0400 diff --git a/debian/changelog b/debian/changelog index dd351a2..f3a04b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 + security-misc (3:30.0-1) unstable; urgency=medium * New upstream version (local package). From 167683ce763e97838e62950f00313b63d7c968b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:50:57 -0400 Subject: [PATCH 0821/1650] code simplification --- usr/bin/remount-secure | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 069fc6d..e7f8273 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -54,8 +54,6 @@ if [ "$noexec" = "true" ]; then noexec_maybe=",noexec" fi -command -v str_replace >/dev/null - exit_code=0 mount_output="$(mount)" @@ -70,11 +68,6 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - ## str_replace is provided by package helper-scripts. - mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" - ## example mount_folder: - ## /home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then @@ -107,28 +100,33 @@ remount_secure() { } _home() { + mount_folder="/home" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _run() { + mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev_shm() { + mount_folder="/dev/shm" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { + mount_folder="/tmp" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 # _lib() { +# mount_folder="/lib" # ## Not using noexec on /lib. # new_mount_options="nosuid,nodev" # remount_secure "$@" From 90f2b5e11c341c38bb0b11db603ceeba28e14b1c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:51:37 -0400 Subject: [PATCH 0822/1650] code simplification --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index ca5c44a..5cc2c61 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
@@ -5,7 +5,6 @@ # called by dracut check() { - require_binaries str_replace || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -18,7 +17,6 @@ depends() { # called by dracut install() { - inst_multiple str_replace inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From f472ce690ae350085d40cfd5ec46084dc559a51d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:57:35 -0400 Subject: [PATCH 0823/1650] comments --- debian/security-misc.triggers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 5dc870f..f8f1c77 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -2,14 +2,14 @@ ## See the file COPYING for copying conditions. #### meta start -#### project Whonix +#### project Kicksecure #### category security #### description ## Trigger 'activate-noawait update-initramfs' also works with both, ## initramfs-tools as well as dracut. ## - Activate initramfs hook that sets the sysctl values before init is executed. -## - dracut module 40sdmem-security-misc +## - dracut module 20remount-secure activate-noawait update-initramfs ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox From c409e3221e179437ed0b162dde1e72cd116ba795 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:36:03 -0400 Subject: [PATCH 0824/1650] implement remount-secure --- etc/default/grub.d/40_remmount-secure.cfg | 10 +++ usr/bin/remount-secure | 72 ++++++++++--------- .../20remount-secure/remount-secure.sh | 11 ++- 3 files changed, 56 insertions(+), 37 deletions(-) create mode 100644 etc/default/grub.d/40_remmount-secure.cfg diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg new file mode 100644 index 0000000..29d8718 --- /dev/null +++ b/etc/default/grub.d/40_remmount-secure.cfg 
@@ -0,0 +1,10 @@ +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure + +## Re-mount with nodev, nosuid. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" + +## Re-mount with nodev, nosuid, noexec. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1" diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e7f8273..b46daec 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
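Review bot: The file is named `40_remmount-secure.cfg` (double `m`) while the feature, the script and the dracut module are all spelled `remount-secure`; the typo will be copied into documentation and support requests, so renaming to `40_remount-secure.cfg` before the file ships is cheap. The examples use `remountsecure=1` and `remountnoexec=1`, but the dracut hook in the same commit reads the parameters with `getargbool`; a one-line comment stating which values enable each flag would spare readers guessing.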
@@ -13,51 +13,52 @@ set -e set -o pipefail set -o nounset -## Not simple with dracut. -# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then -# ## pre.bsh would `source` the following folders: -# ## /etc/remount-secure_pre.d/*.conf -# ## /usr/local/etc/remount-secure_pre.d/*.conf -# # shellcheck disable=SC1091 -# source /usr/libexec/helper-scripts/pre.bsh -# fi - if test -o xtrace ; then output_command=true else output_command=echo fi -if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - $output_command "INFO: file /etc/remount-disable exists. Doing nothing." - exit 0 -fi - -if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then - noexec=false - $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." -else - if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then - noexec=true - $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." - else - $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." - fi -fi - -mkdir --parents "/var/run/remount-secure" - -[[ -v noexec ]] || noexec="" -[[ -v noexec_maybe ]] || noexec_maybe="" - -if [ "$noexec" = "true" ]; then - noexec_maybe=",noexec" -fi +mkdir --parents "/run/remount-secure" exit_code=0 mount_output="$(mount)" +parse_options() { + ## Thanks to: + ## http://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case ${1:-} in + --remountnoexec) + $output_command "INFO: --remountnoexec" + noexec_maybe=",noexec" + shift + ;; + --force) + $output_command "INFO: --force" + option_force=true + shift + ;; + --) + shift + break + ;; + -*) + echo "unknown option: $1" >&2 + exit 1 + ;; + *) + break + ;; + esac + done + + [[ -v noexec_maybe ]] || noexec_maybe="" +} + remount_secure() { ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function ## which called this function. 
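Review bot: `option_force` is assigned only inside the `--force` branch, so with `set -o nounset` in effect the later `"$option_force"` test aborts the script on every run that does not pass `--force`; the defaulting at the end of `parse_options` should include `[[ -v option_force ]] || option_force=""` next to the `noexec_maybe` line (commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 later adds exactly this). Dropping the `/etc/noexec`, `/etc/exec` and `/etc/remount-disable` checks also means the systemd unit, whose `ExecStart=/usr/bin/remount-secure` passes no options, can no longer select noexec at all; if that is intended, the unit's `noexec (opt-in)` description should say the opt-in is now a kernel command line parameter. The `main()` that calls `parse_options "$@"` is in the next hunk.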
@@ -78,7 +79,7 @@ remount_secure() { ## When this package is upgraded, the systemd unit will run again. ## If the user meanwhile manually relaxed mount options, this should not be undone. - if [ "${1:-}" == "--force" ]; then + if [ "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 @@ -137,6 +138,7 @@ end() { } main() { + parse_options "$@" _home "$@" _run "$@" _dev_shm "$@" diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index a05614c..bd10974 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -3,15 +3,22 @@ ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## This script is intended to remount specified mount points with more secure +## options based on kernel command line parameters. + remount_hook() { local remount_action remount_action=$(getarg remountsecure) - if [ ! "$remount_action" = "yes" ]; then + if getargbool 1 remountnoexec; then + remount-secure --remountnoexec return 0 fi - remount-secure + if getargbool 1 remountsecure; then + remount-secure + return 0 + fi } remount_hook From 33d97a2560fe4aaab24f90057e825802541a408b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:39:54 -0400 Subject: [PATCH 0825/1650] improve output of remount-secure dracut module --- .../modules.d/20remount-secure/remount-secure.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index bd10974..7e046be 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh 
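Review bot: `getargbool 1 remountnoexec` and `getargbool 1 remountsecure` pass `1` as the *default*, i.e. the value returned when the parameter is absent from the kernel command line, so on a stock boot with neither parameter the first branch is taken and `remount-secure --remountnoexec` runs unconditionally — the opposite of the opt-in documented in `40_remmount-secure.cfg` and of the `noexec (opt-in)` wording in the unit file. Both calls should read `getargbool 0 remountnoexec` and `getargbool 0 remountsecure`. `remount_action=$(getarg remountsecure)` is now unused and can be removed along with its `local`.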
+++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -11,14 +11,20 @@ remount_hook() { remount_action=$(getarg remountsecure) if getargbool 1 remountnoexec; then - remount-secure --remountnoexec + if ! remount-secure --remountnoexec ; then + warn "'remount-secure --remountnoexec' failed." + fi return 0 fi if getargbool 1 remountsecure; then - remount-secure + if ! remount-secure ; then + warn "'remount-secure' failed." + fi return 0 fi + + warn "Not using remount-secure." } remount_hook From 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:44:17 -0400 Subject: [PATCH 0826/1650] /var/run -> /run --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b46daec..bf3c105 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -65,9 +65,9 @@ remount_secure() { status_file_name="${FUNCNAME[1]}" ## example status_file_name: ## _home - status_file_full_path="/var/run/remount-secure/${status_file_name}" + status_file_full_path="/run/remount-secure/${status_file_name}" ## example status_file_full_path: - ## /var/run/remount-secure/_home + ## /run/remount-secure/_home mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true From 181a6424796b1cafc87a8d74aad197135381a389 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:01:38 -0400 Subject: [PATCH 0827/1650] root check --- usr/bin/remount-secure | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index bf3c105..0279e18 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
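Review bot: `warn "Not using remount-secure."` fires on every boot that simply did not opt in, which will look like a problem in the dracut log; `info` (also provided by dracut-lib) or no message at all fits the default path better. With the `getargbool 1 ...` defaults from the previous commit this line is in practice unreachable, since the first branch is always taken when the parameter is absent. The failure branches correctly keep `return 0` so a remount failure does not block boot; naming the exit code in the warning (`remount-secure` returns 100/101 depending on which mount path failed) would make the log actionable, e.g. `warn "'remount-secure --remountnoexec' failed (exit code $?)."`.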
@@ -13,17 +13,22 @@ set -e set -o pipefail set -o nounset -if test -o xtrace ; then - output_command=true -else - output_command=echo -fi +init() { + if test -o xtrace ; then + output_command=true + else + output_command=echo + fi -mkdir --parents "/run/remount-secure" + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi -exit_code=0 - -mount_output="$(mount)" + mkdir --parents "/run/remount-secure" + exit_code=0 + mount_output="$(mount)" +} parse_options() { ## Thanks to: @@ -138,6 +143,7 @@ end() { } main() { + init "$@" parse_options "$@" _home "$@" _run "$@" From 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:01:54 -0400 Subject: [PATCH 0828/1650] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 50d2bcc..439f2e5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
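Review bot: The root-check error is printed through `$output_command`, which is `true` whenever xtrace is enabled, so a non-root run under `set -x` exits 1 with no message at all; errors should bypass the debug switch and go to stderr, `echo "ERROR: must be run as root! sudo $0" >&2`. Since the script is bash, `[ "$EUID" != "0" ]` gives the same check without the external `id` binary that the dracut module then has to ship (`require_binaries id` in commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29). Moving `exit_code=0` and `mount_output="$(mount)"` into `init()` is fine under `nounset` only because `main()` calls `init` first; a comment on `init()` stating that it must run before any other function would protect that ordering.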
@@ -1,3 +1,51 @@ +commit 181a6424796b1cafc87a8d74aad197135381a389 +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:38 2023 -0400 + + root check + +commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e +Author: Patrick Schleizer +Date: Sun Oct 22 09:44:17 2023 -0400 + + /var/run -> /run + +commit 33d97a2560fe4aaab24f90057e825802541a408b +Author: Patrick Schleizer +Date: Sun Oct 22 09:39:54 2023 -0400 + + improve output of remount-secure dracut module + +commit c409e3221e179437ed0b162dde1e72cd116ba795 +Author: Patrick Schleizer +Date: Sun Oct 22 09:36:03 2023 -0400 + + implement remount-secure + +commit f472ce690ae350085d40cfd5ec46084dc559a51d +Author: Patrick Schleizer +Date: Sun Oct 22 08:57:35 2023 -0400 + + comments + +commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c +Author: Patrick Schleizer +Date: Sun Oct 22 08:51:37 2023 -0400 + + code simplification + +commit 167683ce763e97838e62950f00313b63d7c968b0 +Author: Patrick Schleizer +Date: Sun Oct 22 08:50:57 2023 -0400 + + code simplification + +commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 +Author: Patrick Schleizer +Date: Sun Oct 22 08:12:30 2023 -0400 + + bumped changelog version + commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 Author: Patrick Schleizer Date: Sun Oct 22 08:10:48 2023 -0400 diff --git a/debian/changelog b/debian/changelog index f3a04b6..6d1cbea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 + security-misc (3:30.1-1) unstable; urgency=medium * New upstream version (local package). From bb57b1a289cc64cc5b2ab5518c151df5355a9f29 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:10:51 -0400 Subject: [PATCH 0829/1650] fix --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 5cc2c61..2070bd3 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,8 @@ # called by dracut check() { + require_binaries grep || return 1 + require_binaries id || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -17,6 +19,8 @@ depends() { # called by dracut install() { + inst_multiple grep + inst_multiple id inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From 292a5c3a8a37bc9dd807913bd76826e57e978b67 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:11:31 -0400 Subject: [PATCH 0830/1650] fix --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0279e18..cb6c90a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -62,6 +62,7 @@ parse_options() { done [[ -v noexec_maybe ]] || noexec_maybe="" + [[ -v option_force ]] || option_force="" } remount_secure() { From b81a991731e912fa0f7d4ca59b0531bafb02a25a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:15:11 -0400 Subject: [PATCH 0831/1650] fix --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 2070bd3..ba127f2 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,7 @@ # called by dracut check() { + require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 require_binaries mount || return 1 
@@ -19,6 +20,7 @@ depends() { # called by dracut install() { + inst_multiple touch inst_multiple grep inst_multiple id inst_multiple mount From 45ce0ff74d8f42d6a424e0742989008403891f8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:16:43 -0400 Subject: [PATCH 0832/1650] debugging --- usr/bin/remount-secure | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index cb6c90a..63a7eb4 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -28,6 +28,10 @@ init() { mkdir --parents "/run/remount-secure" exit_code=0 mount_output="$(mount)" + + ## Debugging. + $output_command "INFO: mount_output:" + $output_command "$mount_output" } parse_options() { From 1120d0652ddead556801958973d61502b75f9fc7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:16:53 -0400 Subject: [PATCH 0833/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 439f2e5..f532cdc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 45ce0ff74d8f42d6a424e0742989008403891f8a +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:43 2023 -0400 + + debugging + +commit b81a991731e912fa0f7d4ca59b0531bafb02a25a +Author: Patrick Schleizer +Date: Sun Oct 22 10:15:11 2023 -0400 + + fix + +commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 +Author: Patrick Schleizer +Date: Sun Oct 22 10:11:31 2023 -0400 + + fix + +commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 +Author: Patrick Schleizer +Date: Sun Oct 22 10:10:51 2023 -0400 + + fix + +commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:54 2023 -0400 + + bumped changelog version + commit 181a6424796b1cafc87a8d74aad197135381a389 Author: Patrick Schleizer Date: Sun Oct 22 10:01:38 2023 -0400 
diff --git a/debian/changelog b/debian/changelog index 6d1cbea..4663ca4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 + security-misc (3:30.2-1) unstable; urgency=medium * New upstream version (local package). From d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:22:21 -0400 Subject: [PATCH 0834/1650] use findmnt --- usr/bin/remount-secure | 2 +- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 63a7eb4..2b88822 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -79,7 +79,7 @@ remount_secure() { ## example status_file_full_path: ## /run/remount-secure/_home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true + mount_line_of_mount_folder="$(findmnt --noheadings "$mount_folder")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index ba127f2..52b5faa 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,7 @@ # called by dracut check() { + require_binaries findmnt || return 1 require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 @@ -20,6 +21,7 @@ depends() { # called by dracut install() { + inst_multiple findmnt inst_multiple touch inst_multiple grep inst_multiple id From ef69e512bd2e2eba0e292470bfef6336216e2605 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:25:57 -0400 Subject: [PATCH 0835/1650] refactoring --- usr/bin/remount-secure | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 2b88822..326c038 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -79,9 +79,11 @@ remount_secure() { ## example status_file_full_path: ## /run/remount-secure/_home - mount_line_of_mount_folder="$(findmnt --noheadings "$mount_folder")" || true + old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + ## example old_mount_options: + ## rw,nosuid,nodev,relatime,discard - if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then + if echo "$old_mount_options" | grep --quiet "$new_mount_options" ; then $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" return 0 fi From 41077c94fbc1a0c90ee870292fe82e16a70b52f1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:32:24 -0400 Subject: [PATCH 0836/1650] improve remount-secure --- usr/bin/remount-secure | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 326c038..af638df 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -32,6 +32,7 @@ init() { ## Debugging. $output_command "INFO: mount_output:" $output_command "$mount_output" + $output_command "" } parse_options() { @@ -70,6 +71,8 @@ parse_options() { } remount_secure() { + $output_command "" + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function ## which called this function. status_file_name="${FUNCNAME[1]}" 
@@ -83,8 +86,10 @@ remount_secure() { ## example old_mount_options: ## rw,nosuid,nodev,relatime,discard - if echo "$old_mount_options" | grep --quiet "$new_mount_options" ; then - $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" + $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" + + if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then + $output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)" return 0 fi @@ -93,7 +98,7 @@ remount_secure() { if [ "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then - $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." + $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 fi fi 
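Review bot: The "already has intended options" test in the first hunk, `if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then`, is an unanchored regex/substring match on the comma-joined option string, so it succeeds only when the intended options appear contiguously and in exactly that order in findmnt's output; the same options in another order, or with an unrelated option between them, fall through to a needless remount, and a partial overlap is never distinguished from a full one. An order-independent check is findmnt's own option filter, `if findmnt --noheadings --options "$intended_mount_options" -- "$mount_folder" >/dev/null ; then`, which, if I read `-O` correctly, lists the mount point only when every listed option is set. The second hunk keeps `if [ "$option_force" == "true" ]; then` around the status-file early return, which reads inverted (forcing is what causes the skip); a later patch on this page corrects it. remount_secure begins and ends outside these hunks.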
@@ -101,39 +106,42 @@ remount_secure() { ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder" - mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount -o "remount,${intended_mount_options}" "$mount_folder" + mount -o "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" - mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + touch "$status_file_full_path" } _home() { mount_folder="/home" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev_shm() { mount_folder="/dev/shm" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { mount_folder="/tmp" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } 
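Review bot: `touch "$status_file_full_path"` at the end of remount_secure runs even when the preceding `mount` failed and only recorded `exit_code=100` or `101`, so the next non-forced run finds the status file and reports "already remounted earlier" for a folder that was never hardened. Record success only, e.g. `mount --options "remount,${intended_mount_options}" "$mount_folder" || { exit_code=100; return 0; }` in the remount branch and `|| { exit_code=101; return 0; }` in the bind-mount branch, so the touch is reached only after a successful mount. Separately, the mounted-already test `grep --quiet "$mount_folder "` is a substring match on the cached `mount` output, so `/tmp ` also matches a `/var/tmp` line; a later patch on this page replaces it with findmnt. The function starts before this hunk.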
@@ -141,7 +149,7 @@ _tmp() { # _lib() { # mount_folder="/lib" # ## Not using noexec on /lib. -# new_mount_options="nosuid,nodev" +# intended_mount_options="nosuid,nodev" # remount_secure "$@" # } From a05bd3dd0e7319807fa7ea523407ec82ce8aa39c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:37:02 -0400 Subject: [PATCH 0837/1650] /home last because most likely to fail --- usr/bin/remount-secure | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index af638df..6e3f579 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -120,12 +120,6 @@ remount_secure() { touch "$status_file_full_path" } -_home() { - mount_folder="/home" - intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html @@ -153,6 +147,12 @@ _tmp() { # remount_secure "$@" # } +_home() { + mount_folder="/home" + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + end() { exit $exit_code } @@ -160,11 +160,11 @@ end() { main() { init "$@" parse_options "$@" - _home "$@" _run "$@" _dev_shm "$@" _tmp "$@" #_lib "$@" + _home "$@" end "$@" } From fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:38:48 -0400 Subject: [PATCH 0838/1650] refactoring --- usr/bin/remount-secure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 6e3f579..fff2cc5 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -106,12 +106,12 @@ remount_secure() { ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command INFO: Executing: mount -o "remount,${intended_mount_options}" "$mount_folder" - mount -o "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" + mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command INFO: Executing: mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true From 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:40:19 -0400 Subject: [PATCH 0839/1650] no longer reproducible --- usr/bin/remount-secure | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index fff2cc5..79f42b7 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -103,7 +103,6 @@ remount_secure() { fi fi - ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" From 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:41:42 -0400 Subject: [PATCH 0840/1650] refactoring --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 79f42b7..577c2ce 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -103,7 +103,7 @@ remount_secure() { fi fi - if echo "$mount_output" | grep --quiet "$mount_folder " ; then + if findmnt --noheadings "$mount_folder " >/dev/null ; then ## Already mounted. Using remount. $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 From 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:49:53 -0400 Subject: [PATCH 0841/1650] output --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 577c2ce..e22c69e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -104,11 +104,11 @@ remount_secure() { fi if findmnt --noheadings "$mount_folder " >/dev/null ; then - ## Already mounted. Using remount. + $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else - ## Not yet mounted. Using mount bind. + $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From a423b85f81e0c066271ad7db78902ccddbeabb5a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:50:30 -0400 Subject: [PATCH 0842/1650] bumped changelog version --- changelog.upstream | 54 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 60 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f532cdc..2fb7bde 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,57 @@ +commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e +Author: Patrick Schleizer +Date: Sun Oct 22 10:49:53 2023 -0400 + + output + +commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 +Author: Patrick Schleizer +Date: Sun Oct 22 10:41:42 2023 -0400 + + refactoring + +commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:40:19 2023 -0400 + + no longer reproducible + +commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e +Author: Patrick Schleizer +Date: Sun Oct 22 10:38:48 2023 -0400 + + refactoring + +commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c +Author: Patrick Schleizer +Date: Sun Oct 22 10:37:02 2023 -0400 + + /home last because most likely to fail + +commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 +Author: Patrick Schleizer +Date: Sun Oct 22 10:32:24 2023 -0400 + + improve remount-secure + +commit ef69e512bd2e2eba0e292470bfef6336216e2605 +Author: Patrick Schleizer +Date: Sun Oct 22 10:25:57 2023 -0400 + + refactoring + +commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:22:21 2023 -0400 + + use findmnt + +commit 1120d0652ddead556801958973d61502b75f9fc7 +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:53 2023 -0400 + + bumped changelog version + commit 45ce0ff74d8f42d6a424e0742989008403891f8a Author: Patrick Schleizer Date: Sun Oct 22 10:16:43 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 4663ca4..7f00386 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:30.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 + security-misc (3:30.3-1) unstable; urgency=medium * New upstream version (local package). From 26826e8398c4d3feed07e8e3e095a87bbde9907a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:06:34 -0400 Subject: [PATCH 0843/1650] fix --- usr/bin/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e22c69e..d1f0569 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -96,7 +96,7 @@ remount_secure() { ## When this package is upgraded, the systemd unit will run again. ## If the user meanwhile manually relaxed mount options, this should not be undone. - if [ "$option_force" == "true" ]; then + if [ ! "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 @@ -113,8 +113,8 @@ remount_secure() { mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi - new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + new_mount_options="$(findmnt --noheadings "$mount_folder")" || true + $output_command "INFO: $new_mount_options" touch "$status_file_full_path" } From f1da0ce7461fab2eeb421daa886ddd9856c9fd52 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:11:10 -0400 Subject: [PATCH 0844/1650] fix --- usr/bin/remount-secure | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d1f0569..5c842ad 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
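Review bot: `if [ ! "$option_force" == "true" ]; then` in the first hunk of the "fix" patch negates a `==` inside `[`, where the idiomatic and POSIX-portable form is `if [ "$option_force" != "true" ]; then`; `==` in `test` is a bash extension. The fix itself is right: without `--force` the status file now short-circuits, and with `--force` it is ignored. remount_secure's body continues outside both hunks.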
@@ -24,14 +24,14 @@ init() { $output_command "ERROR: must be run as root! sudo $0" exit 1 fi + $output_command "START" mkdir --parents "/run/remount-secure" exit_code=0 - mount_output="$(mount)" ## Debugging. - $output_command "INFO: mount_output:" - $output_command "$mount_output" + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" $output_command "" } @@ -103,7 +103,7 @@ remount_secure() { fi fi - if findmnt --noheadings "$mount_folder " >/dev/null ; then + if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 @@ -153,6 +153,9 @@ _home() { } end() { + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the END." + $output_command "$(findmnt --list)" exit $exit_code } From 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:12:54 -0400 Subject: [PATCH 0845/1650] improve --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 5c842ad..d19078b 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -113,8 +113,8 @@ remount_secure() { mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi - new_mount_options="$(findmnt --noheadings "$mount_folder")" || true - $output_command "INFO: $new_mount_options" + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: $new_mount_options" touch "$status_file_full_path" } From 975a017dec26f671b7869ba4ad94b3a4d2faf999 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:13:05 -0400 Subject: [PATCH 0846/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2fb7bde..f63eee0 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 +Author: Patrick Schleizer +Date: Sun Oct 22 11:12:54 2023 -0400 + + improve + +commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 +Author: Patrick Schleizer +Date: Sun Oct 22 11:11:10 2023 -0400 + + fix + +commit 26826e8398c4d3feed07e8e3e095a87bbde9907a +Author: Patrick Schleizer +Date: Sun Oct 22 11:06:34 2023 -0400 + + fix + +commit a423b85f81e0c066271ad7db78902ccddbeabb5a +Author: Patrick Schleizer +Date: Sun Oct 22 10:50:30 2023 -0400 + + bumped changelog version + commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e Author: Patrick Schleizer Date: Sun Oct 22 10:49:53 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 7f00386..1ce238e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 + security-misc (3:30.4-1) unstable; urgency=medium * New upstream version (local package). From e7d30955e88b0a052e9159c11f4c1e1a47dadb49 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:28:08 -0400 Subject: [PATCH 0847/1650] debugging --- usr/bin/remount-secure | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d19078b..01b6aec 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -109,6 +109,15 @@ remount_secure() { mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." + + ## Debugging. + ls "$mount_folder" /x >/dev/null || true + if test -d "$mount_folder" ; then + $output_command "INFO: '$mount_folder' folder exists: yes" + else + $output_command "INFO: '$mount_folder' folder exists: no" + fi + $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From 1696c37251fe6158118ac3a694c2e11439de5c46 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:28:18 -0400 Subject: [PATCH 0848/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f63eee0..3f83e87 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:08 2023 -0400 + + debugging + +commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 +Author: Patrick Schleizer +Date: Sun Oct 22 11:13:05 2023 -0400 + + bumped changelog version + commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 Author: Patrick Schleizer Date: Sun Oct 22 11:12:54 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 1ce238e..0e1192d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 + security-misc (3:30.5-1) unstable; urgency=medium * New upstream version (local package). From 84ca0ac8a0b6a72a28e030081299b402749b9348 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:54:25 -0400 Subject: [PATCH 0849/1650] improve remount-secure --- usr/bin/remount-secure | 72 +++++++++++++++---- .../20remount-secure/module-setup.sh | 2 + 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 01b6aec..270a40e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -6,6 +6,7 @@ ## noexec in /tmp and/or /home can break some malware but also legitimate ## applications. +## https://www.kicksecure.com/wiki/Dev/remount-secure ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 #set -x @@ -29,10 +30,26 @@ init() { mkdir --parents "/run/remount-secure" exit_code=0 + ## dracut sets NEWROOT=/sysroot + [[ -v NEWROOT ]] || NEWROOT="" + if [ "$NEWROOT" = "" ]; then + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + else + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + fi + ## Debugging. $output_command "INFO: 'findmnt --list' output at the START." $output_command "$(findmnt --list)" $output_command "" + + ## Debugging. + #echo "ls -la /root/" + #ls -la / || true + #echo "ls -la /sysroot/" + #ls -la /sysroot/ || true + #echo "env" + #env || true } parse_options() { 
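Review bot: Both branches of the new `if [ "$NEWROOT" = "" ]` test print `INFO: dracut detected: yes`, so the empty-NEWROOT case is logged as running under dracut; the then-branch should read `$output_command "INFO: dracut detected: no - NEWROOT: '$NEWROOT'"`. Since the whole script keys on this variable from here on, the comment `## dracut sets NEWROOT=/sysroot` should also state the other half of the contract: an unset or empty NEWROOT means the script is running on the booted system and the targets below resolve to the real root. init() begins before this hunk.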
@@ -103,21 +120,19 @@ remount_secure() { fi fi + if ! test -d "$mount_folder" ; then + $output_command "INFO: '$mount_folder' folder exists: no" + exit_code=102 + return 0 + fi + $output_command "INFO: '$mount_folder' folder exists: yes" + if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." - - ## Debugging. - ls "$mount_folder" /x >/dev/null || true - if test -d "$mount_folder" ; then - $output_command "INFO: '$mount_folder' folder exists: yes" - else - $output_command "INFO: '$mount_folder' folder exists: no" - fi - $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi 
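Review bot: The new `if ! test -d "$mount_folder"` branch sets `exit_code=102` before `return 0`, so a mount point that simply does not exist on a given system makes the whole run exit non-zero and, through the dracut hook on this page, produces the same warn/return 1 as a failed mount. If an absent directory is expected for some targets, log it and return without touching exit_code; if it is always an error, the message should say `ERROR:` rather than `INFO:` so the log matches the exit status. The function starts and ends outside this hunk.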
@@ -128,35 +143,62 @@ remount_secure() { touch "$status_file_full_path" } -_run() { - mount_folder="/run" +_boot() { + mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } +_run() { + mount_folder="$NEWROOT/run" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +## TODO +# _dev() { +# mount_folder="$NEWROOT/dev" +# intended_mount_options="nosuid,${noexec_maybe}" +# remount_secure "$@" +# } + _dev_shm() { - mount_folder="/dev/shm" + mount_folder="$NEWROOT/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { - mount_folder="/tmp" + mount_folder="$NEWROOT/tmp" + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_var() { + mount_folder="$NEWROOT/var" + ## TODO: nodev? noexec? + intended_mount_options="nosuid" + remount_secure "$@" +} + +_var_tmp() { + mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 # _lib() { -# mount_folder="/lib" +# mount_folder="$NEWROOT/lib" # ## Not using noexec on /lib. # intended_mount_options="nosuid,nodev" # remount_secure "$@" # } _home() { - mount_folder="/home" + mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 52b5faa..c48d08c 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
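Review bot: `_boot`, `_var` and `_var_tmp` are defined here, but no hunk of this patch touches main(), which per the reorder patch earlier on this page calls only `_run`, `_dev_shm`, `_tmp` and `_home`; unless main is updated elsewhere, the three new targets are never remounted. `_boot` also carries the systemd-devel link copied from `_run`, which documents /run rather than /boot; drop it or replace it with the reason /boot gets these options. `_var` hardens with `nosuid` only and is marked TODO; a one-line comment on why `nodev` and `noexec` are withheld there would stop the next reader from adding them blindly.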
@@ -9,6 +9,7 @@ check() { require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 + require_binaries env || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -25,6 +26,7 @@ install() { inst_multiple touch inst_multiple grep inst_multiple id + inst_multiple env inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From 479ab61a1d0c91d26c2cd200d97b39b2b786e073 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:55:20 -0400 Subject: [PATCH 0850/1650] remove no longer required remount-service systemd unit --- .../system-preset/50-security-misc.preset | 3 --- lib/systemd/system/remount-secure.service | 21 ------------------- 2 files changed, 24 deletions(-) delete mode 100644 lib/systemd/system/remount-secure.service diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index be35459..aee8b99 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -7,8 +7,5 @@ disable hide-hardware-info.service ## Disable for now until development finished / tested. disable permission-hardening.service -## Disable for now until development finished / tested. -disable remount-secure.service - ## Disable due to pkexec issues. disable proc-hidepid.service diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service deleted file mode 100644 index ba6e017..0000000 --- a/lib/systemd/system/remount-secure.service +++ /dev/null 
@@ -1,21 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -After=qubes-sysinit.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/bin/remount-secure - -[Install] -WantedBy=sysinit.target From f70f36e6cfead0038075d715e430e15aedae459f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:55:41 -0400 Subject: [PATCH 0851/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3f83e87..93e0a91 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:20 2023 -0400 + + remove no longer required remount-service systemd unit + +commit 84ca0ac8a0b6a72a28e030081299b402749b9348 +Author: Patrick Schleizer +Date: Sun Oct 22 12:54:25 2023 -0400 + + improve remount-secure + +commit 1696c37251fe6158118ac3a694c2e11439de5c46 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:18 2023 -0400 + + bumped changelog version + commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 Author: Patrick Schleizer Date: Sun Oct 22 11:28:08 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0e1192d..b2e0801 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 + security-misc (3:30.6-1) unstable; urgency=medium * New upstream version (local package). 
From 28cb53341d48ece9e042caea03e7159b0f93c2ee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:11:44 -0400 Subject: [PATCH 0852/1650] remount-secure dracut module: improve output --- usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 7e046be..0e85b6a 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -13,7 +13,9 @@ remount_hook() { if getargbool 1 remountnoexec; then if ! remount-secure --remountnoexec ; then warn "'remount-secure --remountnoexec' failed." + return 1 fi + info "'remount-secure --remountnoexec' success." return 0 fi @@ -21,10 +23,12 @@ remount_hook() { if ! remount-secure ; then warn "'remount-secure' failed." fi + info "'remount-secure' success." return 0 fi warn "Not using remount-secure." + return 1 } remount_hook From b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:12:25 -0400 Subject: [PATCH 0853/1650] fix --- usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 0e85b6a..57fbf9c 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -22,6 +22,7 @@ remount_hook() { if getargbool 1 remountsecure; then if ! remount-secure ; then warn "'remount-secure' failed." + return 1 fi info "'remount-secure' success." return 0 From 4288e10554f854d6dd9be092ddbf6a62686b1549 Mon Sep 17 00:00:00 2001 
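Review bot: The `warn "Not using remount-secure."` branch now ends in `return 1`, so a kernel command line that simply does not request remounting makes the hook fail the same way a broken `remount-secure` run does, and the log cannot tell the two apart. `info "Not using remount-secure."` with `return 0` keeps "not requested" out of the failure path; only the two `! remount-secure` branches are genuine errors. The second branch also gets the `info ... success` line but not the `return 1` the first branch received, so in this revision a failed plain `remount-secure` still logs success. remount_hook() begins above the hunk.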
From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:25:31 -0400 Subject: [PATCH 0854/1650] fix, rework remount-secure kernel parameters parsing --- etc/default/grub.d/40_remmount-secure.cfg | 2 +- .../modules.d/20remount-secure/remount-secure.sh | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 29d8718..b012d6d 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -7,4 +7,4 @@ #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" ## Re-mount with nodev, nosuid, noexec. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=noexec" diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 57fbf9c..396ce92 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -7,10 +7,12 @@ ## options based on kernel command line parameters. remount_hook() { - local remount_action - remount_action=$(getarg remountsecure) + local remountsecure_action + ## getarg returns the last parameter only. + ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. + remountsecure_action=$(getarg remountsecure) - if getargbool 1 remountnoexec; then + if [ "$remountsecure_action" = "1" ]; then if ! remount-secure --remountnoexec ; then warn "'remount-secure --remountnoexec' failed." return 1 @@ -19,7 +21,7 @@ remount_hook() { return 0 fi - if getargbool 1 remountsecure; then + if [ "$remountsecure_action" = "noexec" ]; then if ! remount-secure ; then warn "'remount-secure' failed." return 1 From 6675a2e93194ea15daeb22bee707cf49563f69fe Mon Sep 17 00:00:00 2001 
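Review bot: The two comparisons are wired the opposite way from the grub.d comment in the same patch: `remountsecure=1` now runs `remount-secure --remountnoexec`, while `remountsecure=noexec`, documented there as "Re-mount with nodev, nosuid, noexec", runs the plain `remount-secure`. Swap the two conditions so `if [ "$remountsecure_action" = "noexec" ]; then` guards the `--remountnoexec` call and `= "1"` guards the plain one. Moving from getargbool to an exact string match also narrows what is accepted — getargbool, as far as I recall, treated anything other than 0/no/off as true — so the comment above `remountsecure_action=$(getarg remountsecure)` should state that only `1` and `noexec` are recognised. The rest of remount_hook() is outside this hunk.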
From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:30:50 -0400 Subject: [PATCH 0855/1650] fix --- usr/bin/remount-secure | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 270a40e..b135b22 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -157,12 +157,11 @@ _run() { remount_secure "$@" } -## TODO -# _dev() { -# mount_folder="$NEWROOT/dev" -# intended_mount_options="nosuid,${noexec_maybe}" -# remount_secure "$@" -# } +_dev() { + mount_folder="$NEWROOT/dev" + intended_mount_options="nosuid,${noexec_maybe}" + remount_secure "$@" +} _dev_shm() { mount_folder="$NEWROOT/dev/shm" @@ -213,9 +212,13 @@ end() { main() { init "$@" parse_options "$@" + _boot "$@" _run "$@" + _dev "$@" _dev_shm "$@" _tmp "$@" + _var "$@" + _var_tmp "$@" #_lib "$@" _home "$@" end "$@" From e689f38ad0ba9727d482dbab25ea5d88e67a8edf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:31:44 -0400 Subject: [PATCH 0856/1650] todo --- usr/bin/remount-secure | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b135b22..fbbc16d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -209,18 +209,19 @@ end() { exit $exit_code } +## TODO: need to be tested one by one main() { init "$@" parse_options "$@" _boot "$@" - _run "$@" - _dev "$@" - _dev_shm "$@" - _tmp "$@" - _var "$@" - _var_tmp "$@" + #_run "$@" + #_dev "$@" + #_dev_shm "$@" + #_tmp "$@" + #_var "$@" + #_var_tmp "$@" #_lib "$@" - _home "$@" + #_home "$@" end "$@" } From 3c183294cd8a402418eafc1e657c6524be49c487 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:31:55 -0400 Subject: [PATCH 0857/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) 
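Review bot: `intended_mount_options="nosuid,${noexec_maybe}"` in the newly enabled `_dev` expands to `nosuid,` when noexec is off and to `nosuid,,noexec` when it is on, because, judging from the sibling pattern `nodev${noexec_maybe}`, the variable carries its own leading comma; whether mount tolerates the empty option or remount_secure's comparison with the live options (not visible here) simply never matches, the string is not what was intended. `intended_mount_options="nosuid${noexec_maybe}"` fixes it. Leaving nodev off /dev is correct, but a one-line comment saying so would stop the next reader from "fixing" it to match the others. main() in the second hunk switches on all eight remounts at once; enabling `_dev` on its own first would make a failure attributable.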
diff --git a/changelog.upstream b/changelog.upstream index 93e0a91..2cd61c7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:44 2023 -0400 + + todo + +commit 6675a2e93194ea15daeb22bee707cf49563f69fe +Author: Patrick Schleizer +Date: Sun Oct 22 13:30:50 2023 -0400 + + fix + +commit 4288e10554f854d6dd9be092ddbf6a62686b1549 +Author: Patrick Schleizer +Date: Sun Oct 22 13:25:31 2023 -0400 + + fix, rework remount-secure kernel parameters parsing + +commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 +Author: Patrick Schleizer +Date: Sun Oct 22 13:12:25 2023 -0400 + + fix + +commit 28cb53341d48ece9e042caea03e7159b0f93c2ee +Author: Patrick Schleizer +Date: Sun Oct 22 13:11:44 2023 -0400 + + remount-secure dracut module: improve output + +commit f70f36e6cfead0038075d715e430e15aedae459f +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:41 2023 -0400 + + bumped changelog version + commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 Author: Patrick Schleizer Date: Sun Oct 22 12:55:20 2023 -0400 diff --git a/debian/changelog b/debian/changelog index b2e0801..79b1440 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 + security-misc (3:30.7-1) unstable; urgency=medium * New upstream version (local package). From 8a592c2e371de1136d566e707ba56ce89309230a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:56:17 -0400 Subject: [PATCH 0858/1650] fix remountsecure kernel parameter logic --- .../20remount-secure/remount-secure.sh | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 396ce92..ba1bb61 100755 
--- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -13,16 +13,7 @@ remount_hook() { remountsecure_action=$(getarg remountsecure) if [ "$remountsecure_action" = "1" ]; then - if ! remount-secure --remountnoexec ; then - warn "'remount-secure --remountnoexec' failed." - return 1 - fi - info "'remount-secure --remountnoexec' success." - return 0 - fi - - if [ "$remountsecure_action" = "noexec" ]; then - if ! remount-secure ; then + if ! remount-secure; then warn "'remount-secure' failed." return 1 fi @@ -30,6 +21,15 @@ remount_hook() { return 0 fi + if [ "$remountsecure_action" = "noexec" ]; then + if ! remount-secure --remountnoexec; then + warn "'remount-secure --remountnoexec' failed." + return 1 + fi + info "'remount-secure --remountnoexec' success." + return 0 + fi + warn "Not using remount-secure." return 1 } From 52fa7db0874be85a3db296499ab76f84a5f518db Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:57:38 -0400 Subject: [PATCH 0859/1650] output --- .../modules.d/20remount-secure/remount-secure.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index ba1bb61..1a5ae15 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh 
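Review bot: After the swap the two branches differ only in the flag passed to remount-secure and in the log strings, so the hook now carries the same four-line block twice; a `case` over `$remountsecure_action` that picks the extra argument once and makes a single call reads more clearly and keeps the two paths from drifting apart again, as they did in the previous two patches (add `local remount_args` next to the existing `local` line). The explicit-disable value `remountsecure=0` and the absent-parameter case both end in a warning plus `return 1`; the disabled case at least is expected rather than an error and could log at info level. The `local` and getarg lines at the start of remount_hook() are outside this hunk.
```shell
    ## … unchanged: local declaration and getarg remountsecure …
    case "$remountsecure_action" in
        1) remount_args="" ;;
        noexec) remount_args="--remountnoexec" ;;
        *)
            warn "Not using remount-secure."
            return 1
            ;;
    esac
    ## One call for both modes; an empty remount_args passes no argument at all.
    if ! remount-secure ${remount_args:+"$remount_args"}; then
        warn "'remount-secure $remount_args' failed."
        return 1
    fi
    info "'remount-secure $remount_args' success."
    return 0
```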
@@ -14,23 +14,23 @@ remount_hook() {
if [ "$remountsecure_action" = "1" ]; then
if ! remount-secure; then
- warn "'remount-secure' failed."
+ warn "$0: ERROR: 'remount-secure' failed."
return 1
fi
- info "'remount-secure' success."
+ info "$0: INFO: 'remount-secure' success."
return 0
fi
if [ "$remountsecure_action" = "noexec" ]; then
if ! remount-secure --remountnoexec; then
- warn "'remount-secure --remountnoexec' failed."
+ warn "$0: ERROR: 'remount-secure --remountnoexec' failed."
return 1
fi
- info "'remount-secure --remountnoexec' success."
+ info "$0: INFO: 'remount-secure --remountnoexec' success."
return 0
fi
- warn "Not using remount-secure."
+ warn "$0: WARNING: Not using remount-secure."
return 1
}
From 619f1705e13232680f38bc630f19f2ace32f48ad Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 13:58:55 -0400
Subject: [PATCH 0860/1650] output
---
usr/bin/remount-secure | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure
index fbbc16d..ea54bad 100755
--- a/usr/bin/remount-secure
+++ b/usr/bin/remount-secure
@@ -25,7 +25,7 @@ init() {
$output_command "ERROR: must be run as root! sudo $0"
exit 1
fi
- $output_command "START"
+ $output_command "$0: INFO: START"
mkdir --parents "/run/remount-secure"
exit_code=0
@@ -206,6 +206,7 @@ end() {
## Debugging.
$output_command "INFO: 'findmnt --list' output at the END."
$output_command "$(findmnt --list)"
+ $output_command "$0: INFO: END"
exit $exit_code
}
From 245fad09868c2d84bee66d65ecca32704786919b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 14:00:06 -0400
Subject: [PATCH 0861/1650] fix
---
usr/bin/remount-secure | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure
index ea54bad..b4424ae 100755
--- a/usr/bin/remount-secure
+++ b/usr/bin/remount-secure
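Review bot: `$0` in the new warn/info strings will not identify this file: dracut sources hook scripts into the already running shell, so as far as I can tell `$0` expands to that shell's name (usually `/init`), not to remount-secure.sh. A literal tag, `warn "remount-secure hook: ERROR: 'remount-secure' failed."`, is stable and greppable. The `$0` added to usr/bin/remount-secure in the next hunk is fine, since that script is executed (`remount-secure`) rather than sourced. remount_hook()'s opening lines are outside this hunk.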
@@ -189,12 +189,12 @@ _var_tmp() { } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 -# _lib() { -# mount_folder="$NEWROOT/lib" -# ## Not using noexec on /lib. -# intended_mount_options="nosuid,nodev" -# remount_secure "$@" -# } +_lib() { + mount_folder="$NEWROOT/lib" + ## Not using noexec on /lib. + intended_mount_options="nosuid,nodev" + remount_secure "$@" +} _home() { mount_folder="$NEWROOT/home" @@ -215,13 +215,20 @@ main() { init "$@" parse_options "$@" _boot "$@" + #_run "$@" + + ## TODO: ? #_dev "$@" + #_dev_shm "$@" #_tmp "$@" #_var "$@" #_var_tmp "$@" + + ## TODO: broken? #_lib "$@" + #_home "$@" end "$@" } From 6198ae317c4d8cbd06d95d5e2a585892f455cab6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:29:02 -0400 Subject: [PATCH 0862/1650] fix --- usr/bin/remount-secure | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b4424ae..cf511e4 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -151,45 +151,46 @@ _boot() { } _run() { - mount_folder="$NEWROOT/run" + mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev() { - mount_folder="$NEWROOT/dev" + mount_folder="/dev" intended_mount_options="nosuid,${noexec_maybe}" remount_secure "$@" } _dev_shm() { - mount_folder="$NEWROOT/dev/shm" + mount_folder="/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { - mount_folder="$NEWROOT/tmp" + mount_folder="/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _var() { - mount_folder="$NEWROOT/var" + mount_folder="/var" ## TODO: nodev? noexec? intended_mount_options="nosuid" remount_secure "$@" } _var_tmp() { - mount_folder="$NEWROOT/var/tmp" + mount_folder="/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { + ## TODO: NEWROOT? mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. intended_mount_options="nosuid,nodev" @@ -216,13 +217,15 @@ main() { parse_options "$@" _boot "$@" - #_run "$@" + _run "$@" ## TODO: ? #_dev "$@" - #_dev_shm "$@" - #_tmp "$@" + _dev_shm "$@" + _tmp "$@" + + ## TODO: ? #_var "$@" #_var_tmp "$@" From b29b626b41545fd49b67631820ae40d0fe000f22 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:30:28 -0400 Subject: [PATCH 0863/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2cd61c7..617b65b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
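Review bot: This hunk takes /run, /dev, /dev/shm, /tmp, /var and /var/tmp off `$NEWROOT` while `_boot` (just above the hunk) and `_lib` keep it, and for /tmp and /var that is the wrong direction: from the dracut cleanup hook the script now remounts the initramfs's own /tmp and /var, which are discarded at switch_root, so the booted system's filesystems never receive the options. Patches 0868 and 0881 later on this page move /tmp, /var and /var/log back under `$NEWROOT` but leave `_var_tmp` at `/var/tmp`, so the same gap remains there. If, as with switch_root, /run and /dev are moved into the new root rather than recreated, bare paths are right for them, and a per-function comment should say which case applies, e.g. `## initramfs mount, moved into the new root by switch_root` on `mount_folder="/run"` versus `## must target the real root; the initramfs copy is discarded` on `mount_folder="$NEWROOT/tmp"`. The `## TODO: NEWROOT?` left on _lib is the same question and should get the same answer.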
@@ -1,3 +1,39 @@ +commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 +Author: Patrick Schleizer +Date: Sun Oct 22 14:29:02 2023 -0400 + + fix + +commit 245fad09868c2d84bee66d65ecca32704786919b +Author: Patrick Schleizer +Date: Sun Oct 22 14:00:06 2023 -0400 + + fix + +commit 619f1705e13232680f38bc630f19f2ace32f48ad +Author: Patrick Schleizer +Date: Sun Oct 22 13:58:55 2023 -0400 + + output + +commit 52fa7db0874be85a3db296499ab76f84a5f518db +Author: Patrick Schleizer +Date: Sun Oct 22 13:57:38 2023 -0400 + + output + +commit 8a592c2e371de1136d566e707ba56ce89309230a +Author: Patrick Schleizer +Date: Sun Oct 22 13:56:17 2023 -0400 + + fix remountsecure kernel parameter logic + +commit 3c183294cd8a402418eafc1e657c6524be49c487 +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:55 2023 -0400 + + bumped changelog version + commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf Author: Patrick Schleizer Date: Sun Oct 22 13:31:44 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 79b1440..0bb8875 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 + security-misc (3:30.8-1) unstable; urgency=medium * New upstream version (local package). From 7c0ea4324aa1713f365f7352a3e4db1b703d9750 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:39:52 -0400 Subject: [PATCH 0864/1650] fix --- usr/bin/remount-secure | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index cf511e4..fa0ce54 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -227,12 +227,13 @@ main() { ## TODO: ? #_var "$@" - #_var_tmp "$@" + + _var_tmp "$@" ## TODO: broken? #_lib "$@" - #_home "$@" + _home "$@" end "$@" } From c85db586cadbe781704e62405a76e43650046d2c Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:44:58 -0400 Subject: [PATCH 0865/1650] improve --- usr/bin/remount-secure | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index fa0ce54..d282ad5 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -188,6 +188,18 @@ _var_tmp() { remount_secure "$@" } +_var_log() { + mount_folder="/var/log" + intended_mount_options="nosuid,nodev,noexec" + remount_secure "$@" +} + +_var_log_audit() { + mount_folder="/var/log/audit" + intended_mount_options="nosuid,nodev,noexec" + remount_secure "$@" +} + ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { ## TODO: NEWROOT? @@ -230,6 +242,10 @@ main() { _var_tmp "$@" + ## TODO: ? + #_var_log + #_var_log_audit + ## TODO: broken? #_lib "$@" From 7f03c2b13742e583e426c91ff4e111b6c0e7da43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:45:45 -0400 Subject: [PATCH 0866/1650] fix --- usr/bin/remount-secure | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d282ad5..540a9ce 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -225,32 +225,31 @@ end() { ## TODO: need to be tested one by one main() { - init "$@" + init parse_options "$@" - _boot "$@" - - _run "$@" + _boot + _run ## TODO: ? - #_dev "$@" + #_dev - _dev_shm "$@" - _tmp "$@" + _dev_shm + _tmp ## TODO: ? - #_var "$@" + #_var - _var_tmp "$@" + _var_tmp ## TODO: ? #_var_log #_var_log_audit ## TODO: broken? - #_lib "$@" + #_lib - _home "$@" - end "$@" + _home + end } main "$@" From f44020973897d98fdc21ced748ad64106979829e Mon Sep 17 00:00:00 2001 
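Review bot: `_var_log` and `_var_log_audit` hard-code `noexec` while every sibling takes it from `${noexec_maybe}`, and the hunk does not say why; a one-line comment such as `## noexec unconditionally: nothing under /var/log is meant to be executed` above the assignment documents the deliberate divergence. Both functions are added unreferenced — their main() calls two hunks down are commented out, and without the `"$@"` the other calls pass — which is fine as a placeholder, but the `## TODO: ?` there should say what is unknown, presumably whether these paths are separate mounts on a given system, which remount_secure (outside the hunk) may or may not require.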
From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:46:42 -0400 Subject: [PATCH 0867/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 617b65b..b9bb28c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 +Author: Patrick Schleizer +Date: Sun Oct 22 14:45:45 2023 -0400 + + fix + +commit c85db586cadbe781704e62405a76e43650046d2c +Author: Patrick Schleizer +Date: Sun Oct 22 14:44:58 2023 -0400 + + improve + +commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 +Author: Patrick Schleizer +Date: Sun Oct 22 14:39:52 2023 -0400 + + fix + +commit b29b626b41545fd49b67631820ae40d0fe000f22 +Author: Patrick Schleizer +Date: Sun Oct 22 14:30:28 2023 -0400 + + bumped changelog version + commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 Author: Patrick Schleizer Date: Sun Oct 22 14:29:02 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0bb8875..a5be996 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 + security-misc (3:30.9-1) unstable; urgency=medium * New upstream version (local package). From eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:05:33 -0400 Subject: [PATCH 0868/1650] fix --- usr/bin/remount-secure | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 540a9ce..2d04fd7 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -170,13 +170,13 @@ _dev_shm() { } _tmp() { - mount_folder="/tmp" + mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _var() { - mount_folder="/var" + mount_folder="$NEWROOT/var" ## TODO: nodev? noexec? intended_mount_options="nosuid" remount_secure "$@" @@ -189,20 +189,13 @@ _var_tmp() { } _var_log() { - mount_folder="/var/log" - intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" -} - -_var_log_audit() { - mount_folder="/var/log/audit" + mount_folder="$NEWROOT/var/log" intended_mount_options="nosuid,nodev,noexec" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { - ## TODO: NEWROOT? mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. intended_mount_options="nosuid,nodev" @@ -240,10 +233,7 @@ main() { #_var _var_tmp - - ## TODO: ? - #_var_log - #_var_log_audit + _var_log ## TODO: broken? #_lib From f3286cf440992661ba85b5c7e41b92ffaca62cf3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:10:21 -0400 Subject: [PATCH 0869/1650] fix --- usr/bin/remount-secure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 2d04fd7..282a34a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -229,8 +229,7 @@ main() { _dev_shm _tmp - ## TODO: ? - #_var + _var _var_tmp _var_log From eec87a0508a6242430a1f0b8ad341f4c3ea43059 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:11:26 -0400 Subject: [PATCH 0870/1650] fix --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 282a34a..ffd24b0 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -194,10 +194,10 @@ _var_log() { remount_secure "$@" } -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. + ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" remount_secure "$@" } From 3731716a497c233127bff3febbe22d5cf088aad8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:14:22 -0400 Subject: [PATCH 0871/1650] fix --- usr/bin/remount-secure | 6 ------ 1 file changed, 6 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index ffd24b0..489b39d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -228,15 +228,9 @@ main() { _dev_shm _tmp - _var - _var_tmp _var_log - - ## TODO: broken? - #_lib - _home end } From 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:27:01 -0400 Subject: [PATCH 0872/1650] fix --- usr/bin/remount-secure | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 489b39d..9feb123 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -159,7 +159,7 @@ _run() { _dev() { mount_folder="/dev" - intended_mount_options="nosuid,${noexec_maybe}" + intended_mount_options="nosuid,noexec" remount_secure "$@" } @@ -177,8 +177,7 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" - ## TODO: nodev? noexec? - intended_mount_options="nosuid" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } 
@@ -216,22 +215,21 @@ end() { exit $exit_code } -## TODO: need to be tested one by one main() { init parse_options "$@" + _boot _run - - ## TODO: ? - #_dev - + _dev _dev_shm _tmp _var - _var_tmp - _var_log + ## /var implies /var/tmp, /var/log and /var/log/audit + #_var_tmp + #_var_log _home + end } From 36f2acb93f65958b27bae030f1d2bd66a278e073 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:28:04 -0400 Subject: [PATCH 0873/1650] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b9bb28c..bae8f0a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 +Author: Patrick Schleizer +Date: Sun Oct 22 15:27:01 2023 -0400 + + fix + +commit 3731716a497c233127bff3febbe22d5cf088aad8 +Author: Patrick Schleizer +Date: Sun Oct 22 15:14:22 2023 -0400 + + fix + +commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 +Author: Patrick Schleizer +Date: Sun Oct 22 15:11:26 2023 -0400 + + fix + +commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:10:21 2023 -0400 + + fix + +commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 +Author: Patrick Schleizer +Date: Sun Oct 22 15:05:33 2023 -0400 + + fix + +commit f44020973897d98fdc21ced748ad64106979829e +Author: Patrick Schleizer +Date: Sun Oct 22 14:46:42 2023 -0400 + + bumped changelog version + commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 Author: Patrick Schleizer Date: Sun Oct 22 14:45:45 2023 -0400 diff --git a/debian/changelog b/debian/changelog index a5be996..cc1f8da 100644 --- a/debian/changelog +++ b/debian/changelog 
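Review bot: The new comment `## /var implies /var/tmp, /var/log and /var/log/audit` only holds when those directories live on the /var filesystem; if any of them is its own mount (a tmpfs /var/tmp, a separate /var/log), remounting /var does not change its options, and commenting out `_var_tmp` and `_var_log` leaves them without nosuid/nodev/noexec. Keeping both calls active costs nothing when they are not separate mounts, provided remount_secure (outside this hunk) tolerates a non-mountpoint, which I cannot confirm from here; either way the comment should not claim inheritance. In the earlier hunk of this patch `_var` gains `${noexec_maybe}`, which puts /var/lib/dpkg/info under noexec when opted in — worth checking against package maintainer scripts before this lands.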
@@ -1,3 +1,9 @@ +security-misc (3:31.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 + security-misc (3:31.0-1) unstable; urgency=medium * New upstream version (local package). From 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:33:11 -0400 Subject: [PATCH 0874/1650] fix --- usr/bin/remount-secure | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9feb123..0e8f704 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -177,7 +177,9 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" - intended_mount_options="nosuid,nodev${noexec_maybe}" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info/ folder. + intended_mount_options="nosuid,nodev" remount_secure "$@" } @@ -225,9 +227,8 @@ main() { _dev_shm _tmp _var - ## /var implies /var/tmp, /var/log and /var/log/audit - #_var_tmp - #_var_log + _var_tmp + _var_log _home end From fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:33:21 -0400 Subject: [PATCH 0875/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bae8f0a..e7039a7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:11 2023 -0400 + + fix + +commit 36f2acb93f65958b27bae030f1d2bd66a278e073 +Author: Patrick Schleizer +Date: Sun Oct 22 15:28:04 2023 -0400 + + bumped changelog version + commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 Author: Patrick Schleizer Date: Sun Oct 22 15:27:01 2023 -0400 
diff --git a/debian/changelog b/debian/changelog index cc1f8da..dc1c831 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 + security-misc (3:31.1-1) unstable; urgency=medium * New upstream version (local package). From ce0babce215dc4ec08101cff5e0d25ad6ec87e70 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:35:03 -0400 Subject: [PATCH 0876/1650] comment --- usr/bin/remount-secure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0e8f704..5fa177b 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -159,6 +159,8 @@ _run() { _dev() { mount_folder="/dev" + ## /dev should be nosuid,noexec as per: + ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 intended_mount_options="nosuid,noexec" remount_secure "$@" } From f80b5fe3767502f6890bdfb7bc32a602c94828d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:36:16 -0400 Subject: [PATCH 0877/1650] fix --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 5fa177b..9f81d30 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -146,7 +146,7 @@ remount_secure() { _boot() { mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev,noexec" remount_secure "$@" } 
@@ -199,7 +199,7 @@ _var_log() { _lib() { mount_folder="$NEWROOT/lib" - ## Not using noexec on /lib. + ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" remount_secure "$@" From 7112eac3be014938f757e0c0def74bb04dc72d2f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:37:21 -0400 Subject: [PATCH 0878/1650] output --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9f81d30..ab25e33 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -215,6 +215,7 @@ end() { ## Debugging. $output_command "INFO: 'findmnt --list' output at the END." $output_command "$(findmnt --list)" + $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code } From a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:40:49 -0400 Subject: [PATCH 0879/1650] fix --- usr/bin/remount-secure | 2 +- usr/share/lintian/overrides/security-misc | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index ab25e33..130042c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -180,7 +180,7 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info/ folder. + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. intended_mount_options="nosuid,nodev" remount_secure "$@" } diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index b18ab3b..a82ad23 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -9,3 +9,6 @@ security-misc: no-manual-page [usr/bin/pkexec.security-misc] ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] + +## False-positive. Just a comment mentioning dpkg's folder. +security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] From 316282952f7d2470c89f268beea01b8bac9bb4bb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:40:59 -0400 Subject: [PATCH 0880/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e7039a7..4244acb 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:49 2023 -0400 + + fix + +commit 7112eac3be014938f757e0c0def74bb04dc72d2f +Author: Patrick Schleizer +Date: Sun Oct 22 15:37:21 2023 -0400 + + output + +commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 +Author: Patrick Schleizer +Date: Sun Oct 22 15:36:16 2023 -0400 + + fix + +commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 +Author: Patrick Schleizer +Date: Sun Oct 22 15:35:03 2023 -0400 + + comment + +commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:21 2023 -0400 + + bumped changelog version + commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a Author: Patrick Schleizer Date: Sun Oct 22 15:33:11 2023 -0400 diff --git a/debian/changelog b/debian/changelog index dc1c831..36a49b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 + security-misc (3:31.2-1) unstable; urgency=medium * New upstream version (local package). 
From a88c0a3ad2d83fe72612faf97866e255c5527384 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:44:30 -0400 Subject: [PATCH 0881/1650] fix --- usr/bin/remount-secure | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 130042c..1c1d5b1 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -147,14 +147,14 @@ _boot() { mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" + remount_secure } _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _dev() { @@ -162,19 +162,19 @@ _dev() { ## /dev should be nosuid,noexec as per: ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 intended_mount_options="nosuid,noexec" - remount_secure "$@" + remount_secure } _dev_shm() { mount_folder="/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _tmp() { mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _var() { @@ -182,19 +182,19 @@ _var() { ## noexec: Not possible. Reason: ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. intended_mount_options="nosuid,nodev" - remount_secure "$@" + remount_secure } _var_tmp() { mount_folder="/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _var_log() { mount_folder="$NEWROOT/var/log" intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" + remount_secure } _lib() { 
@@ -202,13 +202,13 @@ _lib() { ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" - remount_secure "$@" + remount_secure } _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } end() { From 555d83792df9aa599ae9e0e7c41af49b0601c1c1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:44:47 -0400 Subject: [PATCH 0882/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4244acb..baff0ea 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a88c0a3ad2d83fe72612faf97866e255c5527384 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:30 2023 -0400 + + fix + +commit 316282952f7d2470c89f268beea01b8bac9bb4bb +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:59 2023 -0400 + + bumped changelog version + commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 Author: Patrick Schleizer Date: Sun Oct 22 15:40:49 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 36a49b9..3dda809 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 + security-misc (3:31.3-1) unstable; urgency=medium * New upstream version (local package). From 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:08:21 -0400 Subject: [PATCH 0883/1650] improve remount-secure --- usr/bin/remount-secure | 86 +++++++++++++++---- .../20remount-secure/remount-secure.sh | 26 ++---- 2 files changed, 75 insertions(+), 37 deletions(-) 
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 1c1d5b1..412cebe 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -21,11 +21,12 @@ init() { output_command=echo fi + $output_command "$0: INFO: START" + if [ "$(id -u)" != "0" ]; then $output_command "ERROR: must be run as root! sudo $0" exit 1 fi - $output_command "$0: INFO: START" mkdir --parents "/run/remount-secure" exit_code=0 @@ -33,16 +34,11 @@ init() { ## dracut sets NEWROOT=/sysroot [[ -v NEWROOT ]] || NEWROOT="" if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + $output_command "INFO: dracut detected: no" else $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" fi - ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" - ## Debugging. #echo "ls -la /root/" #ls -la / || true @@ -59,9 +55,30 @@ parse_options() { while : do case ${1:-} in - --remountnoexec) - $output_command "INFO: --remountnoexec" - noexec_maybe=",noexec" + 0) + $output_command "WARNING: Not using remount-secure." + exit 0 + shift + ;; + 1) + $output_command "INFO: level 1/3 (low)" + most_noexec_maybe="" + home_noexec_maybe="" + parsed=true + shift + ;; + 2) + $output_command "INFO: level 2/3 (medium)" + most_noexec_maybe=",noexec" + home_noexec_maybe="" + parsed=true + shift + ;; + 3) + $output_command "INFO: level 3/3 (high)" + most_noexec_maybe=",noexec" + home_noexec_maybe=",noexec" + parsed=true shift ;; --force) @@ -74,7 +91,7 @@ parse_options() { break ;; -*) - echo "unknown option: $1" >&2 + echo "ERROR: unknown option: $1" >&2 exit 1 ;; *) 
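Review bot: In the new `0)` branch of parse_options the `shift` after `exit 0` is unreachable, and nothing says that level 0 is meant to terminate the script before `--force` or any later argument is looked at, so the next reader may "fix" it into a `break` and silently change the disabled case into a run. Either drop the dead `shift` or document the intent above the case: `## Level 0 exits here on purpose: nothing is remounted and no further options are parsed.` The levels are matched only as the bare words `0`–`3`; a value such as `remountsecure=2x` presumably falls into the `*)` branch whose body is outside this hunk, so consider reporting it as an unknown level there. parse_options starts before this hunk and its tail (defaults and the level summary) is outside it.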
@@ -83,8 +100,38 @@ parse_options() { esac done - [[ -v noexec_maybe ]] || noexec_maybe="" [[ -v option_force ]] || option_force="" + [[ -v parsed ]] || parsed=false + [[ -v home_noexec_maybe ]] || home_noexec_maybe="" + [[ -v most_noexec_maybe ]] || most_noexec_maybe="" + + $output_command "INFO: using nosuid,nodev: yes" + + if [ "$home_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for all: no" + else + $output_command "INFO: using noexec for all: yes" + return 0 + fi + + if [ "$most_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for most: no" + else + $output_command "INFO: using noexec for most (not all): yes" + return 0 + fi + + if [ "$parsed" = "true" ]; then + return 0 + fi + + $output_command "ERROR: syntax error. use either: +$0 0 +$0 1 +$0 2 +$0 3" + + exit 1 } remount_secure() { @@ -153,7 +200,7 @@ _boot() { _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -167,13 +214,13 @@ _dev() { _dev_shm() { mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _tmp() { mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -187,7 +234,7 @@ _var() { _var_tmp() { mount_folder="/var/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -207,7 +254,7 @@ _lib() { _home() { mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" remount_secure } 
@@ -224,6 +271,11 @@ main() { init parse_options "$@" + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" + $output_command "" + _boot _run _dev diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 1a5ae15..b742dda 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -9,29 +9,15 @@ remount_hook() { local remountsecure_action ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. + ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. remountsecure_action=$(getarg remountsecure) - if [ "$remountsecure_action" = "1" ]; then - if ! remount-secure; then - warn "$0: ERROR: 'remount-secure' failed." - return 1 - fi - info "$0: INFO: 'remount-secure' success." - return 0 + if ! remount-secure $remountsecure_action; then + warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." + return 1 fi - - if [ "$remountsecure_action" = "noexec" ]; then - if ! remount-secure --remountnoexec; then - warn "$0: ERROR: 'remount-secure --remountnoexec' failed." - return 1 - fi - info "$0: INFO: 'remount-secure --remountnoexec' success." - return 0 - fi - - warn "$0: WARNING: Not using remount-secure." - return 1 + info "$0: INFO: 'remount-secure $remountsecure_action' success." + return 0 } remount_hook From 11382881b56556741fad5f0291ccb57a24e9c617 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:12:26 -0400 Subject: [PATCH 0884/1650] comments --- etc/default/grub.d/40_remmount-secure.cfg | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index b012d6d..76e9f45 100644 
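Review bot: `remount-secure $remountsecure_action` passes the value unquoted and has no guard for the unset case, so a kernel command line without any `remountsecure=` runs `remount-secure` with no arguments, which the new parse_options rejects as a syntax error, and the hook then logs `ERROR: 'remount-secure ' failed.` where the old code reported the deliberate off state with a WARNING. Suggest an explicit branch before the call, `if [ -z "$remountsecure_action" ]; then info "$0: INFO: no remountsecure= kernel parameter, not using remount-secure."; return 0; fi`, and quoting the argument as `remount-secure "$remountsecure_action"`. Whether getarg also returns non-zero for a missing key is not visible here; the emptiness test covers both cases.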
--- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -3,8 +3,14 @@ ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure -## Re-mount with nodev, nosuid. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" +## Disable Remount Secure. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="0" -## Re-mount with nodev, nosuid, noexec. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=noexec" +## Re-mount with nodev, nosuid only. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="1" + +## Re-mount with nodev, nosuid and most with noexec except for /home. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="2" + +## Re-mount with nodev, nosuid and all with noexec including /home. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="3" From 9a649ddd091b116c9091f3fa582d411b5186375a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:16:40 -0400 Subject: [PATCH 0885/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index baff0ea..cea6f6d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 11382881b56556741fad5f0291ccb57a24e9c617 +Author: Patrick Schleizer +Date: Sun Oct 22 16:12:26 2023 -0400 + + comments + +commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 +Author: Patrick Schleizer +Date: Sun Oct 22 16:08:21 2023 -0400 + + improve remount-secure + +commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:47 2023 -0400 + + bumped changelog version + commit a88c0a3ad2d83fe72612faf97866e255c5527384 Author: Patrick Schleizer Date: Sun Oct 22 15:44:30 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 3dda809..566a64c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:31.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 + security-misc (3:31.4-1) unstable; urgency=medium * New upstream version (local package). From f6d1346e2bde51cd70bc60246c0bfba923c00c3d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:22:08 -0400 Subject: [PATCH 0886/1650] fix --- etc/default/grub.d/40_remmount-secure.cfg | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 76e9f45..845ca46 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -4,13 +4,13 @@ ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## Disable Remount Secure. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" ## Re-mount with nodev, nosuid only. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" ## Re-mount with nodev, nosuid and most with noexec except for /home. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="2" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" ## Re-mount with nodev, nosuid and all with noexec including /home. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="3" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" From a1c3b87fcee07496af4b42e387b46488b58b73a0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:29:08 -0400 Subject: [PATCH 0887/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cea6f6d..5c0eb8f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d +Author: Patrick Schleizer +Date: Sun Oct 22 16:22:08 2023 -0400 + + fix + +commit 9a649ddd091b116c9091f3fa582d411b5186375a +Author: Patrick Schleizer +Date: Sun Oct 22 16:16:40 2023 -0400 + + bumped changelog version + commit 11382881b56556741fad5f0291ccb57a24e9c617 Author: Patrick Schleizer Date: Sun Oct 22 16:12:26 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 566a64c..a555ebd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 + security-misc (3:31.5-1) unstable; urgency=medium * New upstream version (local package). From 0e80acf38d430784fbb779f4f10c81bfe8a3813f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:45:10 -0400 Subject: [PATCH 0888/1650] fix --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 412cebe..a998c36 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -233,7 +233,7 @@ _var() { } _var_tmp() { - mount_folder="/var/tmp" + mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } From d521662d04892fb6d5477fa4450fb5488892a87a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:49:36 -0400 Subject: [PATCH 0889/1650] comment --- usr/bin/remount-secure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index a998c36..152ed26 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
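Review bot: With this fix `_var_tmp` now prefixes `$NEWROOT` like `_var_log`, but `_run` (`/run`), `_dev` (`/dev`) and `_dev_shm` (`/dev/shm`) still use absolute paths and nothing in the file says whether that asymmetry is intentional. If it is because the initramfs /dev and /run are moved into the new root by switch_root and are therefore the same mounts, a comment next to each would stop the next reader from "fixing" them the way this commit fixed `/var/tmp`, e.g. `## Intentionally no $NEWROOT: /run is moved into the new root by switch_root.` Those functions are outside this hunk.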
@@ -248,6 +248,9 @@ _lib() { mount_folder="$NEWROOT/lib" ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 + ## There are many executables in /lib. To check: + ## sudo find /var/lib -type f -executable + ## sudo find /var/lib -type f -executable ! -type l intended_mount_options="nosuid,nodev" remount_secure } From ee15f749bb4e68350498e52e8505bed43c98cbaf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:54:58 -0400 Subject: [PATCH 0890/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5c0eb8f..10fb2b9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d521662d04892fb6d5477fa4450fb5488892a87a +Author: Patrick Schleizer +Date: Sun Oct 22 16:49:36 2023 -0400 + + comment + +commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f +Author: Patrick Schleizer +Date: Sun Oct 22 16:45:10 2023 -0400 + + fix + +commit a1c3b87fcee07496af4b42e387b46488b58b73a0 +Author: Patrick Schleizer +Date: Sun Oct 22 16:29:08 2023 -0400 + + bumped changelog version + commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d Author: Patrick Schleizer Date: Sun Oct 22 16:22:08 2023 -0400 diff --git a/debian/changelog b/debian/changelog index a555ebd..8d23929 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 + security-misc (3:31.6-1) unstable; urgency=medium * New upstream version (local package). From e7aafd64d4418d43426b310653861f9024a54255 Mon Sep 17 00:00:00 2001 
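Review bot: The two `find` commands added to the `_lib` comment inspect `/var/lib`, not `/lib`, so they do not back the claim the comment makes, and the second one is redundant because `-type f` already excludes symlinks (`! -type l` cannot change the result after `-type f`). Suggest a single check, `## sudo find /lib -type f -executable`, and if `/var/lib` was actually meant, that evidence belongs in the `_var` comment about dpkg maintainer scripts. The rest of `_lib` is inside the hunk; the surrounding script is not.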
From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:16:12 -0400 Subject: [PATCH 0891/1650] refactoring --- usr/bin/remount-secure | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 152ed26..102af4f 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -134,6 +134,14 @@ $0 3" exit 1 } +preparation() { + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" + $output_command "" + true +} + remount_secure() { $output_command "" @@ -273,11 +281,7 @@ end() { main() { init parse_options "$@" - - ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" + preparation _boot _run From d2e8a6dad3b94d574cb9c043303160b06893ab97 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:21:51 -0400 Subject: [PATCH 0892/1650] debugging --- usr/bin/remount-secure | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 102af4f..9c5bb55 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -136,9 +136,9 @@ $0 3" preparation() { ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" + #$output_command "INFO: 'findmnt --list' output at the START." + #$output_command "$(findmnt --list)" + #$output_command "" true } @@ -271,8 +271,9 @@ _home() { end() { ## Debugging. - $output_command "INFO: 'findmnt --list' output at the END." - $output_command "$(findmnt --list)" + #$output_command "INFO: 'findmnt --list' output at the END." + #$output_command "$(findmnt --list)" + $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code From f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 Mon Sep 17 00:00:00 2001 
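Review bot: Commenting out the `findmnt --list` dumps in `preparation` and `end` removes the only record in the log of the mount options before and after the remount, which is exactly what an operator needs to confirm the hardening took effect after a failed or partial run; `exit_code` alone does not say which mount points changed. Rather than leaving dead commented code, gate the dump on an environment variable, e.g. `[ "${REMOUNT_SECURE_DEBUG:-}" = "1" ] && $output_command "$(findmnt --list)"`, or at least keep the END dump. The closing of end() is outside the hunk.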
From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:23:22 -0400 Subject: [PATCH 0893/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 10fb2b9..287788a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d2e8a6dad3b94d574cb9c043303160b06893ab97 +Author: Patrick Schleizer +Date: Sun Oct 22 19:21:51 2023 -0400 + + debugging + +commit e7aafd64d4418d43426b310653861f9024a54255 +Author: Patrick Schleizer +Date: Sun Oct 22 19:16:12 2023 -0400 + + refactoring + +commit ee15f749bb4e68350498e52e8505bed43c98cbaf +Author: Patrick Schleizer +Date: Sun Oct 22 16:54:58 2023 -0400 + + bumped changelog version + commit d521662d04892fb6d5477fa4450fb5488892a87a Author: Patrick Schleizer Date: Sun Oct 22 16:49:36 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 8d23929..c5fe8ac 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 + security-misc (3:31.7-1) unstable; urgency=medium * New upstream version (local package). From f0857fd5608525115bd8a96c2f75368263f6f830 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 15:33:05 +0000 Subject: [PATCH 0894/1650] Fix double mount issue for /var/log and /var/tmp Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. --- usr/bin/remount-secure | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9c5bb55..e38e837 100755 --- a/usr/bin/remount-secure 
+++ b/usr/bin/remount-secure @@ -232,14 +232,6 @@ _tmp() { remount_secure } -_var() { - mount_folder="$NEWROOT/var" - ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. - intended_mount_options="nosuid,nodev" - remount_secure -} - _var_tmp() { mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" @@ -252,6 +244,14 @@ _var_log() { remount_secure } +_var() { + mount_folder="$NEWROOT/var" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. + intended_mount_options="nosuid,nodev" + remount_secure +} + _lib() { mount_folder="$NEWROOT/lib" ## Cannot use noexec on /lib as per: @@ -289,9 +289,9 @@ main() { _dev _dev_shm _tmp - _var _var_tmp _var_log + _var _home end From 89381fe7abcc2f4418b95c3eb290c975bf6d612c Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:23 +0000 Subject: [PATCH 0895/1650] rename --- etc/sysctl.d/{30_security-misc.conf => security-misc.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_security-misc.conf => security-misc.conf} (100%) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/security-misc.conf similarity index 100% rename from etc/sysctl.d/30_security-misc.conf rename to etc/sysctl.d/security-misc.conf From 9dda6f69a7df792966005f9c6feb057483cd9ea4 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:40 +0000 Subject: [PATCH 0896/1650] more rename --- .../{30_silent-kernel-printk.conf => silent-kernel-printk.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_silent-kernel-printk.conf => silent-kernel-printk.conf} (100%) 
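Review bot: The reorder in main() encodes a dependency, `_var` must run after `_var_tmp` and `_var_log`, that only the commit message explains, so the next person who alphabetizes these calls or adds another /var submount will reintroduce the double bind mounts. Put the reason in the code next to the call, `## _var last: bind-remounting /var before its submounts makes /var/tmp and /var/log appear mounted twice.`, and the same one-liner above the moved `_var` definition. main() ends outside the hunk.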
diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/silent-kernel-printk.conf similarity index 100% rename from etc/sysctl.d/30_silent-kernel-printk.conf rename to etc/sysctl.d/silent-kernel-printk.conf From 1f489719efb37492b9c040ba4e332e8dd70fde1f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:58 +0000 Subject: [PATCH 0897/1650] rename --- ...y-misc_kexec-disable.conf => security-misc_kexec-disable.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_security-misc_kexec-disable.conf => security-misc_kexec-disable.conf} (100%) diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/security-misc_kexec-disable.conf similarity index 100% rename from etc/sysctl.d/30_security-misc_kexec-disable.conf rename to etc/sysctl.d/security-misc_kexec-disable.conf From 3317332cb431115f81d832ba974181c74427c884 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Oct 2023 05:51:11 -0400 Subject: [PATCH 0898/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 287788a..1da6ca6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit 42c802cd1eca3d2586abde871e4842cdf83490c4 +Merge: f3b40f1 5320c11 +Author: Patrick Schleizer +Date: Tue Oct 24 05:30:15 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba +Merge: f3b40f1 f0857fd +Author: Patrick Schleizer +Date: Tue Oct 24 05:22:33 2023 -0400 + + Merge pull request #134 from monsieuremre/patch-1 + + Fix double mount issue for /var/log and /var/tmp + +commit f0857fd5608525115bd8a96c2f75368263f6f830 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 15:33:05 2023 +0000 + + Fix double mount issue for /var/log and /var/tmp + + Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. + +commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 +Author: Patrick Schleizer +Date: Sun Oct 22 19:23:22 2023 -0400 + + bumped changelog version + commit d2e8a6dad3b94d574cb9c043303160b06893ab97 Author: Patrick Schleizer Date: Sun Oct 22 19:21:51 2023 -0400 diff --git a/debian/changelog b/debian/changelog index c5fe8ac..2c14996 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 + security-misc (3:31.8-1) unstable; urgency=medium * New upstream version (local package). From ee6716e178806912da08b671ae31504ed2f3ac56 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Tue, 24 Oct 2023 20:43:10 +0000 Subject: [PATCH 0899/1650] security-misc.maintscript --- debian/security-misc.maintscript | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 177005f..2061445 100644 
--- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -43,3 +43,9 @@ rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg rm_conffile /etc/X11/Xsession.d/50panic_on_oops rm_conffile /etc/X11/Xsession.d/50security-misc + +## renamed to remove the trailing 30_ for bug fix +rm_conffile /etc/sysctl.d/30_security-misc.conf +rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf +rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf + From b7c52800f4c16b1573e372089704a68fd47c5906 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:28:43 -0400 Subject: [PATCH 0900/1650] renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf --- {etc => usr/lib}/sysctl.d/30_security-misc.conf | 0 {etc => usr/lib}/sysctl.d/30_security-misc_kexec-disable.conf | 0 {etc => usr/lib}/sysctl.d/30_silent-kernel-printk.conf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/sysctl.d/30_security-misc.conf (100%) rename {etc => usr/lib}/sysctl.d/30_security-misc_kexec-disable.conf (100%) rename {etc => usr/lib}/sysctl.d/30_silent-kernel-printk.conf (100%) diff --git a/etc/sysctl.d/30_security-misc.conf b/usr/lib/sysctl.d/30_security-misc.conf similarity index 100% rename from etc/sysctl.d/30_security-misc.conf rename to usr/lib/sysctl.d/30_security-misc.conf diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf similarity index 100% rename from etc/sysctl.d/30_security-misc_kexec-disable.conf rename to usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
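Review bot: The comment says "trailing 30_" where the prefix being dropped is leading, and more importantly these `rm_conffile` lines have a user-visible side effect the comment does not mention. As far as I recall dpkg-maintscript-helper, an admin-modified `/etc/sysctl.d/30_security-misc.conf` is not deleted but renamed to `*.dpkg-bak`, which sysctl no longer reads, so local sysctl overrides placed in these files stop applying silently on upgrade; a debian/NEWS entry or at least `## Locally modified copies survive as *.dpkg-bak and are no longer applied; move overrides to a new file in /etc/sysctl.d.` would make that visible. Passing the last version that shipped the old names as the prior-version argument would also scope the removal to the upgrade that actually needs it.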
diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf similarity index 100% rename from etc/sysctl.d/30_silent-kernel-printk.conf rename to usr/lib/sysctl.d/30_silent-kernel-printk.conf From 6a22351d298e475ecae22bb99249a308b294ff9a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:30:07 -0400 Subject: [PATCH 0901/1650] renamed: usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf --- .../sysctl.d/{30_security-misc.conf => 990-security-misc.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename usr/lib/sysctl.d/{30_security-misc.conf => 990-security-misc.conf} (100%) diff --git a/usr/lib/sysctl.d/30_security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf similarity index 100% rename from usr/lib/sysctl.d/30_security-misc.conf rename to usr/lib/sysctl.d/990-security-misc.conf From b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:41:05 -0400 Subject: [PATCH 0902/1650] comment --- debian/security-misc.maintscript | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2061445..f1664ee 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -44,7 +44,7 @@ rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg rm_conffile /etc/X11/Xsession.d/50panic_on_oops rm_conffile /etc/X11/Xsession.d/50security-misc -## renamed to remove the trailing 30_ for bug fix +## moved to /usr/lib/sysctl.d rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf From 8557e0963ed6159f7f6c816ad4e009cc7323a760 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:55:37 -0400 Subject: [PATCH 0903/1650] bumped changelog version --- changelog.upstream | 66 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 72 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1da6ca6..9532789 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,51 @@ +commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 +Author: Patrick Schleizer +Date: Wed Oct 25 17:41:05 2023 -0400 + + comment + +commit 5d71217e597aa3366658524ec5395c9f76dd527b +Merge: 6a22351 a2f811a +Author: Patrick Schleizer +Date: Wed Oct 25 17:40:13 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6a22351d298e475ecae22bb99249a308b294ff9a +Author: Patrick Schleizer +Date: Wed Oct 25 17:30:07 2023 -0400 + + renamed: usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf + +commit b7c52800f4c16b1573e372089704a68fd47c5906 +Author: Patrick Schleizer +Date: Wed Oct 25 17:28:43 2023 -0400 + + renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf + renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf + renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf + +commit a2f811aff0cb4e73c3975093012c223127495707 +Merge: 3317332 ee6716e +Author: Patrick Schleizer +Date: Wed Oct 25 17:26:46 2023 -0400 + + Merge pull request #135 from monsieuremre/kernel-fix + + Kernel hardening fix + +commit ee6716e178806912da08b671ae31504ed2f3ac56 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Tue Oct 24 20:43:10 2023 +0000 + + security-misc.maintscript + +commit 3317332cb431115f81d832ba974181c74427c884 +Author: Patrick Schleizer +Date: Tue Oct 24 05:51:11 2023 -0400 + + bumped changelog version + commit 42c802cd1eca3d2586abde871e4842cdf83490c4 Merge: f3b40f1 5320c11 Author: Patrick Schleizer 
@@ -14,6 +62,24 @@ Date: Tue Oct 24 05:22:33 2023 -0400 Fix double mount issue for /var/log and /var/tmp +commit 1f489719efb37492b9c040ba4e332e8dd70fde1f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:58 2023 +0000 + + rename + +commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:40 2023 +0000 + + more rename + +commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:23 2023 +0000 + + rename + commit f0857fd5608525115bd8a96c2f75368263f6f830 Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon Oct 23 15:33:05 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 2c14996..8febf32 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 + security-misc (3:31.9-1) unstable; urgency=medium * New upstream version (local package). From e5d989af5ac2899985c48d60311856fb86e0ddeb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:04:13 -0400 Subject: [PATCH 0904/1650] comment --- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 1fcb0ea..718d64b 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -1,6 +1,12 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed +## afterwards. See also: +## https://github.com/Kicksecure/security-misc/pull/135 + ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. ## security-misc also disables coredumps in other ways. kernel.core_pattern=|/bin/false From 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:20:48 -0400 Subject: [PATCH 0905/1650] enable SUID Disabler and Permission Hardener by default https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 --- debian/security-misc.postinst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d00d8cf..04410d9 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,6 +15,20 @@ true " ##################################################################### " +permission_hardening() { + echo "" + echo "Running SUID Disabler and Permission Hardener... See also:" + echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" + echo "" + echo "$0: INFO: run: /usr/libexec/security-misc/permission-hardening" + if ! /usr/libexec/security-misc/permission-hardening ; then + echo "$0: ERROR: Permission hardening failed." >&2 + return 0 + fi + echo "$0: INFO: Permission hardening success." + echo "" +} + case "$1" in configure) if [ -d /etc/skel/.gnupg ]; then @@ -45,6 +59,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown +permission_hardening ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: 
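Review bot: `permission_hardening` turns a failure of `/usr/libexec/security-misc/permission-hardening` into a stderr line followed by `return 0`, so package configuration succeeds with the hardening not applied and only the log records it. That is defensible in a postinst (a hardening error should not leave the package unconfigured), but the choice should be written down above `return 0`, e.g. `## Deliberately non-fatal: a hardening failure must not leave the package unconfigured; the error was already reported on stderr.` The second hunk places the call after `esac`, so it runs for every maintainer-script action (`abort-upgrade`, `abort-remove`, ...), not only `configure`; if that is not intended, the call belongs inside the `configure)` branch, which lies outside this hunk.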
From ca9603af1713ff37392662c9d1b4251052e7b983 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:23:48 -0400 Subject: [PATCH 0906/1650] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9532789..489df89 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be +Author: Patrick Schleizer +Date: Thu Oct 26 12:20:48 2023 -0400 + + enable SUID Disabler and Permission Hardener by default + + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 + +commit e5d989af5ac2899985c48d60311856fb86e0ddeb +Author: Patrick Schleizer +Date: Thu Oct 26 12:04:13 2023 -0400 + + comment + +commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 +Author: Patrick Schleizer +Date: Wed Oct 25 17:55:37 2023 -0400 + + bumped changelog version + commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 Author: Patrick Schleizer Date: Wed Oct 25 17:41:05 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 8febf32..0039b1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 + security-misc (3:32.0-1) unstable; urgency=medium * New upstream version (local package). From 99355c616974d167e3a5424d63cd56b1f64f0eaf Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 17:45:28 +0000 Subject: [PATCH 0907/1650] new lines 30_default.conf --- etc/permission-hardening.d/30_default.conf | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index e0d310d..f4cb332 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -67,12 +67,32 @@ ###################################################################### /home/ 0755 root root -/home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root /etc/permission-hardening.d 0600 root root /usr/local/etc/permission-hardening.d 0600 root root /lib/modules/ 0700 root root +/usr/src 0700 root root +/etc/cups/cupsd.conf 0400 root root +/boot/grub/grub.cfg 0600 root root +/etc/syslog.conf 0600 root root +/etc/crontab 0600 root root +/root/.ssh 0700 root root +/etc/cron.d 0700 root root +/etc/cron.daily 0700 root root +/etc/sudoers.d 0700 root root +/etc/cron.hourly 0700 root root +/etc/cron.weekly 0700 root root +/etc/cron.monthly 0700 root root +/etc/group 0644 root root +/etc/group- 0644 root root +/etc/hosts.allow 0644 root root +/etc/hosts.deny 0644 root root +/etc/issue 0644 root root +/etc/issue.net 0644 root root +/etc/motd 0644 root root +/etc/passwd 0644 root root +/etc/passwd- 0644 root root ###################################################################### # SUID/SGID Removal From d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 18:17:50 +0000 Subject: [PATCH 0908/1650] new permission-lockdown --- usr/libexec/security-misc/permission-lockdown | 45 ++++++++----------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 615bf6c..eab53b0 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
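Review bot: `/etc/cups/cupsd.conf 0400 root root` changes more than the mode: on Debian that file is normally shipped owned by `root:lp` (verify against the installed package), and forcing group `root` with no group bits may break cups components that rely on the `lp` group, so the entry deserves either a comment saying this was tested or a relaxation to `0640 root lp`. The `0644 root root` entries for `/etc/passwd`, `/etc/group`, `/etc/issue`, `/etc/motd` and their neighbours restate the distribution defaults; if they are meant as a ratchet against accidental loosening, a one-line comment such as `## Defaults restated so drift from 0644 is corrected on every run.` would make that explicit. Dropping `/home/user/ 0700 user user` without a note leaves the reader to guess that `permission-lockdown` is presumably now responsible for home directories.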
@@ -32,35 +32,28 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - shopt -s nullglob + # Each users home directory to himself + for user in $(dir /home); do # lists directories only + if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ -f /var/cache/security-misc/state-files/$user ] + continue # only doing once + fi + touch "/var/cache/security-misc/state-files/$user # so that we know we did this one + dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself + find /home/$user -type d | while read directory; # doing this to all directories in the users home + do + chown $user $directory + chmod 700 $directory + done - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then - continue +# not doing it because this sets all files to non executable +# find /home/$user -type f | while read file; # doing this to all files in the users home +# do +# chown $user $file +# chmod 600 $file +# done fi - if [ ! -d "$folder_name" ]; then - continue - fi - if [ "$folder_name" = "/home/" ]; then - continue - fi - mkdir -p /var/cache/security-misc/state-files - echo "$0: chmod o-rwx \"$folder_name\"" - chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" done - - shopt -u nullglob } home_folder_access_rights_lockdown From 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b Mon Sep 17 00:00:00 2001 
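Review bot: The new loop body does not parse as shell: `if [ grep -q "$user" /etc/passwd ]; then` hands `grep` to `test` as a literal word instead of running it, `if [ -f /var/cache/security-misc/state-files/$user ]` has no `; then`, and `touch "/var/cache/security-misc/state-files/$user # so that we know we did this one` opens a quote it never closes, so the function cannot even be sourced. Once those are fixed, `grep -q "$user" /etc/passwd` is still an unanchored substring match (a directory named `oo` matches `root`); `id "$user" >/dev/null 2>&1` or `getent passwd "$user" >/dev/null` tests existence properly. `$(dir /home)` and the unquoted `$user`/`$directory` expansions split on whitespace, which the removed `/home/*` glob with `"$folder_name"` handled correctly. The same `[ grep ... ]` form survives unchanged in the hunks of the next three commits ("strip unnecessary", "not limiting ourselves", "readability").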
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:25:24 +0000 Subject: [PATCH 0909/1650] strip unnecessary --- usr/libexec/security-misc/permission-lockdown | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index eab53b0..8e807ff 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -38,21 +38,8 @@ home_folder_access_rights_lockdown() { if [ -f /var/cache/security-misc/state-files/$user ] continue # only doing once fi - touch "/var/cache/security-misc/state-files/$user # so that we know we did this one dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself - find /home/$user -type d | while read directory; # doing this to all directories in the users home - do - chown $user $directory - chmod 700 $directory - done - -# not doing it because this sets all files to non executable -# find /home/$user -type f | while read file; # doing this to all files in the users home -# do -# chown $user $file -# chmod 600 $file -# done - fi + touch /var/cache/security-misc/state-files/$user # so that we know we did this one done } From f487752ba1b469eb0b2f85657e2ee0860f58496b Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:30:58 +0000 Subject: [PATCH 0910/1650] not limiting ourselves. we do not do this not just once. --- usr/libexec/security-misc/permission-lockdown | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 8e807ff..372fc2f 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -35,11 +35,9 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory - if [ -f /var/cache/security-misc/state-files/$user ] - continue # only doing once - fi dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself - touch /var/cache/security-misc/state-files/$user # so that we know we did this one + echo "Permission updated: chmod go-rwx /home/$user" + fi done } From b5ba03247a5b5bb1f4e010130e4a575ad1397117 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:31:25 +0000 Subject: [PATCH 0911/1650] readability --- usr/libexec/security-misc/permission-lockdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 372fc2f..4449608 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -34,7 +34,7 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only - if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself echo "Permission updated: chmod go-rwx /home/$user" fi From 88f396264ca9d072e4e5de4e1acaee54f3b39749 Mon Sep 17 00:00:00 2001 
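Review bot: Removing the state-file check makes `dpkg-statoverride --add --update` run for every user on every invocation, and `dpkg-statoverride --add` refuses with an error when an override for that path already exists, so the second run fails for each home directory (and aborts the script if it runs under `set -e`, which is not visible in this hunk). The new `echo "Permission updated: chmod go-rwx /home/$user"` also describes a command the code does not run; it should report what was actually done, e.g. `echo "$0: dpkg-statoverride --add --update $user $user 0700 /home/$user"`.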
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:35:59 +0000 Subject: [PATCH 0912/1650] avoiding /etc/passwd --- usr/libexec/security-misc/permission-lockdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 4449608..dfe0176 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -34,7 +34,7 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only - if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself echo "Permission updated: chmod go-rwx /home/$user" fi From 91c445244c47c163e2466f8c4dff710eda20c337 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:41:07 +0000 Subject: [PATCH 0913/1650] actually we do it once indeed --- usr/libexec/security-misc/permission-lockdown | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index dfe0176..a89e1ec 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
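Review bot: `if [ $(id --user $user) ]; then` tests whether the unquoted stdout of `id` is non-empty, so the "user actually exists" check only works because a failed `id` prints nothing to stdout; its error message still lands on stderr for every stray entry in `/home`, and an unquoted `$user` containing whitespace becomes several arguments. `if id "$user" >/dev/null 2>&1; then` tests the exit status directly, keeps the name quoted and removes the noise.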
@@ -34,9 +34,13 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only + if [ -f /var/cache/security-misc/state-files/$user ]; then + continue + fi if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory - dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself + dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user echo "Permission updated: chmod go-rwx /home/$user" + touch /var/cache/security-misc/state-files/$user # so that we know we did this one fi done } From 1123d23114201988ac3f5f50ab6e74a5307d3d52 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 18:45:07 -0400 Subject: [PATCH 0914/1650] remount-secure: disable debugging to save space in initrd --- usr/bin/remount-secure | 9 ++++++--- .../modules.d/20remount-secure/module-setup.sh | 14 ++++++++++---- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e38e837..a81f43f 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -23,9 +23,12 @@ init() { $output_command "$0: INFO: START" - if [ "$(id -u)" != "0" ]; then - $output_command "ERROR: must be run as root! sudo $0" - exit 1 + ## dracut does not have id. Saving space in initial ramdisk. + if command -v id &>/dev/null ; then + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi fi mkdir --parents "/run/remount-secure" diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index c48d08c..ce0a67b 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
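Review bot: `touch /var/cache/security-misc/state-files/$user` assumes the state directory already exists; the implementation this loop replaced ran `mkdir -p /var/cache/security-misc/state-files` before touching, and nothing in the current function recreates it, so on a fresh system the `touch` fails and every user is reprocessed on each invocation. Add `mkdir --parents /var/cache/security-misc/state-files` before the loop, and quote the path in both the `-f` test and the `touch`.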
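Review bot: When `id` is absent, the new `if command -v id &>/dev/null` branch skips the root check entirely, so outside the initramfs a system lacking `id` would run `remount-secure` unprivileged until some later command fails. The script appears to rely on bash already (`&>` is a bashism), and bash exposes the effective uid as `$EUID` without any external binary, so `if [ "$EUID" != "0" ]; then` keeps the check in both environments and makes the `command -v` guard unnecessary. `init()` begins before this hunk, so I cannot see which interpreter is declared; if it is not bash, the `&>` redirection is itself a problem.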
@@ -5,11 +5,14 @@ # called by dracut check() { + ## For debugging only. + ## Saving space in initial ramdisk. + #require_binaries id || return 1 + #require_binaries env || return 1 + require_binaries findmnt || return 1 require_binaries touch || return 1 require_binaries grep || return 1 - require_binaries id || return 1 - require_binaries env || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -22,11 +25,14 @@ depends() { # called by dracut install() { + ## For debugging only. + ## Saving space in initial ramdisk. + #inst_multiple id + #inst_multiple env + inst_multiple findmnt inst_multiple touch inst_multiple grep - inst_multiple id - inst_multiple env inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From a330a9fd75314931639e7e873adc31c5cc65d555 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 19:20:21 -0400 Subject: [PATCH 0915/1650] refactor permission-lockdown --- usr/libexec/security-misc/permission-lockdown | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index a89e1ec..1035450 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -32,16 +32,25 @@
 # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
 home_folder_access_rights_lockdown() {
- # Each users home directory to himself
- for user in $(dir /home); do # lists directories only
- if [ -f /var/cache/security-misc/state-files/$user ]; then
+ mkdir --parents /var/cache/security-misc/state-files
+ local user
+ for user in $(dir /home); do ## lists directories only
+ if [ -f "/var/cache/security-misc/state-files/$user" ]; then
 continue
 fi
- if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory
- dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user
- echo "Permission updated: chmod go-rwx /home/$user"
- touch /var/cache/security-misc/state-files/$user # so that we know we did this one
- fi
+ folder_name="/home/$user"
+ ## chmod:
+ ## The 'g' for 'group' is not needed.
+ ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf.
+ ## The group which the user is being added to has the same name as the user.
+ ## If the username is user then the name of the group is also user.
+ ## Some background information here:
+ ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux
+ ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command
+ ## required to run is sudo addgroup user1 user2.
+ echo "$0: chmod o-rwx \"$folder_name\""
+ chmod o-rwx "$folder_name"
+ touch "/var/cache/security-misc/state-files/$user"
 done
 }
From 7cff267002485fd0abca98d12b0024e061f4ba51 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 26 Oct 2023 19:31:14 -0400
Subject: [PATCH 0916/1650] remove duplicates
---
 etc/permission-hardening.d/30_default.conf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index f4cb332..bbb08ae 100644
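Review bot: `for user in $(dir /home)` does not list "directories only" as the comment claims: GNU `dir` is `ls -C -b`, so regular files and symlinks in `/home` are iterated as well and names containing whitespace are split into several words; `chmod o-rwx "$folder_name"` is then applied to whatever is there, because the `[ ! -d "$folder_name" ]` guard of the earlier implementation was not carried over. Iterating the glob restores both checks: `for folder_name in /home/*; do`, `[ -d "$folder_name" ] || continue`, `user="$(basename "$folder_name")"`. `folder_name` is also assigned without `local`, unlike `user` a few lines above.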
--- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -74,10 +74,8 @@ /lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root -/boot/grub/grub.cfg 0600 root root /etc/syslog.conf 0600 root root /etc/crontab 0600 root root -/root/.ssh 0700 root root /etc/cron.d 0700 root root /etc/cron.daily 0700 root root /etc/sudoers.d 0700 root root From 7d576842fb6f3c124db2b6deb5abfc095974a67f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 20:08:41 -0400 Subject: [PATCH 0917/1650] bumped changelog version --- changelog.upstream | 98 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 104 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 489df89..db21f0d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,101 @@ +commit 7cff267002485fd0abca98d12b0024e061f4ba51 +Author: Patrick Schleizer +Date: Thu Oct 26 19:31:14 2023 -0400 + + remove duplicates + +commit 928cdb81d43dfd337c82917182d2914d9c9d0915 +Merge: a330a9f 39fed05 +Author: Patrick Schleizer +Date: Thu Oct 26 19:29:55 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 39fed058f4734029b303fac4ea9a1b11f652fab4 +Merge: 92a6ecc 99355c6 +Author: Patrick Schleizer +Date: Thu Oct 26 19:27:41 2023 -0400 + + Merge pull request #140 from monsieuremre/patch-3 + + New lines in default permission config + +commit a330a9fd75314931639e7e873adc31c5cc65d555 +Author: Patrick Schleizer +Date: Thu Oct 26 19:20:21 2023 -0400 + + refactor permission-lockdown + +commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 +Merge: 1123d23 92a6ecc +Author: Patrick Schleizer +Date: Thu Oct 26 19:15:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc +Merge: ca9603a 91c4452 +Author: Patrick Schleizer +Date: Thu Oct 26 19:13:34 2023 -0400 + + Merge pull request #141 from monsieuremre/patch-4 + + New permission-lockdown + +commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 +Author: Patrick Schleizer +Date: Thu Oct 26 18:45:07 2023 -0400 + + remount-secure: disable debugging to save space in initrd + +commit 91c445244c47c163e2466f8c4dff710eda20c337 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:41:07 2023 +0000 + + actually we do it once indeed + +commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:35:59 2023 +0000 + + avoiding /etc/passwd + +commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:31:25 2023 +0000 + + readability + +commit f487752ba1b469eb0b2f85657e2ee0860f58496b +Author: monsieuremre 
<130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:30:58 2023 +0000 + + not limiting ourselves. we do not do this not just once. + +commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:25:24 2023 +0000 + + strip unnecessary + +commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 18:17:50 2023 +0000 + + new permission-lockdown + +commit 99355c616974d167e3a5424d63cd56b1f64f0eaf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 17:45:28 2023 +0000 + + new lines 30_default.conf + +commit ca9603af1713ff37392662c9d1b4251052e7b983 +Author: Patrick Schleizer +Date: Thu Oct 26 12:23:48 2023 -0400 + + bumped changelog version + commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be Author: Patrick Schleizer Date: Thu Oct 26 12:20:48 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0039b1d..11027e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 + security-misc (3:32.1-1) unstable; urgency=medium * New upstream version (local package). From f2c23a28319e359c642da2dde424456a1064763f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 10:53:45 +0000 Subject: [PATCH 0918/1650] ssh config --- etc/permission-hardening.d/30_default.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index bbb08ae..0396c4b 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -75,6 +75,7 @@ /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root /etc/syslog.conf 0600 root root +/etc/ssh/sshd_config 0600 root root /etc/crontab 0600 root root /etc/cron.d 0700 root root /etc/cron.daily 0700 root root From c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 11:07:53 +0000 Subject: [PATCH 0919/1650] new lines 990-security-misc.conf added new recommended hardening settings with comments --- usr/lib/sysctl.d/990-security-misc.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 718d64b..547dbeb 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -14,6 +14,14 @@ kernel.core_pattern=|/bin/false ## Restricts the kernel log to root only. kernel.dmesg_restrict=1 +## Does not set coredump name to 'core' which is default. Defense in depth. +kernel.core_uses_pid=1 + +## A martian packet is a one with a source address which is blatantly wrong +## Recommended to keep a log of these to identify these suspicious packets +net.ipv4.conf.all.log_martians=1 +net.ipv4.conf.default.log_martians=1 + ## Don't allow writes to files that we don't own ## in world writable sticky directories, unless ## they are owned by the owner of the directory. From 604d839537c409604ed2c4c88992ea1a31368f6f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:30:26 +0000 Subject: [PATCH 0920/1650] 99_ipv6-privacy-extensions.conf --- etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf 
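Review bot: `kernel.core_uses_pid=1` only affects the file name a core dump is written under, and with `kernel.core_pattern=|/bin/false` (the context line at the top of this hunk) no core file is ever named, so the setting appears to have no effect here; the comment should say it is kept for the case that `core_pattern` is overridden, e.g. `## Only relevant if core_pattern is overridden to write a file; kept as defense in depth.` The `log_martians` comment has a typo (`a one with a source address`) and could note that martian logging, while rate-limited in the kernel as far as I know, still adds kernel-log noise on hosts with misconfigured networks.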
diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf new file mode 100644 index 0000000..b44948d --- /dev/null +++ b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf @@ -0,0 +1,2 @@ +[Network] +IPv6PrivacyExtensions=kernel From e90f62eaabfeee7483af573ef8e9d015ba1977dc Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:34:15 +0000 Subject: [PATCH 0921/1650] 99_randomize_mac.conf --- etc/NetworkManager/conf.d/99_randomize_mac.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 etc/NetworkManager/conf.d/99_randomize_mac.conf diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize_mac.conf new file mode 100644 index 0000000..1601800 --- /dev/null +++ b/etc/NetworkManager/conf.d/99_randomize_mac.conf @@ -0,0 +1,6 @@ +[device-mac-randomization] +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +ethernet.cloned-mac-address=random +wifi.cloned-mac-address=random From 3d4b04fddc16067ed345074683281e74f41eeadf Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:35:39 +0000 Subject: [PATCH 0922/1650] 99_ipv6-privacy.conf --- etc/NetworkManager/conf.d/99_ipv6-privacy.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/NetworkManager/conf.d/99_ipv6-privacy.conf diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf new file mode 100644 index 0000000..a70549a --- /dev/null +++ b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf @@ -0,0 +1,2 @@ +[connection] +ipv6.ip6-privacy=2 From b298d152fc10c66892698d9dcae769a44a32037b Mon Sep 17 00:00:00 2001 
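Review bot: `IPv6PrivacyExtensions=kernel` in `networkd.conf` tells systemd-networkd to leave the kernel's own `use_tempaddr` setting in place; it does not enable temporary addresses by itself, so on a default kernel this new file changes nothing for networkd-managed links despite its name. If the intent is to turn privacy extensions on, the value should be `IPv6PrivacyExtensions=yes` (or `prefer-public` if public addresses must stay preferred for outgoing connections). The NetworkManager counterpart added two hunks later, `ipv6.ip6-privacy=2`, does enable them for NetworkManager-managed connections.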
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:32:08 +0000 Subject: [PATCH 0923/1650] 30_security-misc.conf --- etc/bluetooth/30_security-misc.conf | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 etc/bluetooth/30_security-misc.conf diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf new file mode 100644 index 0000000..d3410f2 --- /dev/null +++ b/etc/bluetooth/30_security-misc.conf @@ -0,0 +1,30 @@ +[General] +# How long to stay in pairable mode before going back to non-discoverable +# The value is in seconds. Default is 0. +# 0 = disable timer, i.e. stay pairable forever +PairableTimeout = 30 + +# How long to stay in discoverable mode before going back to non-discoverable +# The value is in seconds. Default is 180, i.e. 3 minutes. +# 0 = disable timer, i.e. stay discoverable forever +DiscoverableTimeout = 30 + +# Maximum number of controllers allowed to be exposed to the system. +# Default=0 (unlimited) +MaxControllers=1 + +# How long to keep temporary devices around +# The value is in seconds. Default is 30. +# 0 = disable timer, i.e. never keep temporary devices +TemporaryTimeout = 0 + +[Policy] +# AutoEnable defines option to enable all controllers when they are found. +# This includes adapters present on start as well as adapters that are plugged +# in later on. Defaults to 'true'. +AutoEnable=false + +# network/on: A device will only accept advertising packets from peer +# devices that contain private addresses. It may not be compatible with some +# legacy devices since it requires the use of RPA(s) all the time. +Privacy=network/on From 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 Mon Sep 17 00:00:00 2001 
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:34:21 +0000 Subject: [PATCH 0924/1650] 30_security-misc.conf --- etc/modprobe.d/30_security-misc.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 128ab9c..a01ed81 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-bluetooth-by-security-misc -install btusb /bin/disabled-bluetooth-by-security-misc +# +## Now replaced by a privacy and security preserving default bluetooth configuration for better usability +# +# install bluetooth /bin/disabled-bluetooth-by-security-misc +# install btusb /bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-thunderbolt-by-security-misc From 90a88225a4fde2f09cc14b24f8467bb1ded90c9d Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:38:31 +0000 Subject: [PATCH 0925/1650] security-misc.maintscript --- debian/security-misc.maintscript | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f1664ee..50c1252 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
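Review bot: Commenting out the two `install` lines makes the `bluetooth` and `btusb` kernel modules loadable again, so the kernel-side attack surface the old lines removed is back; the bluetoothd settings the new comment refers to only constrain the daemon (pairing and discoverability timeouts, privacy) and do not stop the modules from loading, so `Now replaced by ...` overstates the equivalence. If the trade-off is accepted, the comment should say so plainly, e.g. `## Bluetooth modules are loadable again; /etc/bluetooth/30_security-misc.conf hardens bluetoothd but does not reduce kernel attack surface.`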
@@ -49,3 +49,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf +## replaced with privacy conscious configurations for bluetooth +## not to hinder day to day usage +rm_conffile /bin/disabled-bluetooth-by-security-misc From fc8e201e84e4c777c087fd113c539ca368fd3a31 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:49:24 +0000 Subject: [PATCH 0926/1650] rename --- .../conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/NetworkManager/conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} (100%) diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize-mac.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_randomize_mac.conf rename to etc/NetworkManager/conf.d/99_randomize-mac.conf From 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Nov 2023 11:10:36 -0400 Subject: [PATCH 0927/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index db21f0d..92adf11 100644 --- a/changelog.upstream +++ b/changelog.upstream 
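Review bot: `rm_conffile /bin/disabled-bluetooth-by-security-misc` is the wrong mechanism if that path is an ordinary file shipped by the package rather than a registered dpkg conffile (conffiles are the package's files under `/etc`); `dpkg-maintscript-helper rm_conffile` then does nothing, and the file disappears simply by no longer being shipped. Please verify which case applies and, if it is a shipped file, drop it from the package build instead of adding this entry.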
@@ -1,3 +1,33 @@ +commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d +Merge: 7d57684 b7cddd6 +Author: Patrick Schleizer +Date: Wed Nov 1 10:31:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 +Merge: 7d57684 c975c3c +Author: Patrick Schleizer +Date: Wed Nov 1 10:30:26 2023 -0400 + + Merge pull request #143 from monsieuremre/patch-6 + + new lines 990-security-misc.conf + +commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 11:07:53 2023 +0000 + + new lines 990-security-misc.conf + + added new recommended hardening settings with comments + +commit 7d576842fb6f3c124db2b6deb5abfc095974a67f +Author: Patrick Schleizer +Date: Thu Oct 26 20:08:41 2023 -0400 + + bumped changelog version + commit 7cff267002485fd0abca98d12b0024e061f4ba51 Author: Patrick Schleizer Date: Thu Oct 26 19:31:14 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 11027e3..6e02c44 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 + security-misc (3:32.2-1) unstable; urgency=medium * New upstream version (local package). From a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Nov 2023 12:26:21 -0400 Subject: [PATCH 0928/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 92adf11..649843f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit bb14a058520b13e242fea9f3022c439c4677bd1d +Merge: 5ed2a5c 44906e8 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:54 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 44906e8f398aae6e9565b131b82124e738e2d0d1 +Merge: 5ed2a5c f2c23a2 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:27 2023 -0400 + + Merge pull request #142 from monsieuremre/patch-5 + + ssh config + +commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a +Author: Patrick Schleizer +Date: Wed Nov 1 11:10:36 2023 -0400 + + bumped changelog version + commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d Merge: 7d57684 b7cddd6 Author: Patrick Schleizer @@ -22,6 +44,12 @@ Date: Fri Oct 27 11:07:53 2023 +0000 added new recommended hardening settings with comments +commit f2c23a28319e359c642da2dde424456a1064763f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 10:53:45 2023 +0000 + + ssh config + commit 7d576842fb6f3c124db2b6deb5abfc095974a67f Author: Patrick Schleizer Date: Thu Oct 26 20:08:41 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 6e02c44..9064482 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 + security-misc (3:32.3-1) unstable; urgency=medium * New upstream version (local package). From 76e684cc0ac0544219d200eeefae1356864fe702 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:51:27 +0000 Subject: [PATCH 0929/1650] Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf --- {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf (100%) 
diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_ipv6-privacy.conf rename to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf From 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:52:40 +0000 Subject: [PATCH 0930/1650] Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf --- {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf (100%) diff --git a/etc/NetworkManager/conf.d/99_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_randomize-mac.conf rename to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf From 229032d691c614a926cf3cf96b44752364e4e087 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:54:05 +0000 Subject: [PATCH 0931/1650] Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf --- .../lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf (100%) diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf similarity index 100% rename from etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf rename to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf From 5a583ca48ce608fee4fe55c1d6948505e83a98d8 Mon Sep 17 00:00:00 2001 
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 08:30:26 +0000 Subject: [PATCH 0932/1650] typo in file name --- etc/thunderbird/pref/{40_security-mic.js => 40_security-misc.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/thunderbird/pref/{40_security-mic.js => 40_security-misc.js} (100%) diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-misc.js similarity index 100% rename from etc/thunderbird/pref/40_security-mic.js rename to etc/thunderbird/pref/40_security-misc.js From 1abac794b564d178df37a385cf0d25bac5842c3c Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 09:15:20 +0000 Subject: [PATCH 0933/1650] very secure and private defaults --- etc/thunderbird/pref/40_security-misc.js | 48 ++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index 5d849ea..b0586e8 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js 
@@ -9,3 +9,51 @@ // https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 pref("network.IDN_show_punycode", true); + +// Disable all and any kind of telemetry by default +pref("toolkit.telemetry.enabled", false); +pref("toolkit.telemetry.unified", false); +pref("toolkit.telemetry.shutdownPingSender.enabled", false); +pref("toolkit.telemetry.updatePing.enabled", false); +pref("toolkit.telemetry.archive.enabled", false); +pref("toolkit.telemetry.bhrPing.enabled", false); +pref("toolkit.telemetry.firstShutdownPing.enabled", false); +pref("toolkit.telemetry.newProfilePing.enabled", false); +pref("toolkit.telemetry.server", ""); // Defense in depth +pref("toolkit.telemetry.server_owner", ""); // Defense in depth +pref("datareporting.healthreport.uploadEnabled", false); +pref("datareporting.policy.dataSubmissionEnabled", false); +pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox +pref("toolkit.coverage.opt-out", true); // from Firefox + +// Disable implicit outbound traffic +pref("network.connectivity-service.enabled", false); +pref("network.prefetch-next", false); +pref("network.dns.disablePrefetch", true); +pref("network.predictor.enabled", false); + +// No need to explain the problems with javascript +// If you want javascript, use your browser +// Thunderbird needs no javascript +// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now. 
+ +// Disable scripting when viewing pdf files +user_pref("pdfjs.enableScripting", false); + +// If you want cookies, use your browser +pref("network.cookie.cookieBehavior", 2); + +// Do not send user agent information +// For email clients, this is more like a relic of the past +// Completely not necessary and just exposes a lot of information about the client +// Since v115.0 Thunderbird already minimizes the user agent +// But we want it gone for good for no information leak at all +// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 +pref("mailnews.headers.sendUserAgent", false); + +// Normally we send emails after marking them with a time stamp +// That includes our local time zone +// This option makes our local time zone appear as UTC +// And rounds the time stamp to the closes minute +// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 +pref("mail.sanitize_date_header", true); From 3ee4be652b28201ba208757ce5144e51c453ad70 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 09:36:58 +0000 Subject: [PATCH 0934/1650] depend on libpam-tmpdir --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 571050a..7761ab3 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, + apparmor-profile-dist, helper-scripts, libpam-modules-bin, libpam-tmpdir, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings From 3e604618a8ba2531553af4f9af00470bd9629615 Mon Sep 17 00:00:00 2001 
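Review bot: `user_pref("pdfjs.enableScripting", false);` is the only entry in this file written with `user_pref()`; every other line uses `pref()`, which is the form for a system-wide defaults file under `pref/`, whereas `user_pref()` is the per-profile `prefs.js` form and, where it is honoured at all, writes a user value instead of a default. Change it to `pref("pdfjs.enableScripting", false);`. Separately, `pref("network.cookie.cookieBehavior", 2);` blocks all cookies, yet the comment a few lines above keeps `javascript.enabled` on precisely so that web-based account logins keep working; those same login flows presumably depend on cookies, so the two settings look inconsistent and the trade-off should be stated in the comment. The unit ends outside this excerpt only in the sense that the file continues after the hunk; the hunk itself is complete.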
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:24:35 +0000
Subject: [PATCH 0935/1650] harden-module-loading.service

---
 lib/systemd/system/harden-module-loading.service | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 lib/systemd/system/harden-module-loading.service

diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service
new file mode 100644
index 0000000..fb6f6fe
--- /dev/null
+++ b/lib/systemd/system/harden-module-loading.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Disable the loading of modules to the kernel after startup. This could be malicious.
+After=systemd-modules-load.service
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target

From 9f063584c1f96267b04f8f7fe0eee773f9345370 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:28:41 +0000
Subject: [PATCH 0936/1650] disable-kernel-module-loading

---
 usr/libexec/security-misc/disable-kernel-module-loading | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 usr/libexec/security-misc/disable-kernel-module-loading

diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
new file mode 100644
index 0000000..47b5f71
--- /dev/null
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sysctl -w kernel.modules_disabled=1
+
+echo "The loading of new modules to the kernel has been disabled by security-misc" >&2

From 07882f61a8003026a9e4c135a6e18a8fd204060f Mon Sep 17 00:00:00 2001
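Review bot: `ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading` points at a script that patch 0936 creates with `new file mode 100644`, i.e. not executable, so the unit will fail at start until the file is `100755`. Ordering only `After=systemd-modules-load.service` and pulling the unit in at `sysinit.target` means that once `kernel.modules_disabled=1` is set, anything udev autoloads later in boot (hardware drivers, filesystems, network stacks) is refused as well; whether that is intended deserves a sentence in the comment, and a later ordering point, e.g. after the udev trigger/settle units, is worth evaluating. Style-wise, the `# ...` rationale would sit better above `[Unit]` in the `##` form the rest of this repository uses, and the clause `This could be malicious.` belongs in that comment rather than in `Description=`.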
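Review bot: The script's exit status does not reflect whether `sysctl -w kernel.modules_disabled=1` succeeded: there is no `set -e` and the trailing `echo` announces success unconditionally, so a failed write still reports "has been disabled" and the unit stays green. Add `set -o errexit -o nounset -o pipefail` after the shebang, or write `sysctl -w kernel.modules_disabled=1 || exit 1` before the message. The file is also created with `new file mode 100644`, which the unit's `ExecStart` cannot run; it needs `100755`. A short header comment noting that `kernel.modules_disabled` is one-way and only resets on reboot would save the next reader a lookup.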
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:44:19 +0000 Subject: [PATCH 0937/1650] enable service on install not sure if this would be the right way to do it --- debian/security-misc.postinst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 04410d9..3c9bcb2 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -61,6 +61,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown permission_hardening +systemctl enable disable-module-loading.service + ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 From ac224b270a3a0945d187202f8cca89af0e71a166 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 13:01:55 +0000 Subject: [PATCH 0938/1650] disable sysrq --- usr/lib/sysctl.d/990-security-misc.conf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 547dbeb..41f39e2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -137,11 +137,8 @@ net.ipv4.tcp_timestamps=0 #### meta end -## Only allow the SysRq key to be used for shutdowns and the -## Secure Attention Key (SAK). -## -## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ -kernel.sysrq=132 +## Disable SysRq key +kernel.sysrq=0 ## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent ## unprivileged attackers from loading vulnerable line disciplines From cd216095eb8d9387437e653d7764ec765ce42a10 Mon Sep 17 00:00:00 2001 
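Review bot: `systemctl enable disable-module-loading.service` names a unit this series never adds; the unit created in patch 0935 is `harden-module-loading.service`, so this line fails and, if the postinst runs under `set -e` as Debian maintainer scripts usually do, aborts the installation. Debian packaging normally enables units via the `dh_installsystemd` snippets (or `deb-systemd-helper enable`) rather than a bare `systemctl enable`, which also fails in a chroot without `systemctl`; suggest dropping the added lines in favour of the debhelper mechanism, or at minimum `deb-systemd-helper enable harden-module-loading.service`. The enclosing postinst continues outside the hunk on both sides.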
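Review bot: The replacement comment `## Disable SysRq key` drops the rationale and the forum reference that the removed lines carried, and gives no reason for moving from `132` (reboot/poweroff plus the Secure Attention Key, as the removed comment explained) to `0`, which also disables SAK. Please keep the reference and state the trade-off, e.g. `## Disable the SysRq key entirely. Previous value 132 allowed shutdown and SAK only.` followed by `## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/`, so a reader can judge whether losing SAK is acceptable for their deployment.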
From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:12:24 -0400 Subject: [PATCH 0939/1650] set default umask to 027 using package libpam-umask https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 https://github.com/Kicksecure/security-misc/pull/151 --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 571050a..2e633aa 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..6dfe387 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,7 @@ +Name: Restrict umask to 027 (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_umask.so umask=027 From 43bd789c30a562aa60349d019107277a428aece8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:28:08 -0400 Subject: [PATCH 0940/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 649843f..0ba9ff7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
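Review bot: `Session-Interactive-Only: yes` restricts the `optional pam_umask.so umask=027` line to interactive PAM sessions, so non-interactive sessions (cron jobs and other services going through `common-session-noninteractive`) presumably keep the default umask; if the goal stated in the README of patch 0946 (`/tmp` protection for files created by non-root users) is meant to include those, this should be `no`, otherwise the choice deserves a note. That README also says the umask is applied `using pam module pam_mkhomedir.so umask=027`, while this file configures `pam_umask.so`; the README sentence should read `pam_umask.so umask=027`. Marking the module `optional` means a failure of `pam_umask.so` is silently ignored, which is acceptable for a umask but worth stating.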
@@ -1,3 +1,21 @@ +commit cd216095eb8d9387437e653d7764ec765ce42a10 +Author: Patrick Schleizer +Date: Fri Nov 3 09:12:24 2023 -0400 + + set default umask to 027 + + using package libpam-umask + + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 + + https://github.com/Kicksecure/security-misc/pull/151 + +commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 +Author: Patrick Schleizer +Date: Wed Nov 1 12:26:21 2023 -0400 + + bumped changelog version + commit bb14a058520b13e242fea9f3022c439c4677bd1d Merge: 5ed2a5c 44906e8 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 9064482..62218f6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 + security-misc (3:32.4-1) unstable; urgency=medium * New upstream version (local package). From f8913ceb2e2fdd274011377c41b5d08e7459e4af Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:43:44 -0400 Subject: [PATCH 0941/1650] Revert "set default umask to 027" This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 2e633aa..571050a 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest 
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc deleted file mode 100644 index 6dfe387..0000000 --- a/usr/share/pam-configs/umask-security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: Restrict umask to 027 (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session-Interactive-Only: yes -Session: - optional pam_umask.so umask=027 From 07540db90d60b10cbd10881b0024d8e8871330de Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:45:12 -0400 Subject: [PATCH 0942/1650] Revert "Revert "set default umask to 027"" This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 571050a..2e633aa 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..6dfe387 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,7 @@ +Name: Restrict umask to 027 (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_umask.so umask=027 From b85d48eb83005da8fd9edc658c71493f407e3670 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:31:59 -0400 Subject: [PATCH 0943/1650] do not change default umask for root since this causes permission issues in `/etc/` https://github.com/Kicksecure/security-misc/pull/151 --- usr/share/pam-configs/umask-security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc index 6dfe387..6436a56 100644 --- a/usr/share/pam-configs/umask-security-misc +++ b/usr/share/pam-configs/umask-security-misc @@ -4,4 +4,5 @@ Priority: 100 Session-Type: Additional Session-Interactive-Only: yes Session: + [success=1 default=ignore] pam_succeed_if.so uid eq 0 optional pam_umask.so umask=027 From 8326aecdb460fffa450bbf3ec0b051010f87ee2a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:33:02 -0400 Subject: [PATCH 0944/1650] bumped changelog version --- changelog.upstream | 32 ++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 38 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0ba9ff7..1730ff3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
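Review bot: `[success=1 default=ignore] pam_succeed_if.so uid eq 0` logs a "requirement not met" line to syslog for every non-root session, because the test is designed to fail for them and `pam_succeed_if` logs failures by default; `[success=1 default=ignore] pam_succeed_if.so quiet uid eq 0` keeps the control flow and removes the noise. The `success=1` jump is positional, it only skips `pam_umask.so` while that is the very next line, so a comment in this `Session:` block stating that dependency would protect anyone adding a third entry later.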
@@ -1,3 +1,35 @@ +commit b85d48eb83005da8fd9edc658c71493f407e3670 +Author: Patrick Schleizer +Date: Fri Nov 3 10:31:59 2023 -0400 + + do not change default umask for root + + since this causes permission issues in `/etc/` + + https://github.com/Kicksecure/security-misc/pull/151 + +commit 07540db90d60b10cbd10881b0024d8e8871330de +Author: Patrick Schleizer +Date: Fri Nov 3 09:45:12 2023 -0400 + + Revert "Revert "set default umask to 027"" + + This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. + +commit f8913ceb2e2fdd274011377c41b5d08e7459e4af +Author: Patrick Schleizer +Date: Fri Nov 3 09:43:44 2023 -0400 + + Revert "set default umask to 027" + + This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. + +commit 43bd789c30a562aa60349d019107277a428aece8 +Author: Patrick Schleizer +Date: Fri Nov 3 09:28:08 2023 -0400 + + bumped changelog version + commit cd216095eb8d9387437e653d7764ec765ce42a10 Author: Patrick Schleizer Date: Fri Nov 3 09:12:24 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 62218f6..17e6553 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 + security-misc (3:32.5-1) unstable; urgency=medium * New upstream version (local package). From d71ac03d96c9861513ff56c68aec9090ef5c50bb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:36:15 -0400 Subject: [PATCH 0945/1650] comment --- usr/libexec/security-misc/permission-lockdown | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 1035450..973c70d 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -48,6 +48,8 @@ home_folder_access_rights_lockdown() { ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command ## required to run is sudo addgroup user1 user2. + ## See also: user private groups UPGs + ## https://wiki.debian.org/UserPrivateGroups echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" touch "/var/cache/security-misc/state-files/$user" From c33a3d9aadcc4c0ff90f330239eff4b7c905a022 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:44:48 -0400 Subject: [PATCH 0946/1650] readme --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index ea335fb..8ca39df 100644 --- a/README.md +++ b/README.md @@ -314,6 +314,8 @@ See: ### Strong user account separation +#### Permission Lockdown + Read, write and execute access for "others" are removed during package installation, upgrade or PAM `mkhomedir` for all users who have home folders in `/home` by running, for example: 
@@ -333,6 +335,30 @@ See: * `/usr/libexec/security-misc/permission-lockdown` * `/usr/share/pam-configs/mkhomedir-security-misc` +#### umask + +Default `umask` is set to `027` for files created by non-root users +such as for example user `user`. + +This is doing using pam module `pam_mkhomedir.so umask=027`. + +This means, files created by non-root users cannot be read by other +non-root users by default. While Permission Lockdown already protects +the `/home` folder, this protects other folders such as `/tmp`. + +`group` read permissions are not removed. +This is unnecessary due to Debian's use of User Private Groups (UPGs). +See also: https://wiki.debian.org/UserPrivateGroups + +Default `umask` is unchanged for root, because then configuration files +created in `/etc` by the system administrator would be unreadable by +"others" and break applications. Examples include `/etc/firefox-esr` and +`/etc/thunderbird`. + +See: + +* `/usr/share/pam-configs/umask-security-misc` + ### SUID / SGID removal and permission hardening Not enabled by default yet. From cdd66ee3762c441843d421a9e6b11a20580ed7ac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:48:46 -0400 Subject: [PATCH 0947/1650] wrap-and-sort --- debian/control | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 2e633aa..77d5704 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,10 @@ Source: security-misc Section: misc Priority: optional Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor +Build-Depends: config-package-dev, + debhelper (>= 13), + debhelper-compat (= 13), + dh-apparmor Homepage: https://www.kicksecure.com/wiki/Security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Git: https://github.com/Kicksecure/security-misc.git 
@@ -14,10 +17,20 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, - secure-delete, dmsetup, ${misc:Depends} -Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest +Depends: adduser, + apparmor-profile-dist, + dmsetup, + helper-scripts, + libcap2-bin, + libglib2.0-bin, + libpam-modules-bin, + libpam-runtime, + libpam-umask, + python3, + secure-delete, + sudo, + ${misc:Depends} +Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings https://github.com/Kicksecure/security-misc/blob/master/README.md . From ceffd2b3ee453122e66f594ec31dde6ec3bb7187 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:06:43 -0400 Subject: [PATCH 0948/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1730ff3..fcca49d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit cdd66ee3762c441843d421a9e6b11a20580ed7ac +Author: Patrick Schleizer +Date: Fri Nov 3 10:48:46 2023 -0400 + + wrap-and-sort + +commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 +Author: Patrick Schleizer +Date: Fri Nov 3 10:44:48 2023 -0400 + + readme + +commit d71ac03d96c9861513ff56c68aec9090ef5c50bb +Author: Patrick Schleizer +Date: Fri Nov 3 10:36:15 2023 -0400 + + comment + +commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a +Author: Patrick Schleizer +Date: Fri Nov 3 10:33:02 2023 -0400 + + bumped changelog version + commit b85d48eb83005da8fd9edc658c71493f407e3670 Author: Patrick Schleizer Date: Fri Nov 3 10:31:59 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 17e6553..0405737 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:32.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 + security-misc (3:32.6-1) unstable; urgency=medium * New upstream version (local package). From 7dc99d54c0358842745ee48c7cc24f589fd63d14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:09:39 -0400 Subject: [PATCH 0949/1650] fix --- debian/control | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/control b/debian/control index 385ce36..9a57d45 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,6 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Depends: adduser, apparmor-profile-dist, dmsetup, From 04b210ee88589ef9e6e214d3a5a614780244abc9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:10:48 -0400 Subject: [PATCH 0950/1650] bumped changelog version --- changelog.upstream | 41 +++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 47 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fcca49d..c8d0647 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,38 @@ +commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce +Merge: ceffd2b 8e66a41 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:33 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 +Merge: ceffd2b 7dc99d5 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:00 2023 -0400 + + Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening + + Depend on libpam-tmpdir for very solid extra security + +commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 +Author: Patrick Schleizer +Date: Fri Nov 3 12:09:39 2023 -0400 + + fix + +commit 2a602e78d6ca0f87f11de9a30ae2114468243075 +Merge: 3ee4be6 ceffd2b +Author: Patrick Schleizer +Date: Fri Nov 3 12:08:50 2023 -0400 + + Merge branch 'master' into PAM-tmp-files-hardening + +commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 +Author: Patrick Schleizer +Date: Fri Nov 3 12:06:43 2023 -0400 + + bumped changelog version + commit cdd66ee3762c441843d421a9e6b11a20580ed7ac Author: Patrick Schleizer Date: Fri Nov 3 10:48:46 2023 -0400 @@ -66,6 +101,12 @@ Date: Fri Nov 3 09:12:24 2023 -0400 https://github.com/Kicksecure/security-misc/pull/151 +commit 3ee4be652b28201ba208757ce5144e51c453ad70 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:36:58 2023 +0000 + + depend on libpam-tmpdir + commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 Author: Patrick Schleizer Date: Wed Nov 1 12:26:21 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0405737..2eb1001 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 + security-misc (3:32.7-1) unstable; urgency=medium * New upstream version (local package). From b6d53f698d0ad21a31da6bf74a44577a0c8869fc Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:17:00 -0400 Subject: [PATCH 0951/1650] Revert "allow loading unsigned modules due to issues" This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. --- debian/security-misc.maintscript | 3 --- etc/default/grub.d/40_only_allow_signed_modules.cfg | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f1664ee..1c4ea5e 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -3,9 +3,6 @@ rm_conffile /etc/sudoers.d/umask-security-misc -## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg new file mode 100644 index 0000000..5441292 --- /dev/null +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -0,0 +1,4 @@ +## Requires every module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This makes it harder to load a malicious module. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" From 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:17:24 -0400 Subject: [PATCH 0952/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c8d0647..2ff85d2 100644 --- a/changelog.upstream +++ b/changelog.upstream 
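Review bot: The header comment explains what `module.sig_enforce=1` does but not its operational cost: every out-of-tree module, including anything built by DKMS, must be signed with a key the running kernel trusts or it fails to load, which is presumably the "issues" behind the reverted commit 661bcd8603425934188cf139f33e20675ff4b765. Add `## Out-of-tree (DKMS) modules must be signed with a trusted key, otherwise they fail to load.` and point at the DKMS signing configuration under `/etc/dkms/` that patch 0954 moves to a drop-in, so the two pieces of hardening are visibly linked. The change is also kernel-wide and cannot be undone without a reboot, which is worth one line for whoever debugs a missing driver.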
@@ -1,3 +1,17 @@ +commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:00 2023 -0400 + + Revert "allow loading unsigned modules due to issues" + + This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. + +commit 04b210ee88589ef9e6e214d3a5a614780244abc9 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:48 2023 -0400 + + bumped changelog version + commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce Merge: ceffd2b 8e66a41 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 2eb1001..43a26d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 + security-misc (3:32.8-1) unstable; urgency=medium * New upstream version (local package). From d1b5a3ffd525ec92554ffc9c666f8007c8522aac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:55:34 -0400 Subject: [PATCH 0953/1650] /usr/sbin/pam-tmpdir-helper exactwhitelist https://github.com/Kicksecure/security-misc/pull/147 --- etc/permission-hardening.d/25_default_whitelist_pam.conf | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/permission-hardening.d/25_default_whitelist_pam.conf diff --git a/etc/permission-hardening.d/25_default_whitelist_pam.conf b/etc/permission-hardening.d/25_default_whitelist_pam.conf new file mode 100644 index 0000000..0c13f5d --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_pam.conf 
@@ -0,0 +1,9 @@
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Please use "/etc/permission-hardening.d/20_user.conf" or
+## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## configuration. When security-misc is updated, this file may be overwritten.
+
+## Without this, Xfce fails to start with a dbus-launch error.
+/usr/sbin/pam-tmpdir-helper exactwhitelist

From 0242c04dc26638dc1250e3f681b46d15459cf8aa Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 3 Nov 2023 14:51:14 -0400
Subject: [PATCH 0954/1650] port to DKMS drop-in folder

undisplace /etc/dkms/framework.conf.security-misc moved to /etc/dkms/framework.conf.d/30_security-misc.conf
---
 debian/security-misc.displace | 1 -
 debian/security-misc.undisplace | 1 +
 .../30_security-misc.conf} | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename etc/dkms/{framework.conf.security-misc => framework.conf.d/30_security-misc.conf} (100%)

diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index 54c5862..d80a247 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -3,4 +3,3 @@
 /etc/securetty.security-misc
 /etc/security/faillock.conf.security-misc
-/etc/dkms/framework.conf.security-misc
diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace
index 0b23381..4aed27c 100644
--- a/debian/security-misc.undisplace
+++ b/debian/security-misc.undisplace
@@ -3,3 +3,4 @@
 /etc/login.defs.security-misc
 /usr/bin/pkexec.security-misc
+/etc/dkms/framework.conf.security-misc
diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.d/30_security-misc.conf
similarity index 100%
rename from etc/dkms/framework.conf.security-misc
rename to etc/dkms/framework.conf.d/30_security-misc.conf

From 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d Mon Sep 17 00:00:00 2001
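Review bot: The `exactwhitelist` entry for `/usr/sbin/pam-tmpdir-helper` exempts a binary from the package's SUID/SGID stripping, but the comment records only the symptom (Xfce's dbus-launch error), not why the helper needs elevated bits, so a later reader cannot judge whether the exemption is still warranted. Presumably the helper is installed setuid root by `libpam-tmpdir` so it can create the per-user temp directories at session open — confirm against that package — and that is the fact worth writing down: `## pam-tmpdir-helper is shipped setuid root by libpam-tmpdir to create per-user temp directories at login; stripping the bit breaks session setup (Xfce fails to start with a dbus-launch error).` Naming the owning package in the comment also lets whoever drops the `libpam-tmpdir` dependency later find and remove this entry.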
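Review bot: Moving the dkms settings from the displaced `/etc/dkms/framework.conf` into `framework.conf.d/30_security-misc.conf` only keeps them in effect if the installed dkms actually reads that drop-in directory; on a dkms that predates `framework.conf.d` support the `undisplace` in this hunk restores the stock `framework.conf` and the hardening settings silently stop applying. The contents of the renamed file are not shown here (100% rename), so I cannot tell how much is lost in that case. I would either add a versioned `Depends:`/`Breaks:` on dkms matching the first release that reads the drop-in directory, or put a comment at the top of `30_security-misc.conf` stating the minimum dkms version it relies on.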
From: Patrick Schleizer Date: Fri, 3 Nov 2023 14:53:40 -0400 Subject: [PATCH 0955/1650] readme --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ca39df..96cab41 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,17 @@ TLB invalidation so devices will never be able to access stale data contents. * Distrust the 'randomly' generated CPU and bootloader seeds. -### Disables and blacklists kernel modules +### Kernel Modules +#### Kernel Module Signature Verification + +Not yet due to issues: +https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 + +See: + +* `/etc/default/grub.d/40_only_allow_signed_modules.cfg` + +#### Disables and blacklists kernel modules Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. From 97054b2b1076d6d428996967304b29620923eff4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 15:55:17 -0400 Subject: [PATCH 0956/1650] revert enabling kernel module signature enforcement due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359 --- README.md | 4 +++- etc/default/grub.d/40_only_allow_signed_modules.cfg | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 96cab41..21ea2fe 100644 --- a/README.md +++ b/README.md 
@@ -94,7 +94,9 @@ TLB invalidation so devices will never be able to access stale data contents. #### Kernel Module Signature Verification Not yet due to issues: -https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 + +* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +* https://github.com/dell/dkms/issues/359 See: diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg index 5441292..5d1a357 100644 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -1,4 +1,8 @@ ## Requires every module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. ## This makes it harder to load a malicious module. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" +## +## Not enabled by default yet due to issues: +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" From fbd9e5d017c4b00d838e9f225c7748c4b362f023 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 14:33:35 +0000 Subject: [PATCH 0957/1650] README.md --- README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 52 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 21ea2fe..1862005 100644 --- a/README.md +++ b/README.md 
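Review bot: Commenting out the `GRUB_CMDLINE_LINUX` line leaves `40_only_allow_signed_modules.cfg` as a no-op conffile, which is fine, but the new comment records only that enforcement is off, not what would let it come back. The linked dkms issue suggests the blocker is unsigned DKMS-built modules, and this package now ships its own dkms drop-in under `/etc/dkms/framework.conf.d/`, so the comment could point at the path forward: `## Re-enable once out-of-tree (DKMS) modules are signed with a key the running kernel trusts; see the dkms framework.conf signing options.` Whether a locally enrolled signing key is trusted for module loading without Secure Boot depends on the kernel's keyring configuration, so that prerequisite should be verified before the line is uncommented again.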
@@ -42,15 +42,21 @@ arbitrary code execution in kernel mode. * Prevents unintentional writes to attacker-controlled files. * Prevents common symlink and hardlink TOCTOU races. - + +* Disables SysRq completely. + * The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. * TCP timestamps are disabled as it can allow detecting the system time. +* Enforces the logging of martian packets, those with a source address which is blatantly wrong. + +* Set coredump file name based on core_pattern value instead of the default of naming it 'core'. + ### mmap ASLR * The bits of entropy used for mmap ASLR are maxed out via @@ -102,6 +108,10 @@ See: * `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +#### Disables the loading of new modules to the kernel after the fact + +A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. + #### Disables and blacklists kernel modules Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the @@ -111,9 +121,6 @@ Certain kernel modules are disabled and blacklisted by default to reduce attack increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. -* Bluetooth is disabled to reduce attack surface. Bluetooth has -a lengthy history of security concerns. - * Thunderbolt and numerous FireWire kernel modules are also disabled as they are often vulnerable to DMA attacks. 
@@ -170,7 +177,7 @@ of multiple vulnerabilities so it is disabled. * Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. * Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. - + ### Other * A systemd service clears the System.map file on boot as these contain kernel @@ -199,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least on `systemd` enabled systems. Not researched for non-`systemd` systems by the author of this part of the readme. -## Network hardening +## Network & Bluetooth hardening * TCP syncookies are enabled to prevent SYN flood attacks. @@ -216,6 +223,14 @@ dropping RST packets for sockets in the time-wait state. * Reverse path filtering is enabled to prevent IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. + We prevent this from happening by enabling the respective privacy extensions for IPv6. + +* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. + +* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings, +we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. + ## Entropy collection improvements * The `jitterentropy_rng` kernel module is loaded as early as possible 
@@ -230,6 +245,11 @@ audit, may contain weaknesses or a backdoor. For references, see: ## Restrictive mount options +A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. +Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. + + ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents @@ -373,6 +393,22 @@ See: ### SUID / SGID removal and permission hardening +#### SUID / SGID removal + +A systemd service removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. + +#### File permission hardening + +Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: + +* Limiting ```/home``` and ```/root``` to the root only. +* Limiting crontab to root as well as all the configuration files for cron. +* Limiting the configuration for cups and ssh. +* Protecting the information of sudoers from others. +* Protecting various system relevant files and modules. + + ## Application-specific hardening * Enables "`apt-get --error-on=any`" which makes apt exit non-zero for 
@@ -410,8 +446,13 @@ See: * Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. * Deactivates thumbnails in Thunar. -* Displays domain names in punycode (`network.IDN_show_punycode`) in -Thunderbird to prevent IDN homograph attacks (a form of phishing). +* Thunderbird is hardened with the following options: + * Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). + * Strips email client information for sent email headers. + * Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute. + * Disables scripting when viewing pdf files. + * Disables implicit outgoing connections. + * Disables all and any kind of telemetry. * Security and privacy enhancements for gnupg's config file `/etc/skel/.gnupg/gpg.conf`. See also: From a187d23c4187fd08611e5cba85d09666dfd9f735 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 20:56:08 +0000 Subject: [PATCH 0958/1650] big fix --- lib/systemd/system/harden-module-loading.service | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service index fb6f6fe..703658c 100644 --- a/lib/systemd/system/harden-module-loading.service +++ b/lib/systemd/system/harden-module-loading.service @@ -1,6 +1,7 @@ [Unit] Description=Disable the loading of modules to the kernel after startup. This could be malicious. After=systemd-modules-load.service +Before=sysinit.target # This functionality is implemented with this and not directly in the sysctl config is # to allow systemd-modules-load.service to load the modules with no problem but # to disallow anyone else do the same after the system boots up. From 19eceaa8108879ee5477b157fb2175993c487959 Mon Sep 17 00:00:00 2001 
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:56:46 +0000
Subject: [PATCH 0959/1650] more fix

---
 usr/libexec/security-misc/disable-kernel-module-loading | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
index 47b5f71..6d4d25d 100644
--- a/usr/libexec/security-misc/disable-kernel-module-loading
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -2,4 +2,4 @@
 sysctl -w kernel.modules_disabled=1
-echo "The loading of new modules to the kernel has been disabled by security-misc" >&2
+echo "The loading of new modules to the kernel has been disabled by security-misc"

From 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 21:18:45 +0000
Subject: [PATCH 0960/1650] undo unnecessary manual activation

---
 debian/security-misc.postinst | 2 --
 1 file changed, 2 deletions(-)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 3c9bcb2..04410d9 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -61,8 +61,6 @@ pam-auth-update --package
 /usr/libexec/security-misc/permission-lockdown
 permission_hardening
-systemctl enable disable-module-loading.service
-
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
 ## https://bugs.debian.org/481542

From f6bf69b41fa3e1168c2c49884197770e1a78b888 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 5 Nov 2023 11:31:09 -0500
Subject: [PATCH 0961/1650] update link

---
 debian/security-misc.preinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 43f8e2c..82fa257 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
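Review bot: The exit status of `sysctl -w kernel.modules_disabled=1` on the context line above the changed `echo` is never checked, so if the write fails (read-only `/proc/sys` in a container, `sysctl` missing, a kernel that refuses the write) the unit still exits 0 and prints that module loading "has been disabled" — a false success message for a control whose whole point is that it cannot be undone later. Line 1 of the script is outside the hunk, so I cannot tell whether `set -e` is in effect; even if it is, an explicit check is clearer: `sysctl -w kernel.modules_disabled=1 || exit 1` followed by `[ "$(cat /proc/sys/kernel/modules_disabled)" = "1" ] || exit 1` before the message. Moving the message from stderr to stdout is harmless since the journal captures both, but it should only be printed once the value has actually been verified.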
@@ -100,7 +100,7 @@ sudo_users_check () { echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 + echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 if [ "$SECURITY_MISC_INSTALL" = "force" ]; then output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." From dcead44cc6d4272b0966562046f9dab1792845b6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Nov 2023 11:32:46 -0500 Subject: [PATCH 0962/1650] output --- debian/security-misc.preinst | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 82fa257..dc032b1 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -95,6 +95,7 @@ sudo_users_check () { ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 + echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 From 93437952b4f64866dfe6067d8caf19415112418d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Nov 2023 14:41:01 -0500 Subject: [PATCH 0963/1650] readme --- README.md | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 1862005..a88b7f3 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ arbitrary code execution in kernel mode. Secure Attention Key. --> * Disables SysRq completely. - + * The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. 
@@ -177,7 +177,7 @@ of multiple vulnerabilities so it is disabled. * Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. * Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. - + ### Other * A systemd service clears the System.map file on boot as these contain kernel @@ -206,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least on `systemd` enabled systems. Not researched for non-`systemd` systems by the author of this part of the readme. -## Network & Bluetooth hardening +## Network hardening * TCP syncookies are enabled to prevent SYN flood attacks. 
@@ -225,11 +225,13 @@ vulnerabilities such as CVE-2019-14899. * Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. - + * In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. -* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings, -we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. +## Network & Bluetooth hardening + +* Not done yet, pending, see: https://github.com/Kicksecure/security-misc/pull/145 + * planned: Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnerabilities. Unlike the default settings, we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. ## Entropy collection improvements @@ -248,25 +250,10 @@ audit, may contain weaknesses or a backdoor. For references, see: A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. - ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents 
@@ -407,7 +394,7 @@ Various file permissions are reset with more secure and hardened defaults. These * Limiting the configuration for cups and ssh. * Protecting the information of sudoers from others. * Protecting various system relevant files and modules. - + -* Disables SysRq completely. +- Prevents common symlink and hardlink TOCTOU races. ``{=html} -* The kernel is only allowed to swap if it is absolutely necessary. This -prevents writing potentially sensitive contents of memory to disk. +- Disables SysRq completely. -* TCP timestamps are disabled as it can allow detecting the system time. +- The kernel is only allowed to swap if it is absolutely necessary. This + prevents writing potentially sensitive contents of memory to disk. -* Enforces the logging of martian packets, those with a source address which is blatantly wrong. +- TCP timestamps are disabled as it can allow detecting the system time. -* Set coredump file name based on core_pattern value instead of the default of naming it 'core'. +- Enforces the logging of martian packets, those with a source address which + is blatantly wrong. + +- Set coredump file name based on core_pattern value instead of the default of + naming it 'core'. ### mmap ASLR -* The bits of entropy used for mmap ASLR are maxed out via -`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of -`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that -the kernel was built with), therefore improving its effectiveness. +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. ### Boot parameters Boot parameters are outlined in configuration files located in the `etc/default/grub.d/` directory. 
-* Slab merging is disabled which significantly increases the difficulty of -heap exploitation by preventing overwriting objects from merged caches and -by making it harder to influence slab cache layout. +- Slab merging is disabled which significantly increases the difficulty of + heap exploitation by preventing overwriting objects from merged caches and + by making it harder to influence slab cache layout. -* Memory zeroing at allocation and free time is enabled to mitigate some -use-after-free vulnerabilities and erase sensitive information in memory. +- Memory zeroing at allocation and free time is enabled to mitigate some + use-after-free vulnerabilities and erase sensitive information in memory. -* Page allocator freelist randomization is enabled. +- Page allocator freelist randomization is enabled. -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. +- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase + KASLR effectiveness. -* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, -are a potential target for ROP. +- vsyscalls are disabled as they are obsolete, are at fixed addresses and + thus, are a potential target for ROP. -* The kernel panics on oopses to thwart certain kernel exploits. +- The kernel panics on oopses to thwart certain kernel exploits. -* Enables randomisation of the kernel stack offset on syscall entries. +- Enables randomisation of the kernel stack offset on syscall entries. -* All mitigations for known CPU vulnerabilities are enabled and SMT is -disabled. +- All mitigations for known CPU vulnerabilities are enabled and SMT is + disabled. -* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU -TLB invalidation so devices will never be able to access stale data contents. 
+- IOMMU is enabled to prevent DMA attacks along with strict enforcement of + IOMMU TLB invalidation so devices will never be able to access stale data + contents. -* Distrust the 'randomly' generated CPU and bootloader seeds. +- Distrust the 'randomly' generated CPU and bootloader seeds. ### Kernel Modules + #### Kernel Module Signature Verification Not yet due to issues: -* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -* https://github.com/dell/dkms/issues/359 +- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +- https://github.com/dell/dkms/issues/359 See: -* `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact Not yet due to issues: -* https://github.com/Kicksecure/security-misc/pull/152 +- https://github.com/Kicksecure/security-misc/pull/152 -A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. +A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, +preventing new modules from being loaded. Since this isn't configured directly +within systemctl, it does not break the loading of legitimate and necessary +modules for the user, like drivers etc., given they are plugged in on startup. #### Disables and blacklists kernel modules -Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the -`/etc/modprobe.d/30_security-misc.conf` configuration file. 
+Certain kernel modules are disabled and blacklisted by default to reduce attack +surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. -* Deactivates Netfilter's connection tracking helper - this module -increases kernel attack surface by enabling superfluous functionality -such as IRC parsing in the kernel. Hence, this feature is disabled. +- Deactivates Netfilter's connection tracking helper - this module increases + kernel attack surface by enabling superfluous functionality such as IRC + parsing in the kernel. Hence, this feature is disabled. -* Thunderbolt and numerous FireWire kernel modules are also disabled as they are -often vulnerable to DMA attacks. +- Thunderbolt and numerous FireWire kernel modules are also disabled as they + are often vulnerable to DMA attacks. -* The MSR kernel module is disabled to prevent CPU MSRs from being -abused to write to arbitrary memory. +- The MSR kernel module is disabled to prevent CPU MSRs from being abused to + write to arbitrary memory. -* Uncommon network protocols are blacklisted. This includes: +- Uncommon network protocols are blacklisted. 
This includes: - DCCP - Datagram Congestion Control Protocol +DCCP - Datagram Congestion Control Protocol - SCTP - Stream Control Transmission Protocol +SCTP - Stream Control Transmission Protocol - RDS - Reliable Datagram Sockets +RDS - Reliable Datagram Sockets - TIPC - Transparent Inter-process Communication +TIPC - Transparent Inter-process Communication - HDLC - High-Level Data Link Control +HDLC - High-Level Data Link Control - AX25 - Amateur X.25 +AX25 - Amateur X.25 - NetRom +NetRom - X25 +X25 - ROSE +ROSE - DECnet +DECnet - Econet +Econet - af_802154 - IEEE 802.15.4 +af_802154 - IEEE 802.15.4 - IPX - Internetwork Packet Exchange +IPX - Internetwork Packet Exchange - AppleTalk +AppleTalk - PSNAP - Subnetwork Access Protocol +PSNAP - Subnetwork Access Protocol - p8023 - Novell raw IEEE 802.3 +p8023 - Novell raw IEEE 802.3 - p8022 - IEEE 802.2 +p8022 - IEEE 802.2 - CAN - Controller Area Network +CAN - Controller Area Network - ATM +ATM -* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. +- Disables a large array of uncommon file systems and network file systems + that reduces the attack surface especially against legacy approaches. -* The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is disabled. +- The vivid kernel module is only required for testing and has been the cause + of multiple vulnerabilities so it is disabled. -* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +- Provides some disabling of the interface between the [Intel Management + Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) + and the OS. 
-* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. +- Incorporates much of + [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) + default blacklist of modules to be blocked from automatically loading. + However, they are still permitted to load. -* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. +- Blocks automatic loading of the modules needed to use of CD-ROM devices by + default. Not completely disabled yet. ### Other -* A systemd service clears the System.map file on boot as these contain kernel -pointers. The file is completely overwritten with zeroes to ensure it cannot -be recovered. See: +- A systemd service clears the System.map file on boot as these contain kernel + pointers. The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` @@ -194,8 +208,8 @@ be recovered. See: `/usr/libexec/security-misc/remove-system.map` -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. See: +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. See: `/etc/security/limits.d/30_security-misc.conf` 
@@ -203,119 +217,128 @@ encryption keys or passwords. See: `/lib/systemd/coredump.conf.d/30_security-misc.conf` -* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and -`/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. This is implemented for `initramfs-tools` only because -this is not needed for `dracut` because `dracut` does that by default, at least -on `systemd` enabled systems. Not researched for non-`systemd` systems by the -author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` because `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening -* TCP syncookies are enabled to prevent SYN flood attacks. +- TCP syncookies are enabled to prevent SYN flood attacks. -* ICMP redirect acceptance, ICMP redirect sending, source routing and -IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. +- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 + router advertisements are disabled to prevent man-in-the-middle attacks. -* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, -make the device more difficult to enumerate on the network and prevent clock -fingerprinting through ICMP timestamps. +- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, + make the device more difficult to enumerate on the network and prevent clock + fingerprinting through ICMP timestamps. -* RFC1337 is enabled to protect against time-wait assassination attacks by -dropping RST packets for sockets in the time-wait state. 
+- RFC1337 is enabled to protect against time-wait assassination attacks by + dropping RST packets for sockets in the time-wait state. -* Reverse path filtering is enabled to prevent IP spoofing and mitigate -vulnerabilities such as CVE-2019-14899. +- Reverse path filtering is enabled to prevent IP spoofing and mitigate + vulnerabilities such as CVE-2019-14899. -* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. - We prevent this from happening by enabling the respective privacy extensions for IPv6. +- Unlike version 4, IPv6 addresses can provide information not only about the + originating network, but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. -* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. +- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection per + default. See: -* `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -* `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -* `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` ## Network & Bluetooth hardening -* Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we start -bluetooth turned off on system start and it stays that way unless the user -explicitly chooses to turn bluetooth on. The user is left with the freedom to easily -switch bluetooth on and off the usual way with his own discretion. 
We set significantly -more private defaults for bluetooth connections by enforcing private addresses and -strict timeout settings for discoverability and visibility. That being said, the most -secure and private bluetooth connection might inherently come with risks by its nature -and may be prone to exploits, as it has a history of having new security vulnurabilities -often. So users are recommended to choose not to use bluetooth when given the option. +- Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we + start bluetooth turned off on system start and it stays that way unless the + user explicitly chooses to turn bluetooth on. The user is left with the + freedom to easily switch bluetooth on and off the usual way with his own + discretion. We set significantly more private defaults for bluetooth + connections by enforcing private addresses and strict timeout settings for + discoverability and visibility. That being said, the most secure and private + bluetooth connection might inherently come with risks by its nature and may + be prone to exploits, as it has a history of having new security + vulnurabilities often. So users are recommended to choose not to use + bluetooth when given the option. See: -* `/etc/bluetooth/30_security-misc.conf` -* https://github.com/Kicksecure/security-misc/pull/145 +- `/etc/bluetooth/30_security-misc.conf` +- https://github.com/Kicksecure/security-misc/pull/145 ## Entropy collection improvements -* The `jitterentropy_rng` kernel module is loaded as early as possible -during boot to gather more entropy via the -`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. 
For references, see: -`/etc/default/grub.d/40_distrust_cpu.cfg` +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. For references, see: + `/etc/default/grub.d/40_distrust_cpu.cfg` -* Gathers more entropy during boot if using the linux-hardened kernel patch. +- Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options -A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. -Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. +A systemd service is triggered on boot to remount all sensitive partitions and +directories with significantly more secure hardened mount options. Since this +would require manual tuning for a given specific system, we handle it by +creating a very solid configuration file for that very system on package +install. Not enabled by default yet. In development. Help welcome. -* https://github.com/Kicksecure/security-misc/pull/152 -* https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +- https://github.com/Kicksecure/security-misc/pull/152 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions -* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts - -`/usr/share/pam-configs/wheel-security-misc` -(which results in a change in file `/etc/pam.d/common-auth`). 
+- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). -* Add user `root` to group `sudo`. This is required due to the above restriction so -that logging in from a virtual console is still possible - `debian/security-misc.postinst` +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` -* Abort login for users with locked passwords - -`/usr/libexec/security-misc/pam-abort-on-locked-password`. +- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty` file -(deletion of `/etc/securetty` has a different effect). +- Logging into the root account from a virtual, serial, whatnot console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). -This package does not yet automatically lock the root account password. It -is not clear if this would be sane in such a package although, it is recommended -to lock and expire the root account. +This package does not yet automatically lock the root account password. It is +not clear if this would be sane in such a package although, it is recommended to +lock and expire the root account. In new Kicksecure builds, root account will be locked by package dist-base-files. 
See: -* https://www.kicksecure.com/wiki/Root -* https://www.kicksecure.com/wiki/Dev/Permissions -* https://forums.whonix.org/t/restrict-root-access/7658 +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. -This is the same solution that Debian will likely adapt for Debian -installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 +Therefore, this package enables passwordless rescue and emergency shell. This is +the same solution that Debian will likely adapt for Debian installer: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -* `/etc/systemd/system/emergency.service.d/override.conf` -* `/etc/systemd/system/rescue.service.d/override.conf` +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password protection, GRUB password protection and/or full disk encryption. 
@@ -324,16 +347,16 @@ protection, GRUB password protection and/or full disk encryption. This uses pam_access to allow members of group `console` to use console but restrict everyone else (except members of group `console-unrestricted`) from -using console with ancient, unpopular login methods such as `/bin/login` -over networks as this might be exploitable. (CVE-2001-0797) +using console with ancient, unpopular login methods such as `/bin/login` over +networks as this might be exploitable. (CVE-2001-0797) -This is not enabled by default in this package since this package does not -know which users shall be added to group 'console' and thus, would break console. +This is not enabled by default in this package since this package does not know +which users shall be added to group 'console' and thus, would break console. See: -* `/usr/share/pam-configs/console-lockdown-security-misc` -* `/etc/security/access-security-misc.conf` +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` ## Brute force attack protection @@ -341,16 +364,16 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out that there is no password feedback for `su`. -* Explain locked root account if locked. +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. See: -* `/usr/share/pam-configs/tally2-security-misc` -* `/usr/libexec/security-misc/pam-info` -* `/usr/libexec/security-misc/pam-abort-on-locked-password` +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions 
@@ -359,65 +382,64 @@ See: #### Permission Lockdown Read, write and execute access for "others" are removed during package -installation, upgrade or PAM `mkhomedir` for all users who have home -folders in `/home` by running, for example: +installation, upgrade or PAM `mkhomedir` for all users who have home folders in +`/home` by running, for example: -``` -chmod o-rwx /home/user -``` + chmod o-rwx /home/user -This will be done only once per folder in `/home` so users who wish to -relax file permissions are free to do so. This is to protect files in a -home folder that were previously created with lax file permissions prior -to the installation of this package. +This will be done only once per folder in `/home` so users who wish to relax +file permissions are free to do so. This is to protect files in a home folder +that were previously created with lax file permissions prior to the installation +of this package. See: -* `debian/security-misc.postinst` -* `/usr/libexec/security-misc/permission-lockdown` -* `/usr/share/pam-configs/mkhomedir-security-misc` +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` #### umask -Default `umask` is set to `027` for files created by non-root users -such as for example user `user`. +Default `umask` is set to `027` for files created by non-root users such as for +example user `user`. This is doing using pam module `pam_mkhomedir.so umask=027`. -This means, files created by non-root users cannot be read by other -non-root users by default. While Permission Lockdown already protects -the `/home` folder, this protects other folders such as `/tmp`. +This means, files created by non-root users cannot be read by other non-root +users by default. While Permission Lockdown already protects the `/home` folder, +this protects other folders such as `/tmp`. -`group` read permissions are not removed. 
-This is unnecessary due to Debian's use of User Private Groups (UPGs). -See also: https://wiki.debian.org/UserPrivateGroups +`group` read permissions are not removed. This is unnecessary due to Debian's +use of User Private Groups (UPGs). See also: +https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root, because then configuration files -created in `/etc` by the system administrator would be unreadable by -"others" and break applications. Examples include `/etc/firefox-esr` and -`/etc/thunderbird`. +Default `umask` is unchanged for root, because then configuration files created +in `/etc` by the system administrator would be unreadable by "others" and break +applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. See: -* `/usr/share/pam-configs/umask-security-misc` +- `/usr/share/pam-configs/umask-security-misc` ### SUID / SGID removal and permission hardening #### SUID / SGID removal -A systemd service removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. +A systemd service removes SUID / SGID bits from non-essential binaries as these +are often used in privilege escalation attacks. #### File permission hardening -Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: +Various file permissions are reset with more secure and hardened defaults. These +include but are not limited to: -* Limiting ```/home``` and ```/root``` to the root only. -* Limiting crontab to root as well as all the configuration files for cron. -* Limiting the configuration for cups and ssh. -* Protecting the information of sudoers from others. -* Protecting various system relevant files and modules. +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. 
+- Protecting various system relevant files and modules. +```{=html} +``` ## Application-specific hardening -* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus - -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -* Deactivates thumbnails in Thunar. -* Thunderbird is hardened with the following options: - * Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). - * Strips email client information for sent email headers. - * Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute. - * Disables scripting when viewing pdf files. - * Disables implicit outgoing connections. - * Disables all and any kind of telemetry. -* Security and privacy enhancements for gnupg's config file -`/etc/skel/.gnupg/gpg.conf`. See also: - * https://raw.github.com/ioerror/torbirdy/master/gpg.conf - * https://github.com/ioerror/torbirdy/pull/11 +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). + - Strips email client information for sent email headers. + - Stripts user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. 
+ - Disables scripting when viewing pdf files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 ### project scope of application-specific hardening Added in December 2023. -Before sending pull requests to harden arbitrary applications, please note the scope of security-misc is limited to default installed applications in Kicksecure, Whonix. This includes: +Before sending pull requests to harden arbitrary applications, please note the +scope of security-misc is limited to default installed applications in +Kicksecure, Whonix. This includes: -* Thunderbird, VLC Media Player, KeepassXC -* Debian Specific System Components (APT, DPKG) -* System Services (NetworkManager IPv6 privacy options, MAC address randomization) -* Actually used development utilities such as `git`. +- Thunderbird, VLC Media Player, KeepassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. -It will not be possible to review and merge "1500" settings profiles for arbitrary applications outside of this context. +It will not be possible to review and merge "1500" settings profiles for +arbitrary applications outside of this context. -The main objective of security-misc is to harden Kicksecure and its derivatives, such as Whonix, by implementing robust security settings. It's designed to be compatible with Debian, reflecting a commitment to clean implementation and sound design principles. However, it's important to note that security-misc is a component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. 
Instead, specific security enhancements, like for example recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). +The main objective of security-misc is to harden Kicksecure and its derivatives, +such as Whonix, by implementing robust security settings. It's designed to be +compatible with Debian, reflecting a commitment to clean implementation and +sound design principles. However, it's important to note that security-misc is a +component of Kicksecure, not a substitute for it. The intention isn't to +recreate Kicksecure within security-misc. Instead, specific security +enhancements, like for example recommending a curated list of security-focused +default packages (e.g., `libpam-tmpdir`), should be integrated directly into +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). -Discussion: -https://github.com/Kicksecure/security-misc/issues/154 +Discussion: https://github.com/Kicksecure/security-misc/issues/154 ### development philosophy Added in December 2023. -"Maintainability is a key priority [1]. Before modifying settings in the downstream security-misc, it's essential to first engage with upstream developers to propose these changes as defaults. This step should only be bypassed if there's a clear, prior indication from upstream that such changes won't be accepted. Additionally, before implementing any workarounds, consulting with upstream is necessary to future unmaintainable complexity. +"Maintainability is a key priority \[1\]. Before modifying settings in the +downstream security-misc, it's essential to first engage with upstream +developers to propose these changes as defaults. This step should only be +bypassed if there's a clear, prior indication from upstream that such changes +won't be accepted. 
Additionally, before implementing any workarounds, consulting +with upstream is necessary to future unmaintainable complexity. -If debugging features are disabled, pull requests won't be merged until there is a corresponding pull request for the debug-misc package to re-enable these. This is to avoid configuring the system into a corner where it can be no longer debugged. +If debugging features are disabled, pull requests won't be merged until there is +a corresponding pull request for the debug-misc package to re-enable these. This +is to avoid configuring the system into a corner where it can be no longer +debugged. -[1] https://www.kicksecure.com/wiki/Dev/maintainability +\[1\] https://www.kicksecure.com/wiki/Dev/maintainability ## Opt-in hardening Some hardening is opt-in as it causes too much breakage to be enabled by default. -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing another user's processes. This is disabled by -default because it is incompatible with `pkexec`. It can be enabled by -executing `systemctl enable proc-hidepid.service` as root. +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -executing `systemctl enable hide-hardware-info.service` as root. +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and + `/sys` to the root user. 
This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. ## miscellaneous -* hardened malloc compatibility for haveged workaround -`/lib/systemd/system/haveged.service.d/30_security-misc.conf` +- hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` -* set `dracut` `reproducible=yes` setting +- set `dracut` `reproducible=yes` setting ## legal @@ -528,14 +573,14 @@ https://github.com/Kicksecure/security-misc/pull/167 ## Related -* Linux Kernel Runtime Guard (LKRG) -* tirdad - TCP ISN CPU Information Leak Protection. -* Kicksecure (TM) - a security-hardened Linux Distribution -* And more. -* https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Kicksecure/tirdad -* https://www.kicksecure.com -* https://github.com/Kicksecure +- Linux Kernel Runtime Guard (LKRG) +- tirdad - TCP ISN CPU Information Leak Protection. +- Kicksecure (TM) - a security-hardened Linux Distribution +- And more. +- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +- https://github.com/Kicksecure/tirdad +- https://www.kicksecure.com +- https://github.com/Kicksecure ## Discussion 
@@ -551,20 +596,23 @@ See https://www.kicksecure.com/wiki/Security-misc#install Can be build using standard Debian package build tools such as: -``` -dpkg-buildpackage -b -``` + dpkg-buildpackage -b -See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) +See instructions. (Replace `generic-package` with the actual name of this +package `security-misc`.) -* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +- **A)** + [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), + *OR* +- **B)** [including verifying software + signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact -* [Free Forum Support](https://forums.kicksecure.com) -* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) +- [Free Forum Support](https://forums.kicksecure.com) +- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to +stay alive! From 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 08:45:20 -0500 Subject: [PATCH 1045/1650] formatting --- README.md | 56 +++++++++++++++++++------------------------------------ 1 file changed, 19 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 65b89ef..6506a92 100644 --- a/README.md +++ b/README.md 
@@ -140,43 +140,25 @@ surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. - Uncommon network protocols are blacklisted. This includes: -DCCP - Datagram Congestion Control Protocol - -SCTP - Stream Control Transmission Protocol - -RDS - Reliable Datagram Sockets - -TIPC - Transparent Inter-process Communication - -HDLC - High-Level Data Link Control - -AX25 - Amateur X.25 - -NetRom - -X25 - -ROSE - -DECnet - -Econet - -af_802154 - IEEE 802.15.4 - -IPX - Internetwork Packet Exchange - -AppleTalk - -PSNAP - Subnetwork Access Protocol - -p8023 - Novell raw IEEE 802.3 - -p8022 - IEEE 802.2 - -CAN - Controller Area Network - -ATM + - DCCP - Datagram Congestion Control Protocol + - SCTP - Stream Control Transmission Protocol + - RDS - Reliable Datagram Sockets + - TIPC - Transparent Inter-process Communication + - HDLC - High-Level Data Link Control + - AX25 - Amateur X.25 + - NetRom + - X25 + - ROSE + - DECnet + - Econet + - af_802154 - IEEE 802.15.4 + - IPX - Internetwork Packet Exchange + - AppleTalk + - PSNAP - Subnetwork Access Protocol + - p8023 - Novell raw IEEE 802.3 + - p8022 - IEEE 802.2 + - CAN - Controller Area Network + - ATM - Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. From 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:04:10 -0500 Subject: [PATCH 1046/1650] readme --- README.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 6506a92..a8b8bbf 100644 --- a/README.md +++ b/README.md 
@@ -41,12 +41,11 @@ configuration file. - Prevents unintentional writes to attacker-controlled files. -- Prevents common symlink and hardlink TOCTOU races. ``{=html} +- Prevents common symlink and hardlink TOCTOU races. -- Disables SysRq completely. +- Disables SysRq key completely. + * Therefore Secure Attention Key (SAK) cannot be used. + * https://www.kicksecure.com/wiki/SysRq - The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. @@ -278,7 +277,7 @@ install. Not enabled by default yet. In development. Help welcome. -- https://github.com/Kicksecure/security-misc/pull/152 +- https://github.com/Kicksecure/security-misc/issues/157 - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions @@ -421,18 +420,21 @@ include but are not limited to: - Protecting the information of sudoers from others. - Protecting various system relevant files and modules. -```{=html} - -``` + ## Application-specific hardening - Enables "`apt-get --error-on=any`" which makes apt exit non-zero for From 0810c1ce3c9e19c745b8f0d2cd9410353b172779 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:10:31 -0500 Subject: [PATCH 1047/1650] fix bluetooth in readme fixes https://github.com/Kicksecure/security-misc/issues/180 --- README.md | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index a8b8bbf..48e285e 100644 --- a/README.md +++ b/README.md 
@@ -236,24 +236,34 @@ See: - `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` - `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` -## Network & Bluetooth hardening +## Bluetooth Hardening -- Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we - start bluetooth turned off on system start and it stays that way unless the - user explicitly chooses to turn bluetooth on. The user is left with the - freedom to easily switch bluetooth on and off the usual way with his own - discretion. We set significantly more private defaults for bluetooth - connections by enforcing private addresses and strict timeout settings for - discoverability and visibility. That being said, the most secure and private - bluetooth connection might inherently come with risks by its nature and may - be prone to exploits, as it has a history of having new security - vulnurabilities often. So users are recommended to choose not to use - bluetooth when given the option. +### Bluetooth Status: Enabled but Defaulted to Off -See: +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth. -- `/etc/bluetooth/30_security-misc.conf` -- https://github.com/Kicksecure/security-misc/pull/145 +- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands. + +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility. 
+ +- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible. + +### Configuration Details + +- See configuration: `/etc/bluetooth/30_security-misc.conf` +- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) + +### Understanding Bluetooth Terms + +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way. + +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules. + +### Quick Toggle Guide + +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second. + +- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position. ## Entropy collection improvements From 269fada14a616c53d7421e88e662f6893eb1fd88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:25:14 -0500 Subject: [PATCH 1048/1650] combine bind lines https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 35 +++++++++++----------------- 1 file changed, 13 insertions(+), 22 deletions(-) 
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 2cae2ad..15c6228 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -1,41 +1,32 @@ # -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 +/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 -proc /proc proc defaults 0 0 +proc /proc proc defaults 0 0 -/dev /dev none bind 0 0 -/dev /dev none remount,nosuid,noexec 0 0 +/dev /dev none bind,remount,nosuid,noexec 0 0 ## noexec optional -/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 +/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 -/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 +/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 -/boot /boot none bind 0 0 -/boot /boot none remount,nosuid,nodev,noexec 0 0 +/boot /boot none bind,remount,nosuid,nodev,noexec 0 0 -/lib /lib none bind 0 0 -/lib /lib none remount,nosuid,nodev 0 0 +/lib /lib none bind,remount,nosuid,nodev 0 0 ## noexec optional -/tmp /tmp none bind 0 0 -/tmp /tmp none remount,nosuid,nodev,noexec 0 0 +/tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0 -/var /var none bind 0 0 -/var /var none remount,nosuid,nodev 0 0 +/var /var none bind,remount,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none bind 0 0 -/var/tmp /var/tmp none remount,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none bind,remount,nosuid,nodev,noexec 0 0 -/var/log /var/log none bind 0 0 -/var/log /var/log none remount,nosuid,nodev,noexec 0 0 +/var/log /var/log none bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none bind 0 0 -/run /run none remount,nosuid,nodev,noexec 0 0 +/run /run none bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none bind 0 0 -/home /home none remount,nosuid,nodev,noexec 0 0 +/home /home none bind,remount,nosuid,nodev,noexec 0 0 From b0dd967611c27f5b8e2472bb74a664aead7a229e Mon Sep 17 00:00:00 2001 
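Review bot: Folding `bind` and `remount` into one fstab entry, as every bind line in this hunk now does, relies on a single `mount` invocation applying the `nosuid`/`nodev`/`noexec` flags to the fresh bind mount, which the previous two-line form made explicit; whether the boot-time fstab processing (systemd-fstab-generator) honours a `remount` option inside a regular entry is not shown here and should be verified rather than assumed. After a boot with this file, check the effective flags with `findmnt -o TARGET,OPTIONS /dev /boot /var /tmp /home` — if any target lacks the expected `nosuid`/`noexec`, the combined entry is being mounted without the hardening. A comment above the first bind entry such as `## bind + flags in one entry; verify with findmnt after boot` would record the assumption for whoever maintains this file next.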
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:27:45 -0500 Subject: [PATCH 1049/1650] usrmerge https://github.com/Kicksecure/security-misc/issues/157 --- usr/bin/remount-secure | 11 ----------- usr/share/doc/security-misc/fstab-vm | 2 -- 2 files changed, 13 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index a81f43f..0a0c38e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -255,17 +255,6 @@ _var() { remount_secure } -_lib() { - mount_folder="$NEWROOT/lib" - ## Cannot use noexec on /lib as per: - ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 - ## There are many executables in /lib. To check: - ## sudo find /var/lib -type f -executable - ## sudo find /var/lib -type f -executable ! -type l - intended_mount_options="nosuid,nodev" - remount_secure -} - _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${home_noexec_maybe}" diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 15c6228..25c9593 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -13,8 +13,6 @@ proc /proc pr /boot /boot none bind,remount,nosuid,nodev,noexec 0 0 -/lib /lib none bind,remount,nosuid,nodev 0 0 - ## noexec optional /tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0 From 55709b3aa0acd6cad0c9fedb8782c49fbea79689 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:30:57 -0500 Subject: [PATCH 1050/1650] /tmp tmpfs https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 25c9593..829dd0d 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
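Review bot: Removing `_lib()` drops the `nosuid,nodev` treatment of libraries without a replacement: on a usrmerged system `/lib` is a symlink to `/usr/lib`, so the old entry effectively covered `/usr/lib`, and nothing in this diff adds an entry for that path. A replacement cannot simply target `/usr`, because `/usr/bin` holds the SUID binaries the system depends on (`su`, `sudo`, `passwd`); an entry scoped to the library directory, `/usr/lib /usr/lib none bind,nosuid,nodev 0 0`, and a matching `_usr_lib()` with `intended_mount_options="nosuid,nodev"` would keep the previous coverage. The dispatch code that invokes these functions lies outside the hunk; if `_lib` is still called there, the script now fails on an undefined function under `set -e`.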
@@ -14,7 +14,7 @@ proc /proc pr /boot /boot none bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0 +/tmp /tmp tmpfs bind,remount,nosuid,nodev,noexec 0 0 /var /var none bind,remount,nosuid,nodev 0 0 From 00f9ab43947795c1144d797547968c7c149d6f21 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:36:05 -0500 Subject: [PATCH 1051/1650] /dev devtmpfs https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 829dd0d..e2df094 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -4,7 +4,7 @@ proc /proc proc defaults 0 0 -/dev /dev none bind,remount,nosuid,noexec 0 0 +/dev /dev devtmpfs bind,remount,nosuid,noexec 0 0 ## noexec optional /dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 From 0d9e9780daca563a726470a3a5d6fa8c20487240 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:37:14 -0500 Subject: [PATCH 1052/1650] formatting https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index e2df094..ef56409 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -1,4 +1,4 @@ -# +# /dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 From 2b7aeedb4a543d0a43a35918999338097d13bb16 Mon Sep 17 00:00:00 2001 
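Review bot: Changing the type column to `tmpfs` has no effect while the `bind` option is present, because a bind mount ignores the filesystem type: this entry still binds `/tmp` onto itself on the root filesystem and no tmpfs is created, and the same applies to the `devtmpfs` change for `/dev` in the following hunk. To actually get a tmpfs-backed `/tmp` the entry needs a pseudo-device source and no `bind`, i.e. `tmpfs /tmp tmpfs nosuid,nodev,noexec 0 0`. If the intent is only to harden whatever is already mounted at `/tmp`, keep `none` as the type so the entry does not advertise a tmpfs that is never mounted.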
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:44:51 -0500 Subject: [PATCH 1053/1650] mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and nodev,nosuid,noexec as per: https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index ef56409..cbd240c 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -9,7 +9,8 @@ proc /proc pr ## noexec optional /dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 -/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 +## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html +/dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 /boot /boot none bind,remount,nosuid,nodev,noexec 0 0 From 4aa645f29ff741b6e5cdf629deade1923fdcc234 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:46:33 -0500 Subject: [PATCH 1054/1650] comment https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index cbd240c..ee704c4 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -9,6 +9,7 @@ proc /proc pr ## noexec optional /dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 +## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html /dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 From 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 Mon Sep 17 00:00:00 2001 
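Review bot: The rewritten `/dev/cdrom` entry drops `noauto`, so `mount -a` and the fstab generator now try to mount the optical drive on every boot instead of leaving it to the user — the "mount point does not exist" warning addressed later in this series is a symptom of exactly that; restore it as `/dev/cdrom /mnt/cdrom iso9660 noauto,ro,users,nodev,nosuid,noexec 0 0`. The switch from `user` to `users` is also undocumented in the commit: `users` lets any user unmount a disc mounted by someone else, whereas `user` restricts unmounting to the user who mounted it, so a one-line comment stating that this is intended would help. The explicit `nodev,nosuid,noexec` are already implied by `user`/`users`, but spelling them out is fine as defence in depth.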
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:51:09 -0500 Subject: [PATCH 1055/1650] no `nofail` mount option to avoid breaking the boot of a system unit testing belongs elsewhere https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index ee704c4..84ab4ad 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -1,32 +1,32 @@ -# +# -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 +/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 -proc /proc proc defaults 0 0 +proc /proc proc nofail,defaults 0 0 -/dev /dev devtmpfs bind,remount,nosuid,noexec 0 0 +/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 ## noexec optional -/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 +/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 ## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -/dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 +/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 -/boot /boot none bind,remount,nosuid,nodev,noexec 0 0 +/boot /boot none nofail,bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/tmp /tmp tmpfs bind,remount,nosuid,nodev,noexec 0 0 +/tmp /tmp tmpfs nofail,bind,remount,nosuid,nodev,noexec 0 0 -/var /var none bind,remount,nosuid,nodev 0 0 +/var /var none nofail,bind,remount,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none bind,remount,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none nofail,bind,remount,nosuid,nodev,noexec 0 0 -/var/log /var/log none bind,remount,nosuid,nodev,noexec 0 0 +/var/log /var/log none nofail,bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none bind,remount,nosuid,nodev,noexec 0 0 +/run /run none nofail,bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none bind,remount,nosuid,nodev,noexec 0 0 +/home /home none nofail,bind,remount,nosuid,nodev,noexec 0 0 From 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 Mon Sep 17 00:00:00 2001 
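Review bot: Adding `nofail` to every hardening entry makes the bind mounts fail open: if the `nosuid`/`nodev`/`noexec` mount of `/home`, `/tmp`, `/var` or `/dev` fails for any reason, boot proceeds silently with the directory reachable without the restrictions, which is the opposite of what these entries exist for. The subject line says "no `nofail` mount option" while the hunk adds it to every line, so one of the two appears inverted and the commit message should say which. `nofail` on the root entry is presumably a no-op since `/` is normally mounted by the initramfs before fstab is read, and the `/dev/cdrom` line is the only one here where `nofail` is clearly appropriate; if boot robustness is the goal, limit it to that entry and let the hardening entries fail hard so a missing restriction is noticed rather than hidden.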
From: Patrick Schleizer Date: Mon, 25 Dec 2023 10:28:47 -0500 Subject: [PATCH 1056/1650] remove superfluous, broken `remount` mount option https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 84ab4ad..a6b8ba7 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -13,20 +13,20 @@ proc /proc pr ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html /dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 -/boot /boot none nofail,bind,remount,nosuid,nodev,noexec 0 0 +/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/tmp /tmp tmpfs nofail,bind,remount,nosuid,nodev,noexec 0 0 +/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -/var /var none nofail,bind,remount,nosuid,nodev 0 0 +/var /var none nofail,bind,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none nofail,bind,remount,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 -/var/log /var/log none nofail,bind,remount,nosuid,nodev,noexec 0 0 +/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none nofail,bind,remount,nosuid,nodev,noexec 0 0 +/run /run none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none nofail,bind,remount,nosuid,nodev,noexec 0 0 +/home /home none nofail,bind,nosuid,nodev,noexec 0 0 From 971ff687b1423499c54495a03e5e6fafcbfefb2a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 10:30:35 -0500 Subject: [PATCH 1057/1650] do not mount /dev/cdrom by default https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
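Review bot: `remount` is removed from the entries from `/boot` downwards, but the `/dev` entry above this hunk keeps it (it still reads `nofail,bind,remount,nosuid,noexec` in the context lines of a later commit in this series), so the file now mixes both forms; drop it there too, `/dev /dev devtmpfs nofail,bind,nosuid,noexec 0 0`, or add a comment explaining why `/dev` is different. Whether a plain `bind` entry applies `nosuid,nodev,noexec` in one pass depends on the mount utility (util-linux since 2.27 performs the extra remount itself), so this should be confirmed on the target release with `findmnt -o TARGET,OPTIONS` rather than taken from the commit message.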
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index a6b8ba7..81eb612 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -11,7 +11,9 @@ proc /proc pr ## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 +## Commented out by default to prevent warning: +## mount: /mnt/cdrom: mount point does not exist. +#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 /boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 From c86c83cef760906a0d1c56ee8a8c744b2e07f212 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 10:31:58 -0500 Subject: [PATCH 1058/1650] formatting https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 81eb612..cec3399 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -15,20 +15,20 @@ proc /proc pr ## mount: /mnt/cdrom: mount point does not exist. #/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 -/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 +/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 +/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -/var /var none nofail,bind,nosuid,nodev 0 0 +/var /var none nofail,bind,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 -/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 +/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none nofail,bind,nosuid,nodev,noexec 0 0 +/run /run none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none nofail,bind,nosuid,nodev,noexec 0 0 +/home /home none nofail,bind,nosuid,nodev,noexec 0 0 From f64a869bfdd4c746afd206367885851946deb692 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 11:03:22 -0500 Subject: [PATCH 1059/1650] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48e285e..4ac4fb6 100644 --- a/README.md +++ b/README.md @@ -512,7 +512,7 @@ component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. Instead, specific security enhancements, like for example recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). +those appropriate areas of Kicksecure (e.g.`kicksecure-meta-packages`). Discussion: https://github.com/Kicksecure/security-misc/issues/154 From e15596e7af6fc645dd652c043397baaa91954915 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 25 Dec 2023 16:28:10 +0000 Subject: [PATCH 1060/1650] bumped changelog version --- changelog.upstream | 148 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 154 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2cf4a5b..5280bc6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,151 @@ +commit f64a869bfdd4c746afd206367885851946deb692 +Author: Patrick Schleizer +Date: Mon Dec 25 11:03:22 2023 -0500 + + readme + +commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 +Author: Patrick Schleizer +Date: Mon Dec 25 10:31:58 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 971ff687b1423499c54495a03e5e6fafcbfefb2a +Author: Patrick Schleizer +Date: Mon Dec 25 10:30:35 2023 -0500 + + do not mount /dev/cdrom by default + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 +Author: Patrick Schleizer +Date: Mon Dec 25 10:28:47 2023 -0500 + + remove superfluous, broken `remount` mount option + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 +Author: Patrick Schleizer +Date: Mon Dec 25 09:51:09 2023 -0500 + + no `nofail` mount option to avoid breaking the boot of a system + + unit testing belongs elsewhere + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 +Author: Patrick Schleizer +Date: Mon Dec 25 09:46:33 2023 -0500 + + comment + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 2b7aeedb4a543d0a43a35918999338097d13bb16 +Author: Patrick Schleizer +Date: Mon Dec 25 09:44:51 2023 -0500 + + mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and + nodev,nosuid,noexec + + as per: + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0d9e9780daca563a726470a3a5d6fa8c20487240 +Author: Patrick Schleizer +Date: Mon Dec 25 09:37:14 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 00f9ab43947795c1144d797547968c7c149d6f21 +Author: Patrick Schleizer +Date: Mon Dec 25 09:36:05 2023 -0500 + + /dev devtmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 
55709b3aa0acd6cad0c9fedb8782c49fbea79689 +Author: Patrick Schleizer +Date: Mon Dec 25 09:30:57 2023 -0500 + + /tmp tmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit b0dd967611c27f5b8e2472bb74a664aead7a229e +Author: Patrick Schleizer +Date: Mon Dec 25 09:27:45 2023 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 269fada14a616c53d7421e88e662f6893eb1fd88 +Author: Patrick Schleizer +Date: Mon Dec 25 09:25:14 2023 -0500 + + combine bind lines + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 +Author: Patrick Schleizer +Date: Mon Dec 25 09:10:31 2023 -0500 + + fix bluetooth in readme + + fixes https://github.com/Kicksecure/security-misc/issues/180 + +commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 +Author: Patrick Schleizer +Date: Mon Dec 25 09:04:10 2023 -0500 + + readme + +commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 +Author: Patrick Schleizer +Date: Mon Dec 25 08:45:20 2023 -0500 + + formatting + +commit c90ada3c398205227d906e2b2108d36d92edcf3c +Author: Patrick Schleizer +Date: Mon Dec 25 08:37:23 2023 -0500 + + pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md + +commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 +Author: Patrick Schleizer +Date: Mon Dec 25 08:32:34 2023 -0500 + + formatting + +commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 +Author: Patrick Schleizer +Date: Mon Dec 25 08:26:03 2023 -0500 + + improve bluetooth in readme + + as suggested by @monsieuremre + + https://github.com/Kicksecure/security-misc/issues/180 + +commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf +Author: Patrick Schleizer +Date: Fri Dec 22 16:31:58 2023 +0000 + + bumped changelog version + commit f70a034da2b4b615855504e7080baf1a7e7b461c Author: Patrick Schleizer Date: Fri Dec 22 08:31:58 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 74ad652..a99c2c3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:34.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 + security-misc (3:34.6-1) unstable; urgency=medium * New upstream version (local package). From 5b36599c0ce35857239c82459828db1ec4215411 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 29 Dec 2023 14:57:38 -0500 Subject: [PATCH 1061/1650] /dev/, /dev/shm, /tmp https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 --- usr/share/doc/security-misc/fstab-vm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index cec3399..e02a087 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -5,9 +5,11 @@ proc /proc proc nofail,defaults 0 0 /dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 +#udev /dev devtmpfs defaults,nosuid,noexec 0 0 ## noexec optional /dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 +#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 ## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html @@ -19,6 +21,7 @@ proc /proc pr ## noexec optional /tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 +#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 /var /var none nofail,bind,nosuid,nodev 0 0 @@ -32,3 +35,6 @@ proc /proc pr ## noexec optional /home /home none nofail,bind,nosuid,nodev,noexec 0 0 + +## TODO: +#/sys From 94c0e26a082f61f71e89b1fb7386a58166ffa411 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 29 Dec 2023 20:15:50 +0000 Subject: [PATCH 1062/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5280bc6..00f98f1 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,17 @@ +commit 5b36599c0ce35857239c82459828db1ec4215411 +Author: Patrick Schleizer +Date: Fri Dec 29 14:57:38 2023 -0500 + + /dev/, /dev/shm, /tmp + + https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 + +commit e15596e7af6fc645dd652c043397baaa91954915 +Author: Patrick Schleizer +Date: Mon Dec 25 16:28:10 2023 +0000 + + bumped changelog version + commit f64a869bfdd4c746afd206367885851946deb692 Author: Patrick Schleizer Date: Mon Dec 25 11:03:22 2023 -0500 diff --git a/debian/changelog b/debian/changelog index a99c2c3..5c393ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:34.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 + security-misc (3:34.7-1) unstable; urgency=medium * New upstream version (local package). From f138cf0f78c03e3952801d01d25d5f8065ff1457 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 2 Jan 2024 12:17:16 +0100 Subject: [PATCH 1063/1650] Refactor permission-hardener - Organize comments from default configuration; - Apply and undo changes from a single file controlled by parameters; - Arrays should be evaluated as arrays and not normal variables; - Quote variables; - Brackets around variables; - Standardize test cases to "test" command; - Test against empty or non-empty variables with "-z" and "-n"; - Show a usage message when necessary; - Require root to run the script with informative message; - Permit the user to see the help message without running as root; - Do not create root directories without passing root check; - Use long options for "set" command; --- etc/permission-hardening.d/30_default.conf | 31 +- usr/bin/permission-hardening | 1043 +++++++++++--------- usr/bin/permission-hardening-undo | 136 --- 3 files changed, 615 insertions(+), 595 deletions(-) delete mode 100755 usr/bin/permission-hardening-undo 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 8ff51c9..b6e4aeb 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or @@ -9,10 +9,8 @@ ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] +## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] ## -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. - ## TODO: white spaces inside file name untested and probably will not work. ###################################################################### @@ -22,13 +20,9 @@ #whitelists_disable_all=true ###################################################################### -# SUID disablewhitelist +# SUID disables below (or in lexically higher) files: disablewhitelist ###################################################################### -## disablewhitelist disables below (or in lexically higher) files -## exactwhitelist and matchwhitelist. Add these here (discouraged) or better -## in file "/etc/permission-hardening.d/20_user.conf". - ## For example, if you are not using SELinux the following might make sense to ## enable. TODO: research #/utempter/utempter disablewhitelist @@ -37,7 +31,7 @@ #/fusermount disablewhitelist ###################################################################### -# SUID exact match whitelist +# SUID whitelist matches full path: exactwhitelist ###################################################################### ## In case you need to use 'su'. See also: 
@@ -45,10 +39,6 @@ #/bin/su exactwhitelist #/usr/bin/su exactwhitelist -###################################################################### -# SUID exact match whitelist -###################################################################### - ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## http://forums.whonix.org/t/permission-hardening/8655/25 @@ -56,12 +46,12 @@ #/lib/xorg/Xorg.wrap whitelist ###################################################################### -# SUID regex match whitelist +# SUID whitelist matches in any section of the path: matchwhitelist ###################################################################### -###################################################################### -# SUID regex match whitelist -###################################################################### +## Examples below are already configured: +#ssh-agent matchwhitelist +#/lib/openssh matchwhitelist ###################################################################### # Permission Hardening @@ -95,9 +85,12 @@ /etc/passwd- 0644 root root ###################################################################### -# SUID/SGID Removal +# SUID/SGID Removal: nosuid ###################################################################### +## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" +## argument. +## ## Remove all SUID/SGID binaries/libraries. /bin/ nosuid diff --git a/usr/bin/permission-hardening b/usr/bin/permission-hardening index aa95cbf..7673dd7 100755 --- a/usr/bin/permission-hardening +++ b/usr/bin/permission-hardening 
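Review bot: The retained example `#/lib/xorg/Xorg.wrap whitelist` uses the keyword `whitelist`, which is not one of the forms in the syntax line this commit adds (`exactwhitelist|matchwhitelist|disablewhitelist|nosuid`); a user uncommenting it as written gets either a parse error or a silently ignored line, depending on how the parser handles unknown keywords, and in the latter case `Xorg.wrap` would lose its SUID bit unexpectedly. Change it to `#/lib/xorg/Xorg.wrap exactwhitelist` (or the `/usr/lib/xorg/Xorg.wrap` path on a usrmerged system) so the example matches the documented grammar.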
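Review bot: The new heading describes `matchwhitelist` as matching "in any section of the path", and the examples `ssh-agent` and `/lib/openssh` make the consequence worth spelling out: any SUID/SGID file whose full path merely contains that substring — a differently named binary under a directory containing `openssh`, or any file named `*ssh-agent*` in the scanned trees — keeps its bits. A caveat in the comment would steer users toward the narrower form: `## matchwhitelist is a substring match on the full path; prefer exactwhitelist for single binaries.` The matching code itself is outside this hunk, so the exact semantics (substring versus regex) should be confirmed against the script before wording the caveat.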
@@ -1,510 +1,673 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 ## To undo: -## sudo /usr/libexec/security-misc/permission-hardening-undo +## sudo permission-hardening disable -#set -x -set -e -set -o pipefail +set -o errexit -o nounset -o pipefail exit_code=0 - -mkdir --parents /var/lib/permission-hardening/private -mkdir --parents /var/lib/permission-hardening/existing_mode -mkdir --parents /var/lib/permission-hardening/new_mode -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" +store_dir="/var/lib/permission-hardening" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" echo_wrapper_ignore() { - echo "run: $@" - "$@" 2>/dev/null || true + echo "run: $*" + "$@" 2>/dev/null || true } echo_wrapper_silent_ignore() { - #echo "run: $@" - "$@" 2>/dev/null || true + #echo "run: $@" + "$@" 2>/dev/null || true } echo_wrapper_audit() { - echo "run: $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" ; \ - exit_code=203 ; \ - echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; + echo "run: $*" + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } } echo_wrapper_silent_audit() { - #echo "run (debugging): $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" 
; \ - exit_code=204 ; \ - echo "ERROR: above command '$@' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; + #echo "run (debugging): $@" + return_code=0 + "$@" || + { + return_code="$?" + exit_code=204 + echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +make_store_dir(){ + mkdir --parents "${store_dir}/private" + mkdir --parents "${store_dir}/existing_mode" + mkdir --parents "${store_dir}/new_mode" } sanity_tests() { - echo_wrapper_silent_audit which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + echo_wrapper_silent_audit which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="$fso" - local should_be_counter - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true - local counter_actual - counter_actual=0 + local fso_to_process + fso_to_process="${fso}" + local should_be_counter + should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s | wc -l)" || true + local counter_actual + counter_actual=0 - local line - while read -r line; do - true "line: $line" - counter_actual="$(( counter_actual + 1 ))" + local line + while read -r line; do + true "line: ${line}" + counter_actual="$((counter_actual + 1))" + + local arr file_name existing_mode existing_owner existing_group + IFS=" " read -r -a arr <<< "${line}" + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if test "${#arr[@]}" = 0; then + echo "ERROR: arr is empty. line: '${line}'" >&2 + continue + fi + if test -z "${file_name}"; then + echo "ERROR: file_name is empty. line: '${line}'" >&2 + continue + fi + if test -z "${existing_mode}"; then + echo "ERROR: existing_mode is empty. 
line: '${line}'" >&2 + continue + fi + if test -z "${existing_owner}"; then + echo "ERROR: existing_owner is empty. line: '${line}'" >&2 + continue + fi + if test -z "${existing_group}"; then + echo "ERROR: existing_group is empty. line: '${line}'" >&2 + continue + fi + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. + + if test -h "${file_name}"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + true "skip symlink: ${file_name}" + continue + fi + + if test -d "${file_name}"; then + true "skip directory: ${file_name}" + continue + fi + + local setuid setuid_output setsgid setsgid_output + setuid="" + setuid_output="" + if test -u "${file_name}"; then + setuid=true + setuid_output="set-user-id" + fi + setsgid="" + setsgid_output="" + if test -g "${file_name}"; then + setsgid=true + setsgid_output="set-group-id" + fi + + local setuid_or_setsgid + setuid_or_setsgid="" + if test "${setuid}" = "true" || test "${setsgid}" = "true"; then + setuid_or_setsgid=true + fi + if test -z "${setuid_or_setsgid}"; then + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in ${exact_white_list}; do + if test "${file_name}" = "${white_list_entry}"; then + is_exact_whitelisted="true" + ## Stop looping through the whitelist. 
+ break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in ${match_white_list}; do + if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then + is_match_whitelisted="true" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in ${disable_white_list:-}; do + if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then + is_disable_whitelisted="true" + ## Stop looping through the disablewhitelist. + break + fi + done + + if test "${whitelists_disable_all:-}" = "true"; then + true "INFO: whitelists_disable_all=true - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + elif test "${is_disable_whitelisted}" = "true"; then + true "INFO: white list disabled - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + else + if test "${is_exact_whitelisted}" = "true"; then + true "INFO: SKIP whitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + continue + fi + if test "${is_match_whitelisted}" = "true"; then + true "INFO: SKIP matchwhitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | matchwhite_list_entry: '${matchwhite_list_entry}'" + continue + fi + fi + + echo "INFO: ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | new_mode: '${new_mode}'" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then + true "OK Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this + ## point. Since existing_mode is incorrect, remove from dpkg-statoverride + ## and re-add. + + ## Remove from real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}" + + ## Remove from separate database. + # shellcheck disable=SC2086 + echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## Not using --update as this is only for recording. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + + ## Sanity test. + if test ! "${should_be_counter}" = "${counter_actual}"; then + echo "INFO: fso_to_process: '${fso_to_process}' | counter_actual : '${counter_actual}'" + echo "INFO: fso_to_process: '${fso_to_process}' | should_be_counter: '${should_be_counter}'" + exit_code=202 + echo "ERROR: counter does not check out." 
>&2 + fi +} + +set_file_perms() { + true "INFO: START parsing config_file: '${config_file}'" + local line + while read -r line || test -n "${line}"; do + if test -z "${line}"; then + continue + fi + + if [[ "${line}" =~ ^# ]]; then + continue + fi + + if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + true "OK line contains only white listed characters." + else + exit_code=200 + echo "ERROR: cannot parse line with invalid character. line: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if test "${line}" = 'whitelists_disable_all=true'; then + whitelists_disable_all=true + echo "INFO: whitelists_disable_all=true - all whitelists disabled." + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then + exit_code=201 + echo "ERROR: cannot parse. line: '${line}'" >&2 + ## Debugging. + du -hs /tmp || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + ## Debugging. 
+ #echo "line: '${line}'" + #echo "fso: '${fso}'" + #echo "mode_from_config: '${mode_from_config}'" + #echo "owner_from_config: '${owner_from_config}'" + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + if test "${mode_from_config}" = "disablewhitelist"; then + ## TODO: test/add white spaces inside file name support + disable_white_list+="${fso} " + continue + fi + + if test "${mode_from_config}" = "exactwhitelist"; then + ## TODO: test/add white spaces inside file name support + exact_white_list+="${fso} " + continue + fi + + if test "${mode_from_config}" = "matchwhitelist"; then + ## TODO: test/add white spaces inside file name support + match_white_list+="${fso} " + continue + fi + + if test ! -e "${fso}"; then + true "INFO: fso: '${fso}' - does not exist. This is likely normal." + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if test "${mode_from_config}" = "nosuid"; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if test "${string_length_of_mode_from_config}" -gt "4"; then + echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + continue + fi + if test "${string_length_of_mode_from_config}" -lt "3"; then + echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + continue + fi + + if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then + echo "ERROR: owner_from_config '${owner_from_config}' does not exist!" >&2 + continue + fi + + if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then + echo "ERROR: group_from_config '${group_from_config}' does not exist!" 
>&2 + continue + fi + + local mode_for_grep + mode_for_grep="${mode_from_config}" + first_character_of_mode_from_config="${mode_from_config::1}" + if test "${first_character_of_mode_from_config}" = "0"; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + local stat_output + stat_output="" + if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '${fso_without_trailing_slash}'!" >&2 + continue + fi local arr file_name existing_mode existing_owner existing_group - arr=($line) + IFS=" " read -r -a arr <<< "${stat_output}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" existing_group="${arr[3]}" - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. line: '$line'" >&2 - continue + if test "${#arr[@]}" = 0; then + echo "ERROR: arr is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. line: '$line'" >&2 - continue + if test -z "${file_name}"; then + echo "ERROR: file_name is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. line: '$line'" >&2 - continue + if test -z "${existing_mode}"; then + echo "ERROR: existing_mode is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. line: '$line'" >&2 - continue + if test -z "${existing_owner}"; then + echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_group" = "" ]; then - echo "ERROR: existing_group is empty. line: '$line'" >&2 - continue + if test -z "${existing_group}"; then + echo "ERROR: ${existing_group} is empty. 
stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { + dpkg_statoverride_list_exit_code=$? + true + } - if test -h "$file_name" ; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "skip symlink: $file_name" - continue - fi + if test "${dpkg_statoverride_list_exit_code}" = "0"; then + true "There is an fso entry. Check if owner/group/mode match." + local grep_line + grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then + true "OK The owner/group/mode matches. No further action required." + else + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" - if test -d "$file_name" ; then - true "skip directory: $file_name" - continue - fi + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi - local setuid setuid_output setsgid setsgid_output - setuid="" - setuid_output="" - if test -u "$file_name" ; then - setuid=true - setuid_output="set-user-id" - fi - setsgid="" - setsgid_output="" - if test -g "$file_name" ; then - setsgid=true - setsgid_output="set-group-id" - fi + # shellcheck disable=SC2086 + echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - local setuid_or_setsgid - setuid_or_setsgid="" - if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then - setuid_or_setsgid=true - fi - if [ "$setuid_or_setsgid" = "" ]; then - continue - fi + ## Remove from and add to real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' fail closed rather - ## than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in $exact_white_list ; do - if [ "$file_name" = "$white_list_entry" ]; then - is_exact_whitelisted="true" - ## Stop looping through the whitelist. 
- break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in $match_white_list ; do - if echo "$file_name" | grep --quiet --fixed-strings "$matchwhite_list_entry" ; then - is_match_whitelisted="true" - ## Stop looping through the match_white_list. - break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in $disable_white_list ; do - if echo "$file_name" | grep --quiet --fixed-strings "$disablematch_list_entry" ; then - is_disable_whitelisted="true" - ## Stop looping through the disablewhitelist. - break - fi - done - - if [ "$whitelists_disable_all" = "true" ]; then - true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - elif [ "$is_disable_whitelisted" = "true" ]; then - true "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi else - if [ "$is_exact_whitelisted" = "true" ]; then - true "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue - fi - if [ "$is_match_whitelisted" = "true" ]; then - true "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" - continue - fi + true "There is no fso entry. Therefore add one." 
+ + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + ## Add to real database. + echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + fi + if test -z "${capability_from_config}"; then + continue + fi + + if test "${capability_from_config}" = "none"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + ## sudo setcap -r /bin/ping 2>/dev/null + ## Failed to set capabilities on file '/bin/ping' (No data available) + ## The value of the capability argument is not permitted for a file. Or + ## the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + echo_wrapper_ignore setcap -r "${fso}" + getcap_output="$(getcap "${fso}")" + if test -n "${getcap_output}"; then + exit_code=205 + echo "ERROR: removing capabilities for fso '${fso}' failed!" >&2 + continue + fi + else + if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then + echo "ERROR: capability_from_config '${capability_from_config}' does not exist!" 
>&2 + continue fi - echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this point. - ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. - - ## Remove from real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" - - ## Remove from separate database. - echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## Not using --update as this is only for recording. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - - ## Sanity test. - if [ ! 
"$should_be_counter" = "$counter_actual" ]; then - echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" - echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" - exit_code=202 - echo "ERROR: counter does not check out." >&2 - fi -} - -set_file_perms() { - true "INFO: START parsing config_file: '$config_file'" - local line - while read -r line || [[ -n "${line}" ]]; do - if [ "$line" = "" ]; then - continue - fi - - if [[ "$line" =~ ^# ]]; then - continue - fi - - if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." - else - exit_code=200 - echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - if [ "$line" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse. line: '$line'" >&2 - ## Debugging. - du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - ## Debugging. 
- #echo "line: '$line'" - #echo "fso: '$fso'" - #echo "mode_from_config: '$mode_from_config'" - #echo "owner_from_config: '$owner_from_config'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - if [ "$mode_from_config" = "disablewhitelist" ]; then - ## TODO: test/add white spaces inside file name support - disable_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "exactwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "matchwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - match_white_list+="$fso " - continue - fi - - if [ ! -e "$fso" ]; then - true "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if [ "$mode_from_config" = "nosuid" ]; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if [ "$string_length_of_mode_from_config" -gt "4" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - if [ "$string_length_of_mode_from_config" -lt "3" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - - if ! grep --quiet --fixed-strings "${owner_from_config}:" /var/lib/permission-hardening/private/passwd ; then - echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 - continue - fi - - if ! grep --quiet --fixed-strings "${group_from_config}:" /var/lib/permission-hardening/private/group ; then - echo "ERROR: group_from_config '$group_from_config' does not exist!" 
>&2 - continue - fi - - local mode_for_grep - mode_for_grep="$mode_from_config" - first_character_of_mode_from_config="${mode_from_config::1}" - if [ "$first_character_of_mode_from_config" = "0" ]; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - local stat_output - stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 - continue - fi - - local arr file_name existing_mode existing_owner existing_group - arr=($stat_output) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? ; true; }; - - if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then - true "There is an fso entry. Check if owner/group/mode match." 
- local grep_line - grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" - if echo "$dpkg_statoverride_list_output" | grep --quiet --fixed-strings "$grep_line" ; then - true "OK The owner/group/mode matches. No further action required." - else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" - - ## Remove from and add to real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - else - true "There is no fso entry. Therefore add one." - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. 
- ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - fi - if [ "$capability_from_config" = "" ]; then - continue - fi - - if [ "$capability_from_config" = "none" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - # sudo setcap -r /bin/ping 2>/dev/null - # Failed to set capabilities on file '/bin/ping' (No data available) - # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore setcap -r "$fso" - getcap_output="$(getcap "$fso")" - if [ ! "$getcap_output" = "" ]; then - exit_code=205 - echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 - continue - fi - else - if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "$capability_from_config" ; then - echo "ERROR: capability_from_config '$capability_from_config' does not exist!" 
>&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" - fi - done < "$config_file" - true "INFO: END parsing config_file: '$config_file'" + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}" + fi + done <"${config_file}" + true "INFO: END parsing config_file: '${config_file}'" } parse_config_folder() { - touch /var/lib/permission-hardening/private/passwd - chmod og-rwx /var/lib/permission-hardening/private/passwd - touch /var/lib/permission-hardening/private/group - chmod og-rwx /var/lib/permission-hardening/private/group + touch "${store_dir}/private/passwd" + chmod og-rwx "${store_dir}/private/passwd" + touch "${store_dir}/private/group" + chmod og-rwx "${store_dir}/private/group" local passwd_file_contents_temp - # Query contents of password and group databases only once and buffer them - # - # If we don't buffer we sometimes get incorrect results when checking for entries using - # 'if getent passwd | grep --quiet '^root:'; ...' since 'grep' exits after the first match in - # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since - # 'set -o pipefail' is set for this script. + ## Query contents of password and group databases only once and buffer them + ## + ## If we don't buffer we sometimes get incorrect results when checking for + ## entries using 'if getent passwd | grep --quiet '^root:'; ...' since + ## 'grep' exits after the first match in this case causing 'getent' to + ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is + ## set for this script. 
passwd_file_contents_temp=$(getent passwd) - echo "$passwd_file_contents_temp" | tee /var/lib/permission-hardening/private/passwd >/dev/null + echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null group_file_contents_temp=$(getent group) - echo "$group_file_contents_temp" | tee /var/lib/permission-hardening/private/group >/dev/null + echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null - passwd_file_contents=$(cat /var/lib/permission-hardening/private/passwd) - group_file_contents=$(cat /var/lib/permission-hardening/private/group) + passwd_file_contents="$(cat "${store_dir}/private/passwd")" + group_file_contents="$(cat "${store_dir}/private/group")" shopt -s nullglob - for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do + for config_file in \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do set_file_perms done } -sanity_tests -parse_config_folder +apply() { + check_root + make_store_dir + sanity_tests + parse_config_folder -echo "\ + echo "\ INFO: To compare the current and previous permission modes: -1. Install 'meld' (or similar) for an easier comparison of file changes: - sudo apt install --no-install-recommends meld + Install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld -2. Use 'meld' to view the differences: - meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride" + Use 'meld' or another diff tool to view the differences: + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} -if [ ! 
"$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +spare() { + check_root + make_store_dir + + remove_file="${1}" + exit_code=0 + dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" + dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" + + if test ! -f "${store_dir}/existing_mode/statoverride"; then + return 0 + fi + + local line + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! read -r owner group mode file_name <<< "${line}"; then + exit_code=201 + echo "ERROR: cannot parse line: ${line}" >&2 + continue + fi + true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'" + + if test "${remove_file}" = "all"; then + proceed=true + verbose="" + remove_one=false + else + if test "${remove_file}" = "${file_name}"; then + proceed=true + verbose="--verbose" + remove_one=true + else + proceed=false + verbose="" + fi + fi + + if test "${proceed}" = "false"; then + continue + fi + + if test "${remove_one}" = "true"; then + set -o xtrace + fi + + if test -e "${file_name}"; then + chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 + else + echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal." 
+ fi + + dpkg-statoverride --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true + + if test "${remove_one}" = "true"; then + set +o xtrace + break + fi + + done < "${store_dir}/existing_mode/statoverride" + + if test ! "${remove_file}" = "all"; then + if test ! "${remove_one}" = "true"; then + echo "INFO: no file removed. + + File '${remove_file}' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + + Note: This is expected if already done earlier. + + Note: This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp + + The following syntax will not work: + $0 disable program-name + + The following example will not work: + $0 disable newgrp + + To remove all: + $0 disable all + + This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi + fi +} + +check_root(){ + if test "$(id -u)" != "0"; then + echo "ERROR: Not running as root, aborting." 
+ exit 1 + fi +} + +usage(){ + echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 + exit "${1}" +} + +case "${1:-}" in + enable) shift; apply "$@";; + disable) + shift + case "${1:-}" in + "") usage;; + *) spare "${1}";; + esac + ;; + -h|--help) usage 0;; + *) usage 1;; +esac + +if test "${exit_code}" != "0"; then + echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2 fi -exit "$exit_code" +exit "${exit_code}" diff --git a/usr/bin/permission-hardening-undo b/usr/bin/permission-hardening-undo deleted file mode 100755 index ca22500..0000000 --- a/usr/bin/permission-hardening-undo +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#set -x -set -e -set -o pipefail - -if [ "$1" = "all" ]; then - remove_file="all" -elif [ ! "$1" = "" ]; then - remove_file="$1" -else - echo "ERROR: need to give parameter 'all' or a filename. - -examples: - -$0 all - -$0 /usr/bin/newgrp - " >&2 -fi - -exit_code=0 - -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" - -undo_permission_hardening() { - if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then - return 0 - fi - - local line - - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device - - local owner group mode file_name - if ! read -r owner group mode file_name <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 - continue - fi - true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" - - if [ "$remove_file" = "all" ]; then - do_proceed=true - verbose_maybe="" - else - if [ "$remove_file" = "$file_name" ]; then - do_proceed=true - verbose_maybe="--verbose" - remove_one=true - else - do_proceed=false - verbose_maybe="" - fi - fi - - if [ "$do_proceed" = "false" ]; then - continue - fi - - if [ "$remove_one" = "true" ]; then - set -x - fi - - if test -e "$file_name" ; then - chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 - else - echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." 
- fi - - dpkg-statoverride --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true - - if [ "$remove_one" = "true" ]; then - set +x - break - fi - - done < "/var/lib/permission-hardening/existing_mode/statoverride" -} - -undo_permission_hardening - -if [ ! "$remove_file" = "all" ]; then - if [ ! "$remove_one" = "true" ]; then - echo "INFO: none removed. - -File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. - -Note: This is expected if already done earlier. - -Note: This program expects the full path to the file. Example: - -$0 /usr/bin/newgrp - -The following syntax will not work: - -$0 program-name - -The following example will not work: - -$0 newgrp - -To remove all: - -$0 all - -This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - -To view list of changed by SUID Disabler and Permission Hardener: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - -For re-enabling any specific SUID binary: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - -For completely disabling SUID Disabler and Permission Hardener: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -fi - -if [ ! "$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 -fi - -exit "$exit_code" From abf72c2ee4286ec069f75e66acf05a42f3645c89 Mon Sep 17 00:00:00 2001 
From: Ben Grande
Date: Tue, 2 Jan 2024 13:34:29 +0100
Subject: [PATCH 1064/1650] Rename file permission hardening script
Hardener as the script is the agent that is hardening the file permissions.
---
 README.md | 10 +++++-----
 debian/security-misc.postinst | 6 +++---
 .../25_default_passwd.conf | 4 ++--
 .../25_default_sudo.conf | 4 ++--
 .../25_default_whitelist_bubblewrap.conf | 4 ++--
 .../25_default_whitelist_chromium.conf | 4 ++--
 .../25_default_whitelist_dbus.conf | 4 ++--
 .../25_default_whitelist_firejail.conf | 4 ++--
 .../25_default_whitelist_fuse.conf | 4 ++--
 .../25_default_whitelist_hardened_malloc.conf | 4 ++--
 .../25_default_whitelist_mount.conf | 4 ++--
 .../25_default_whitelist_pam.conf | 4 ++--
 .../25_default_whitelist_policykit.conf | 4 ++--
 .../25_default_whitelist_qubes.conf | 4 ++--
 .../25_default_whitelist_selinux.conf | 4 ++--
 .../25_default_whitelist_spice.conf | 4 ++--
 .../25_default_whitelist_ssh.conf | 4 ++--
 .../25_default_whitelist_sudo.conf | 4 ++--
 .../25_default_whitelist_unix_chkpwd.conf | 4 ++--
 .../25_default_whitelist_virtualbox.conf | 4 ++--
 .../30_default.conf | 8 ++++----
 lib/systemd/system-preset/50-security-misc.preset | 2 +-
 ...n-hardening.service => permission-hardener.service} | 2 +-
 usr/bin/{permission-hardening => permission-hardener} | 9 ++++-----
 24 files changed, 54 insertions(+), 55 deletions(-)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_passwd.conf (80%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_sudo.conf (89%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_bubblewrap.conf (66%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_chromium.conf (63%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_dbus.conf (64%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_firejail.conf (74%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_fuse.conf (72%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_hardened_malloc.conf (68%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_mount.conf (81%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_pam.conf (69%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_policykit.conf (79%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_qubes.conf (81%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_selinux.conf (64%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_spice.conf (65%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_ssh.conf (69%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_sudo.conf (65%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_unix_chkpwd.conf (74%)
 rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_virtualbox.conf (77%)
 rename etc/{permission-hardening.d => permission-hardener.d}/30_default.conf (94%)
 rename lib/systemd/system/{permission-hardening.service => permission-hardener.service} (93%)
 rename usr/bin/{permission-hardening => permission-hardener} (99%)
diff --git a/README.md b/README.md
index 4ac4fb6..a46b30a 100644
--- a/README.md
+++ b/README.md
@@ -430,23 +430,23 @@ include but are not limited to: - Protecting the information of sudoers from others. - Protecting various system relevant files and modules. -##### permission-hardening ##### +##### permission-hardener ##### `permission-hardener` removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It runs at package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardening.service` as +can be enabled by running `systemctl enable permission-hardener.service` as root. The hardening at boot time is not the default because this slows down the boot too much. See: -* `/usr/bin/permission-hardening` +* `/usr/bin/permission-hardener` * `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardening.service` -* `/etc/permission-hardening.d` +* `/lib/systemd/system/permission-hardener.service` +* `/etc/permission-hardener.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 7cd54c2..da358e3 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -20,8 +20,8 @@ permission_hardening() {
 echo "Running SUID Disabler and Permission Hardener... See also:"
 echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
 echo ""
- echo "$0: INFO: running: permission-hardening"
- if ! permission-hardening ; then
+ echo "$0: INFO: running: permission-hardener"
+ if ! permission-hardener ; then
 echo "$0: ERROR: Permission hardening failed." >&2
 return 0
 fi
@@ -59,7 +59,7 @@ esac
 pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
-permission_hardening
+permission_hardener
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
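Review bot: The `@@ -59,7 +59,7 @@` hunk of debian/security-misc.postinst renames the call to `permission_hardener`, but the function it invokes is still declared as `permission_hardening()` — that declaration is visible only as the header context of the `@@ -20,8 +20,8 @@` hunk, i.e. it lies outside the hunk and is not touched, and the diffstat for this file (3 insertions, 3 deletions) leaves no room for a matching change elsewhere. As committed, the maintainer script would reach an undefined shell function at configure time; depending on shell options set earlier in the file (not visible here) that either aborts package configuration or, worse, lets the install finish with the hardener never having run, which is exactly the silent failure a security package should not have. Either rename the definition to match, `permission_hardener() {`, or keep the call as `permission_hardening`; the first hunk's own message `Permission hardening failed.` is prose and can stay as is.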
diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardener.d/25_default_passwd.conf
similarity index 80%
rename from etc/permission-hardening.d/25_default_passwd.conf
rename to etc/permission-hardener.d/25_default_passwd.conf
index 32fd72e..dcd403f 100644
--- a/etc/permission-hardening.d/25_default_passwd.conf
+++ b/etc/permission-hardener.d/25_default_passwd.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 # Keep the `passwd` utility executable to prevent issues with the
diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardener.d/25_default_sudo.conf
similarity index 89%
rename from etc/permission-hardening.d/25_default_sudo.conf
rename to etc/permission-hardener.d/25_default_sudo.conf
index 67be9ac..6a1cf21 100644
--- a/etc/permission-hardening.d/25_default_sudo.conf
+++ b/etc/permission-hardener.d/25_default_sudo.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## https://forums.whonix.org/t/restrict-root-access/7658/116
diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
similarity index 66%
rename from etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
rename to etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
index 2ffc8c2..071e724 100644
--- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 /usr/bin/bwrap exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardener.d/25_default_whitelist_chromium.conf
similarity index 63%
rename from etc/permission-hardening.d/25_default_whitelist_chromium.conf
rename to etc/permission-hardener.d/25_default_whitelist_chromium.conf
index 5244b2c..db6f8ea 100644
--- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_chromium.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 chrome-sandbox matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardener.d/25_default_whitelist_dbus.conf
similarity index 64%
rename from etc/permission-hardening.d/25_default_whitelist_dbus.conf
rename to etc/permission-hardener.d/25_default_whitelist_dbus.conf
index e1325ff..2997915 100644
--- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_dbus.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 dbus-daemon-launch-helper matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardener.d/25_default_whitelist_firejail.conf
similarity index 74%
rename from etc/permission-hardening.d/25_default_whitelist_firejail.conf
rename to etc/permission-hardener.d/25_default_whitelist_firejail.conf
index 99608df..a56cb23 100644
--- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_firejail.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## There is a controversy about firejail but those who choose to install it
diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardener.d/25_default_whitelist_fuse.conf
similarity index 72%
rename from etc/permission-hardening.d/25_default_whitelist_fuse.conf
rename to etc/permission-hardener.d/25_default_whitelist_fuse.conf
index 1293214..4affc6a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_fuse.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## required for AppImages such as electrum Bitcoin wallet
diff --git a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
similarity index 68%
rename from etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
rename to etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
index 4934ff0..6cc01fe 100644
--- a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 libhardened_malloc.so matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
similarity index 81%
rename from etc/permission-hardening.d/25_default_whitelist_mount.conf
rename to etc/permission-hardener.d/25_default_whitelist_mount.conf
index 1557318..ce7d014 100644
--- a/etc/permission-hardening.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
diff --git a/etc/permission-hardening.d/25_default_whitelist_pam.conf b/etc/permission-hardener.d/25_default_whitelist_pam.conf
similarity index 69%
rename from etc/permission-hardening.d/25_default_whitelist_pam.conf
rename to etc/permission-hardener.d/25_default_whitelist_pam.conf
index bf518ff..7348e0c 100644
--- a/etc/permission-hardening.d/25_default_whitelist_pam.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_pam.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## Without this, Xfce fails to start with a dbus-launch error.
diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardener.d/25_default_whitelist_policykit.conf
similarity index 79%
rename from etc/permission-hardening.d/25_default_whitelist_policykit.conf
rename to etc/permission-hardener.d/25_default_whitelist_policykit.conf
index fb4fa86..032c6b2 100644
--- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_policykit.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 /usr/bin/pkexec exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardener.d/25_default_whitelist_qubes.conf
similarity index 81%
rename from etc/permission-hardening.d/25_default_whitelist_qubes.conf
rename to etc/permission-hardener.d/25_default_whitelist_qubes.conf
index 7a5c968..ad8592a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_qubes.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## TODO: research
diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardener.d/25_default_whitelist_selinux.conf
similarity index 64%
rename from etc/permission-hardening.d/25_default_whitelist_selinux.conf
rename to etc/permission-hardener.d/25_default_whitelist_selinux.conf
index f0464b9..2a5686a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_selinux.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 /utempter/utempter matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardener.d/25_default_whitelist_spice.conf
similarity index 65%
rename from etc/permission-hardening.d/25_default_whitelist_spice.conf
rename to etc/permission-hardener.d/25_default_whitelist_spice.conf
index 394b173..a8b7f7a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_spice.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_spice.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 spice-client-glib-usb-acl-helper matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_ssh.conf b/etc/permission-hardener.d/25_default_whitelist_ssh.conf
similarity index 69%
rename from etc/permission-hardening.d/25_default_whitelist_ssh.conf
rename to etc/permission-hardener.d/25_default_whitelist_ssh.conf
index 678b2f6..f7ef445 100644
--- a/etc/permission-hardening.d/25_default_whitelist_ssh.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## TODO: research
diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardener.d/25_default_whitelist_sudo.conf
similarity index 65%
rename from etc/permission-hardening.d/25_default_whitelist_sudo.conf
rename to etc/permission-hardener.d/25_default_whitelist_sudo.conf
index 07051dd..a7b0fd2 100644
--- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_sudo.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 /usr/bin/sudo exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
similarity index 74%
rename from etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
rename to etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
index c086dab..dc1fb5a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## required for performing password validation from unprivileged user
diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf
similarity index 77%
rename from etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
rename to etc/permission-hardener.d/25_default_whitelist_virtualbox.conf
index dbd5737..17701d9 100644
--- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## TODO: research
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardener.d/30_default.conf
similarity index 94%
rename from etc/permission-hardening.d/30_default.conf
rename to etc/permission-hardener.d/30_default.conf
index b6e4aeb..2ba3dee 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardener.d/30_default.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## File permission hardening.
@@ -60,8 +60,8 @@
 /home/ 0755 root root
 /root/ 0700 root root
 /boot/ 0700 root root
-/etc/permission-hardening.d 0600 root root
-/usr/local/etc/permission-hardening.d 0600 root root
+/etc/permission-hardener.d 0600 root root
+/usr/local/etc/permission-hardener.d 0600 root root
 /lib/modules/ 0700 root root
 /usr/src 0700 root root
 /etc/cups/cupsd.conf 0400 root root
diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset
index 201369d..a852419 100644
--- a/lib/systemd/system-preset/50-security-misc.preset
+++ b/lib/systemd/system-preset/50-security-misc.preset
@@ -5,7 +5,7 @@
 disable hide-hardware-info.service
 ## Disable for now until development finished / tested.
-disable permission-hardening.service
+disable permission-hardener.service
 ## Disable for now until development finished / tested.
 ## https://github.com/Kicksecure/security-misc/pull/152
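Review bot: Removing `/etc/permission-hardening.d 0600 root root` and `/usr/local/etc/permission-hardening.d 0600 root root` from the hardening list means a legacy configuration directory that survives the rename is no longer forced to the restrictive mode, while `parse_config_folder` in the script further down this page still globs `/etc/permission-hardening.d/*.conf` and `/usr/local/etc/permission-hardening.d/*.conf`. Files in those directories presumably still decide what gets chowned and chmodded, so their permissions should stay hardened for as long as they are read; keep the two old entries next to the new ones until the legacy globs are dropped. The rest of the file is outside this hunk.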
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardener.service
similarity index 93%
rename from lib/systemd/system/permission-hardening.service
rename to lib/systemd/system/permission-hardener.service
index 9891b72..912e6c7 100644
--- a/lib/systemd/system/permission-hardening.service
+++ b/lib/systemd/system/permission-hardener.service
@@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=permission-hardening
+ExecStart=permission-hardener
 [Install]
 WantedBy=sysinit.target
diff --git a/usr/bin/permission-hardening b/usr/bin/permission-hardener
similarity index 99%
rename from usr/bin/permission-hardening
rename to usr/bin/permission-hardener
index 7673dd7..d2a7ccc 100755
--- a/usr/bin/permission-hardening
+++ b/usr/bin/permission-hardener
@@ -6,13 +6,10 @@
 ## https://forums.whonix.org/t/disable-suid-binaries/7706
 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
-## To undo:
-## sudo permission-hardening disable
-
 set -o errexit -o nounset -o pipefail
 exit_code=0
-store_dir="/var/lib/permission-hardening"
+store_dir="/var/lib/permission-hardener"
 dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
@@ -507,6 +504,8 @@ parse_config_folder() {
 shopt -s nullglob
 for config_file in \
+ /etc/permission-hardener.d/*.conf \
+ /usr/local/etc/permission-hardener.d/*.conf \
 /etc/permission-hardening.d/*.conf \
 /usr/local/etc/permission-hardening.d/*.conf
 do
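Review bot: Changing `store_dir` to `/var/lib/permission-hardener` strands any state already recorded under `/var/lib/permission-hardening`: the `existing_mode` and `new_mode` admindirs on the next two lines are derived from `${store_dir}`, and `disable` later reads `${store_dir}/existing_mode/statoverride` to restore original modes, so on an upgraded system the undo path would no longer find them unless the old directory is migrated. A comment next to the assignment should record that expectation, e.g. `## State recorded under the pre-rename path /var/lib/permission-hardening must be migrated by the package maintainer scripts.`. The removed `## To undo:` hint is not replaced; since `disable` is still offered in the usage text, keep a one-line pointer to it here.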
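Review bot: The new `/etc/permission-hardener.d/*.conf` and `/usr/local/etc/permission-hardener.d/*.conf` globs are placed in front of the legacy `permission-hardening.d` ones, so both generations of directories are parsed in one run and a `20_user.conf` present in both locations is visited twice. If keeping the legacy globs is deliberate, say so and name the removal condition in a comment above them, e.g. `## Legacy directories: still parsed so existing user configuration keeps working after the rename; remove once users have migrated.`; otherwise the two legacy lines should go now. The loop body that consumes `config_file` is outside this hunk.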
@@ -620,7 +619,7 @@ spare() {
 To remove all:
 $0 disable all
- This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see:
+ This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
 To view list of changed by SUID Disabler and Permission Hardener:
From db0503e71d5c37865cbb0a01cb8fa00af2a4e574 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 2 Jan 2024 14:55:13 +0000
Subject: [PATCH 1065/1650] bumped changelog version
---
 changelog.upstream | 30 ++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 36 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 00f98f1..7cd78ce 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,25 @@
+commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2
+Merge: 94c0e26 8daf97a
+Author: Patrick Schleizer
+Date: Tue Jan 2 05:30:49 2024 -0500
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50
+Merge: 94c0e26 f055fe5
+Author: Patrick Schleizer
+Date: Tue Jan 2 05:29:35 2024 -0500
+
+ Merge pull request #178 from raja-grewal/io_uring
+
+ Disable asynchronous I/O
+
+commit 94c0e26a082f61f71e89b1fb7386a58166ffa411
+Author: Patrick Schleizer
+Date: Fri Dec 29 20:15:50 2023 +0000
+
+ bumped changelog version
+
 commit 5b36599c0ce35857239c82459828db1ec4215411
 Author: Patrick Schleizer
 Date: Fri Dec 29 14:57:38 2023 -0500
@@ -168,6 +190,14 @@ Date: Fri Dec 22 08:31:58 2023 -0500
 fixes https://github.com/Kicksecure/security-misc/issues/179
+commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6
+Author: Raja Grewal
+Date: Fri Dec 15 08:33:36 2023 +0000
+
+ Disable asynchronous I/O
+
+ io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used.
+
 commit 99f2edd4f685cdc9a47b32107125408e12a294c2
 Author: Patrick Schleizer
 Date: Tue Dec 12 16:51:21 2023 +0000
diff --git a/debian/changelog b/debian/changelog
index 5c393ca..1a3638c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:34.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000
+
 security-misc (3:34.8-1) unstable; urgency=medium
 * New upstream version (local package).
From bc02c72018d6458d4c1852dd441287b277421514 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Tue, 2 Jan 2024 17:08:45 +0100
Subject: [PATCH 1066/1650] Fix unbound variable - Run messages preceded by INFO; - Comment unknown unused variables; - Remove unnecessary variables; and - Deal with unbound variable due to subshell by writing to a file;
---
 usr/bin/permission-hardener | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index d2a7ccc..2e3fcbc 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -14,17 +14,17 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
 echo_wrapper_ignore() {
- echo "run: $*"
+ echo "INFO: run: $*"
 "$@" 2>/dev/null || true
 }
 echo_wrapper_silent_ignore() {
- #echo "run: $@"
+ #echo "INFO: run: $@"
 "$@" 2>/dev/null || true
 }
 echo_wrapper_audit() {
- echo "run: $*"
+ echo "INFO: run: $*"
 return_code=0
 "$@" || {
@@ -499,8 +499,8 @@ parse_config_folder() {
 group_file_contents_temp=$(getent group)
 echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null
- passwd_file_contents="$(cat "${store_dir}/private/passwd")"
- group_file_contents="$(cat "${store_dir}/private/group")"
+ #passwd_file_contents="$(cat "${store_dir}/private/passwd")"
+ #group_file_contents="$(cat "${store_dir}/private/group")"
 shopt -s nullglob
 for config_file in \
@@ -555,32 +555,29 @@ spare() {
 true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'"
 if test "${remove_file}" = "all"; then
- proceed=true
 verbose=""
 remove_one=false
 else
 if test "${remove_file}" = "${file_name}"; then
- proceed=true
 verbose="--verbose"
 remove_one=true
+ echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null
 else
- proceed=false
- verbose=""
+ echo "false" | tee "${store_dir}/remove_one" >/dev/null
+ continue
 fi
 fi
- if test "${proceed}" = "false"; then
- continue
- fi
-
 if test "${remove_one}" = "true"; then
 set -o xtrace
 fi
 if test -e "${file_name}"; then
+ # shellcheck disable=SC2086
 chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202
 ## chmod need to be run after chown since chown removes suid.
 ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature
+ # shellcheck disable=SC2086
 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203
 else
 echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal."
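Review bot: The `#passwd_file_contents=` and `#group_file_contents=` lines leave commented-out code in `parse_config_folder` instead of removing it; git history already preserves the old assignments, so delete the two lines. Nothing visible in this hunk reads `${store_dir}/private/passwd` or `${store_dir}/private/group` after the change, so it is worth checking whether the `getent` and `tee` calls just above are still needed, or adding a comment naming what consumes those files. The function continues outside the hunk.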
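Review bot: Writing `${store_dir}/remove_one` inside the loop breaks the final check: every statoverride entry that does not match `${remove_file}` takes the `else` branch and overwrites the file with `false`, so a match that is followed by any later entry is reported as "no file was removed" by the `cat` test in the next hunk even though chown/chmod ran for it. Seed the file once before the loop and only ever write `true` on a match: put `echo "false" | tee "${store_dir}/remove_one" >/dev/null` before the `while` (which starts above this hunk), keep the `echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null` line in the match branch, and reduce the `else` branch to just `continue`. That also covers an empty statoverride file, where the loop body never runs and the later `cat` would otherwise fail on a missing file. The enclosing loop begins outside this hunk and ends in the following one.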
@@ -600,10 +597,10 @@ spare() {
 done < "${store_dir}/existing_mode/statoverride"
 if test ! "${remove_file}" = "all"; then
- if test ! "${remove_one}" = "true"; then
- echo "INFO: no file removed.
+ if test "$(cat "${store_dir}/remove_one")" = "false"; then
+ echo "INFO: no file was removed.
- File '${remove_file}' has not removed from SUID Disabler and Permission Hardener during this invocation of this program.
+ File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation of this program.
 Note: This is expected if already done earlier.
@@ -657,7 +654,7 @@ case "${1:-}" in
 disable)
 shift
 case "${1:-}" in
- "") usage;;
+ "") usage 1;;
 *) spare "${1}";;
 esac
 ;;
From 74afcc9c63ad064f20778ad2870690925c3cee81 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 3 Jan 2024 17:52:23 +1100
Subject: [PATCH 1067/1650] Clarify validity of disabling io_uring
---
 usr/lib/sysctl.d/990-security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f660d54..321f3b8 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -68,6 +68,9 @@ kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 ## Disable asynchronous I/O for all processes.
+## Valid only for linux kernel version >= 6.6.
+## Command is retained here for future-proofing and completeness.
+## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6
 kernel.io_uring_disabled=2
 #### meta start
From e8f8dcd0fb1c23a62974849f55516da9dce5948e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 4 Jan 2024 02:03:26 +0000
Subject: [PATCH 1068/1650] bumped changelog version
---
 changelog.upstream | 28 ++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 34 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 7cd78ce..6d7ee2a 100644
--- a/changelog.upstream
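Review bot: The added comment records that `kernel.io_uring_disabled` only exists on kernels >= 6.6, but on older kernels the line still makes the sysctl loader log an error when this file is applied. sysctl.d(5) allows a leading `-` on the key to make a failure to set that one setting non-fatal, which is exactly what a forward-looking entry wants: `-kernel.io_uring_disabled=2`. It would also help to state in the comment what `2` means relative to `1` (creation disabled for every process rather than only for unprivileged ones), since that is the security-relevant choice being made here; "Command is retained" should read "Setting is retained", as this is a sysctl key, not a command.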
+++ b/changelog.upstream
@@ -1,3 +1,31 @@
+commit 70a86fa994c0a894643e876fc86226ad0443a741
+Merge: db0503e 71060f1
+Author: Patrick Schleizer
+Date: Wed Jan 3 05:12:48 2024 -0500
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440
+Merge: db0503e 74afcc9
+Author: Patrick Schleizer
+Date: Wed Jan 3 05:00:41 2024 -0500
+
+ Merge pull request #182 from raja-grewal/io_uring
+
+ Clarify validity of disabling io_uring
+
+commit 74afcc9c63ad064f20778ad2870690925c3cee81
+Author: Raja Grewal
+Date: Wed Jan 3 17:52:23 2024 +1100
+
+ Clarify validity of disabling io_uring
+
+commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574
+Author: Patrick Schleizer
+Date: Tue Jan 2 14:55:13 2024 +0000
+
+ bumped changelog version
+
 commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2
 Merge: 94c0e26 8daf97a
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index 1a3638c..bf047db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:35.0-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000
+
 security-misc (3:34.9-1) unstable; urgency=medium
 * New upstream version (local package).
From 3f1304403fbf04f15dac01963c66f82cd84452d4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 6 Jan 2024 08:15:31 -0500
Subject: [PATCH 1069/1650] disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP https://github.com/Kicksecure/security-misc/issues/184
---
 usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
index 1601800..428c0e2 100644
--- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
+++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
@@ -1,6 +1,6 @@
-[device-mac-randomization]
-wifi.scan-rand-mac-address=yes
+#[device-mac-randomization]
+#wifi.scan-rand-mac-address=yes
-[connection-mac-randomization]
-ethernet.cloned-mac-address=random
-wifi.cloned-mac-address=random
+#[connection-mac-randomization]
+#ethernet.cloned-mac-address=random
+#wifi.cloned-mac-address=random
From 86f91e3030ef0b08000fc28a3a172e6a47918e4e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 6 Jan 2024 09:10:45 -0500
Subject: [PATCH 1070/1650] revert umask 027 by default because broken because this also happens for root while it should not https://github.com/Kicksecure/security-misc/issues/185
---
 README.md | 4 +++-
 usr/share/pam-configs/umask-security-misc | 8 --------
 2 files changed, 3 insertions(+), 9 deletions(-)
 delete mode 100644 usr/share/pam-configs/umask-security-misc
diff --git a/README.md b/README.md
index 4ac4fb6..2463c66 100644
--- a/README.md
+++ b/README.md
@@ -392,7 +392,9 @@ See:
 #### umask
 Default `umask` is set to `027` for files created by non-root users such as for
-example user `user`.
+example user `user`. Broken. Disabled. See:
+
+* https://github.com/Kicksecure/security-misc/issues/184
 This is doing using pam module `pam_mkhomedir.so umask=027`.
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
deleted file mode 100644
index 6436a56..0000000
--- a/usr/share/pam-configs/umask-security-misc
+++ /dev/null
@@ -1,8 +0,0 @@
-Name: Restrict umask to 027 (by package security-misc)
-Default: yes
-Priority: 100
-Session-Type: Additional
-Session-Interactive-Only: yes
-Session:
- [success=1 default=ignore] pam_succeed_if.so uid eq 0
- optional pam_umask.so umask=027
From df0f9d3267644c4aea87add2dcade86044c496f0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 6 Jan 2024 09:19:57 -0500
Subject: [PATCH 1071/1650] README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 2463c66..86f1a43 100644
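Review bot: Commenting out `wifi.scan-rand-mac-address`, `ethernet.cloned-mac-address` and `wifi.cloned-mac-address` silently drops a privacy hardening, and the only record of why is the commit message. Put the reason in the file so the next reader does not re-enable it blindly, e.g. a first line `## Disabled: MAC randomization breaks VirtualBox DHCP. https://github.com/Kicksecure/security-misc/issues/184`. The same applies to the two IPv6 privacy-extension files commented out further down the page (`80_ipv6-privacy-extensions.conf` and `80_ipv6-privacy.conf`), which also carry no in-file explanation. Separately, the README hunk for the umask revert on this line links issue 184 while that commit's message cites issue 185; one of the two references looks wrong.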
--- a/README.md
+++ b/README.md
@@ -287,6 +287,7 @@ install. Not enabled by default yet. In development. Help welcome.
+- https://www.kicksecure.com/wiki/Dev/remount-secure
 - https://github.com/Kicksecure/security-misc/issues/157
 - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
From 128bb01b35d20e97351dfb53768f35482f9756a2 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 7 Jan 2024 06:36:25 -0500
Subject: [PATCH 1072/1650] undo IPv6 privacy due to potential server issues https://github.com/Kicksecure/security-misc/issues/184
---
 .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
index b44948d..ad1e947 100644
--- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
@@ -1,2 +1,2 @@
-[Network]
-IPv6PrivacyExtensions=kernel
+#[Network]
+#IPv6PrivacyExtensions=kernel
From 1199871d7bbc7316a7e5822d77eee0666b55b203 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 7 Jan 2024 06:37:34 -0500
Subject: [PATCH 1073/1650] undo IPv6 privacy due to potential server issues https://github.com/Kicksecure/security-misc/issues/184
---
 usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
index a70549a..bc2280c 100644
--- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
@@ -1,2 +1,2 @@
-[connection]
-ipv6.ip6-privacy=2
+#[connection]
+#ipv6.ip6-privacy=2
From dc8d9eece32dec06e63c580c886a240019b3f33e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 9 Jan 2024 05:52:49 +0000
Subject: [PATCH 1074/1650] bumped changelog version
---
 changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 52 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 6d7ee2a..61d1e59 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,49 @@
+commit 1199871d7bbc7316a7e5822d77eee0666b55b203
+Author: Patrick Schleizer
+Date: Sun Jan 7 06:37:34 2024 -0500
+
+ undo IPv6 privacy due to potential server issues
+
+ https://github.com/Kicksecure/security-misc/issues/184
+
+commit 128bb01b35d20e97351dfb53768f35482f9756a2
+Author: Patrick Schleizer
+Date: Sun Jan 7 06:36:25 2024 -0500
+
+ undo IPv6 privacy due to potential server issues
+
+ https://github.com/Kicksecure/security-misc/issues/184
+
+commit df0f9d3267644c4aea87add2dcade86044c496f0
+Author: Patrick Schleizer
+Date: Sat Jan 6 09:19:57 2024 -0500
+
+ README
+
+commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e
+Author: Patrick Schleizer
+Date: Sat Jan 6 09:10:45 2024 -0500
+
+ revert umask 027 by default
+
+ because broken because this also happens for root while it should not
+
+ https://github.com/Kicksecure/security-misc/issues/185
+
+commit 3f1304403fbf04f15dac01963c66f82cd84452d4
+Author: Patrick Schleizer
+Date: Sat Jan 6 08:15:31 2024 -0500
+
+ disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP
+
+ https://github.com/Kicksecure/security-misc/issues/184
+
+commit e8f8dcd0fb1c23a62974849f55516da9dce5948e
+Author: Patrick Schleizer
+Date: Thu Jan 4 02:03:26 2024 +0000
+
+ bumped changelog version
+
 commit 70a86fa994c0a894643e876fc86226ad0443a741
 Merge: db0503e 71060f1
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index bf047db..2624404 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:35.1-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000
+
 security-misc (3:35.0-1) unstable; urgency=medium
 * New upstream version (local package).
From a90cd43631216f28a18a1b3f066b9f6ef3301ac4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 08:32:52 -0500
Subject: [PATCH 1075/1650] fix postinst for new permission-hardener https://github.com/Kicksecure/security-misc/pull/181
---
 debian/security-misc.postinst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index da358e3..68ea720 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -20,8 +20,8 @@ permission_hardening() {
 echo "Running SUID Disabler and Permission Hardener... See also:"
 echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
 echo ""
- echo "$0: INFO: running: permission-hardener"
- if ! permission-hardener ; then
+ echo "$0: INFO: running: permission-hardener enable"
+ if ! permission-hardener enable ; then
 echo "$0: ERROR: Permission hardening failed." >&2
 return 0
 fi
@@ -59,7 +59,7 @@ esac
 pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
-permission_hardener
+permission_hardening
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
From ed7c09fc46b26440439adf748f597da277a3f1e4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 08:45:13 -0500
Subject: [PATCH 1076/1650] permission-hardening -> permission-hardener migration mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener https://github.com/Kicksecure/security-misc/pull/181
---
 debian/security-misc.postinst | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 68ea720..a3fa5f2 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,6 +15,16 @@ true "
 #####################################################################
 "
+permission_hardening_legacy() {
+ if test -d /var/lib/permission-hardener ; then
+ return 0
+ fi
+ if ! test -d /var/lib/permission-hardening ; then
+ return 0
+ fi
+ mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener
+}
+
 permission_hardening() {
 echo ""
 echo "Running SUID Disabler and Permission Hardener... See also:"
@@ -59,6 +69,7 @@ esac
 pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
+permission_hardening_legacy
 permission_hardening
 ## https://phabricator.whonix.org/T377
From 4f7973bc5628cdc24f5224bd98858249307635d3 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 08:56:26 -0500
Subject: [PATCH 1077/1650] comment
---
 etc/permission-hardener.d/30_default.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf
index 2ba3dee..0d5ea8a 100644
--- a/etc/permission-hardener.d/30_default.conf
+++ b/etc/permission-hardener.d/30_default.conf
@@ -41,7 +41,7 @@
 ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
-## http://forums.whonix.org/t/permission-hardening/8655/25
+## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35
 #/usr/lib/xorg/Xorg.wrap whitelist
 #/lib/xorg/Xorg.wrap whitelist
From fa53848b5cda135fbb8a3855e8508692084fc7e9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 13:58:55 +0000
Subject: [PATCH 1078/1650] bumped changelog version
---
 changelog.upstream | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++
 2 files changed, 82 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 61d1e59..0e3b363 100644
--- a/changelog.upstream
+++ b/changelog.upstream
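Review bot: `permission_hardening_legacy` returns silently when both `/var/lib/permission-hardener` and `/var/lib/permission-hardening` exist, leaving the old state directory (which holds the recorded original modes that `permission-hardener disable` reads back) orphaned with no indication to the administrator. Log that case before the first `return 0`, e.g. `echo "$0: INFO: both /var/lib/permission-hardening and /var/lib/permission-hardener exist, leaving the legacy directory untouched."`. The `mv` is also the only unguarded command in the function; if the postinst runs under `set -e` (its header is outside this hunk) a failed move aborts package configuration, which may or may not be the intended severity and deserves a comment either way.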
@@ -1,3 +1,40 @@
+commit 4f7973bc5628cdc24f5224bd98858249307635d3
+Author: Patrick Schleizer
+Date: Tue Jan 16 08:56:26 2024 -0500
+
+ comment
+
+commit ed7c09fc46b26440439adf748f597da277a3f1e4
+Author: Patrick Schleizer
+Date: Tue Jan 16 08:45:13 2024 -0500
+
+ permission-hardening -> permission-hardener migration
+
+ mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener
+
+ https://github.com/Kicksecure/security-misc/pull/181
+
+commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4
+Author: Patrick Schleizer
+Date: Tue Jan 16 08:32:52 2024 -0500
+
+ fix postinst for new permission-hardener
+
+ https://github.com/Kicksecure/security-misc/pull/181
+
+commit 862bf6b5ab29917138325023eb3507f5fbd5653c
+Merge: dc8d9ee bc02c72
+Author: Patrick Schleizer
+Date: Tue Jan 16 08:19:28 2024 -0500
+
+ Merge remote-tracking branch 'ben-grande/clean'
+
+commit dc8d9eece32dec06e63c580c886a240019b3f33e
+Author: Patrick Schleizer
+Date: Tue Jan 9 05:52:49 2024 +0000
+
+ bumped changelog version
+
 commit 1199871d7bbc7316a7e5822d77eee0666b55b203
 Author: Patrick Schleizer
 Date: Sun Jan 7 06:37:34 2024 -0500
@@ -66,12 +103,51 @@ Date: Wed Jan 3 17:52:23 2024 +1100
 Clarify validity of disabling io_uring
+commit bc02c72018d6458d4c1852dd441287b277421514
+Author: Ben Grande
+Date: Tue Jan 2 17:08:45 2024 +0100
+
+ Fix unbound variable
+
+ - Run messages preceded by INFO;
+ - Comment unknown unused variables;
+ - Remove unnecessary variables; and
+ - Deal with unbound variable due to subshell by writing to a file;
+
 commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574
 Author: Patrick Schleizer
 Date: Tue Jan 2 14:55:13 2024 +0000
 bumped changelog version
+commit abf72c2ee4286ec069f75e66acf05a42f3645c89
+Author: Ben Grande
+Date: Tue Jan 2 13:34:29 2024 +0100
+
+ Rename file permission hardening script
+
+ Hardener as the script is the agent that is hardening the file
+ permissions.
+
+commit f138cf0f78c03e3952801d01d25d5f8065ff1457
+Author: Ben Grande
+Date: Tue Jan 2 12:17:16 2024 +0100
+
+ Refactor permission-hardener
+
+ - Organize comments from default configuration;
+ - Apply and undo changes from a single file controlled by parameters;
+ - Arrays should be evaluated as arrays and not normal variables;
+ - Quote variables;
+ - Brackets around variables;
+ - Standardize test cases to "test" command;
+ - Test against empty or non-empty variables with "-z" and "-n";
+ - Show a usage message when necessary;
+ - Require root to run the script with informative message;
+ - Permit the user to see the help message without running as root;
+ - Do not create root directories without passing root check;
+ - Use long options for "set" command;
+
 commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2
 Merge: 94c0e26 8daf97a
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index 2624404..4a87862 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:35.2-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000
+
 security-misc (3:35.1-1) unstable; urgency=medium
 * New upstream version (local package).
From 9cafd78fe21baa3c2a36853f57e0638b2facfe5c Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 09:05:09 -0500
Subject: [PATCH 1079/1650] rm_conffile /etc/permission-hardening.d https://github.com/Kicksecure/security-misc/pull/181
---
 debian/security-misc.maintscript | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index c6ba935..7e44c41 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -45,3 +45,24 @@ rm_conffile /etc/X11/Xsession.d/50security-misc
 rm_conffile /etc/sysctl.d/30_security-misc.conf
 rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
 rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
+
+## moved to etc/permission-hardener.d
+rm_conffile /etc/permission-hardening.d/25_default_passwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
+rm_conffile /etc/permission-hardening.d/30_default.conf
From 6aa55698ab2a0f3771d28293d7ad14da2763a16f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 09:10:59 -0500
Subject: [PATCH 1080/1650] delete legacy folder /etc/permission-hardening.d if empty https://github.com/Kicksecure/security-misc/pull/181
---
 debian/security-misc.postinst | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index a3fa5f2..5e83b03 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,7 +15,7 @@ true "
 #####################################################################
 "
-permission_hardening_legacy() {
+permission_hardening_legacy_state_files() {
 if test -d /var/lib/permission-hardener ; then
 return 0
 fi
@@ -25,6 +25,13 @@ permission_hardening_legacy() {
 mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener
 }
+permission_hardening_legacy_config_folder() {
+ if ! test -d /etc/permission-hardening.d ; then
+ return 0
+ fi
+ rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true
+}
+
 permission_hardening() {
 echo ""
 echo "Running SUID Disabler and Permission Hardener... See also:"
@@ -69,7 +76,8 @@ esac
 pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
-permission_hardening_legacy
+permission_hardening_legacy_state_files
+
 permission_hardening
 ## https://phabricator.whonix.org/T377
@@ -92,6 +100,8 @@ true "INFO: debhelper beginning here."
 true "INFO: Done with debhelper."
+permission_hardening_legacy_config_folder
+
 true "
 #####################################################################
 ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
From 186f6015da7b3314c95c2833032c6fe953a71afd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 14:14:18 +0000
Subject: [PATCH 1081/1650] bumped changelog version
---
 changelog.upstream | 22 ++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 28 insertions(+)
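Review bot: `permission_hardening_legacy_config_folder` removes `/etc/permission-hardening.d` only when it is empty and otherwise stays quiet, yet `permission-hardener` still parses that directory, so an administrator with a leftover `20_user.conf` gets no hint that it keeps applying from the old location. After the `rmdir`, report the leftover: `if test -d /etc/permission-hardening.d ; then echo "$0: INFO: legacy /etc/permission-hardening.d still exists; move its contents to /etc/permission-hardener.d." ; fi`. The `|| true` behind `rmdir --ignore-fail-on-non-empty` also hides unrelated failures such as a permission error; that is a reasonable choice in a postinst if intended, but a short comment saying so would stop a later reader from "fixing" it.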
diff --git a/changelog.upstream b/changelog.upstream
index 0e3b363..f930bfe 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,25 @@
+commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f
+Author: Patrick Schleizer
+Date: Tue Jan 16 09:10:59 2024 -0500
+
+ delete legacy folder /etc/permission-hardening.d if empty
+
+ https://github.com/Kicksecure/security-misc/pull/181
+
+commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c
+Author: Patrick Schleizer
+Date: Tue Jan 16 09:05:09 2024 -0500
+
+ rm_conffile /etc/permission-hardening.d
+
+ https://github.com/Kicksecure/security-misc/pull/181
+
+commit fa53848b5cda135fbb8a3855e8508692084fc7e9
+Author: Patrick Schleizer
+Date: Tue Jan 16 13:58:55 2024 +0000
+
+ bumped changelog version
+
 commit 4f7973bc5628cdc24f5224bd98858249307635d3
 Author: Patrick Schleizer
 Date: Tue Jan 16 08:56:26 2024 -0500
diff --git a/debian/changelog b/debian/changelog
index 4a87862..ca572b8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:35.3-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000
+
 security-misc (3:35.2-1) unstable; urgency=medium
 * New upstream version (local package).
From 3ba8fe586e1abe133bd41076278f8663aba7e641 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 09:23:54 -0500
Subject: [PATCH 1082/1650] update permission-hardener.service Which is now only an additional opt-in systemd unit, because permission-hardener is run by default at security-misc package installation time. https://github.com/Kicksecure/security-misc/pull/181
---
 lib/systemd/system/permission-hardener.service | 4 ++--
 usr/bin/permission-hardener | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/systemd/system/permission-hardener.service b/lib/systemd/system/permission-hardener.service
index 912e6c7..94ddd6b 100644
--- a/lib/systemd/system/permission-hardener.service
+++ b/lib/systemd/system/permission-hardener.service
@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 [Unit]
-Description=SUID, SGID, Capability and File Permission Hardening
+Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening)
 Documentation=https://github.com/Kicksecure/security-misc
 DefaultDependencies=no
@@ -13,7 +13,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=permission-hardener
+ExecStart=permission-hardener enable
 [Install]
 WantedBy=sysinit.target
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index 2e3fcbc..4831581 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -616,7 +616,7 @@ spare() {
 To remove all:
 $0 disable all
- This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see:
+ This change might not be permanent. For full instructions, see:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
 To view list of changed by SUID Disabler and Permission Hardener:
From 0d78ecaee37536379ad2f230f45904f57425cb19 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 16 Jan 2024 09:26:21 -0500
Subject: [PATCH 1083/1650] README
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fec808e..e47754f 100644
--- a/README.md
+++ b/README.md
@@ -436,8 +436,8 @@ include but are not limited to: ##### permission-hardener ##### `permission-hardener` removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It runs at package -installation and upgrade time. +these are often used in privilege escalation attacks. It is enabled by default +and applied at security-misc package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that can be enabled by running `systemctl enable permission-hardener.service` as From 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 14:26:34 +0000 Subject: [PATCH 1084/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f930bfe..316c98d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 0d78ecaee37536379ad2f230f45904f57425cb19 +Author: Patrick Schleizer +Date: Tue Jan 16 09:26:21 2024 -0500 + + README + +commit 3ba8fe586e1abe133bd41076278f8663aba7e641 +Author: Patrick Schleizer +Date: Tue Jan 16 09:23:54 2024 -0500 + + update permission-hardener.service + + Which is now only an additional opt-in systemd unit, + because permission-hardener is run by default at security-misc + package installation time. + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 186f6015da7b3314c95c2833032c6fe953a71afd +Author: Patrick Schleizer +Date: Tue Jan 16 14:14:18 2024 +0000 + + bumped changelog version + commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f Author: Patrick Schleizer Date: Tue Jan 16 09:10:59 2024 -0500 diff --git a/debian/changelog b/debian/changelog index ca572b8..cbf6a0b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 + security-misc (3:35.3-1) unstable; urgency=medium * New upstream version (local package). From 18a06935e0cca3dc090643aad406d861e4583085 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:23:20 -0500 Subject: [PATCH 1085/1650] run permission hardener when new packages are install files to /usr or /opt (basically anywhere) fixes https://github.com/Kicksecure/security-misc/issues/189 --- debian/security-misc.postinst | 6 +++--- debian/security-misc.triggers | 26 +++----------------------- 2 files changed, 6 insertions(+), 26 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5e83b03..b3aaae8 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -33,17 +33,16 @@ permission_hardening_legacy_config_folder() { } permission_hardening() { - echo "" echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" - echo "" echo "$0: INFO: running: permission-hardener enable" + echo "" if ! permission-hardener enable ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi - echo "$0: INFO: Permission hardening success." echo "" + echo "$0: INFO: Permission hardening success." } case "$1" in @@ -64,6 +63,7 @@ case "$1" in echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true + permission_hardening exit 0 ;; diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index f8f1c77..bcfd1c5 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers 
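Review bot: `permission_hardening` is added to the `triggered` branch unconditionally, and the same commit replaces the specific trigger interests with `/usr` and `/opt`, so the two calls kept above it (`lkrg-virtualbox`, `mmap-rnd-bits`) now run on every package that ships files under /usr while `mmap-rnd-bits` no longer runs on kernel updates at all, since those touch /boot rather than /usr. If that is unintended, keep `interest-noawait /boot` in the triggers file and dispatch on `$2` (the trigger name(s) dpkg passes) instead of running all three on each activation, e.g. `case "$2" in *"/boot"*) /usr/libexec/security-misc/mmap-rnd-bits || true ;; *) permission_hardening ;; esac`. Separately, `permission_hardening` masks a failed `permission-hardener enable` with `return 0` (context lines above); on the trigger path that is arguably right, because a non-zero exit would leave the triggering package unconfigured, but the intent deserves a comment such as `## return 0: a failed hardener run must not break configuration of the triggering package.` The enclosing `case "$1"` statement ends outside the hunk.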
@@ -1,25 +1,5 @@
-## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-#### meta start
-#### project Kicksecure
-#### category security
-#### description
-
-## Trigger 'activate-noawait update-initramfs' also works with both,
-## initramfs-tools as well as dracut.
-## - Activate initramfs hook that sets the sysctl values before init is executed.
-## - dracut module 20remount-secure
-activate-noawait update-initramfs
-
-## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
-interest-noawait /usr/bin/vboxmanage
-
-## /usr/libexec/security-misc/mmap-rnd-bits
-## auto generates:
-## /etc/sysctl.d/30_security-misc_aslr-mmap.conf
-## sets:
-## vm.mmap_rnd_bits
-interest-noawait /boot
-
-#### meta end
+interest-await /usr
+interest-await /opt
From 0efee2f50fd38feade7700c2f033cc3d4c200d34 Mon Sep 17 00:00:00 2001
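Review bot: Dropping `activate-noawait update-initramfs` means a security-misc install or upgrade no longer regenerates the initramfs, so changes to `etc/initramfs-tools/hooks/sysctl-initramfs` (the `copy_exec` path change later in this series, for instance) and the dracut module only take effect when some other package happens to rebuild it; unless that activation moved elsewhere (not visible here), the line should stay. `interest-await /usr` also holds every package that ships files under /usr in the triggers-awaited state until security-misc's trigger has run; deb-triggers(5) recommends the noawait form unless the triggering package must not count as configured before the trigger is processed, and await interests on a path this broad are a known way to end up with trigger cycles, so `interest-noawait /usr` and `interest-noawait /opt` look sufficient for re-running a hardener. The new copyright line `2024 - 2024` also reads as if the start year was overwritten instead of the end year.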
From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:39:56 -0500 Subject: [PATCH 1086/1650] usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 --- debian/security-misc.install | 1 - etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- etc/permission-hardener.d/30_default.conf | 20 ++-- .../bin}/disabled-bluetooth-by-security-misc | 0 .../bin}/disabled-cdrom-by-security-misc | 0 .../bin}/disabled-filesys-by-security-misc | 0 .../bin}/disabled-firewire-by-security-misc | 0 .../bin}/disabled-intelme-by-security-misc | 0 .../bin}/disabled-msr-by-security-misc | 0 .../bin}/disabled-netfilesys-by-security-misc | 0 .../bin}/disabled-network-by-security-misc | 0 .../disabled-thunderbolt-by-security-misc | 0 .../bin}/disabled-vivid-by-security-misc | 0 usr/bin/permission-hardener | 2 +- .../coredump.conf.d/30_security-misc.conf | 0 .../system-preset/50-security-misc.preset | 0 .../system/harden-module-loading.service | 0 .../haveged.service.d/30_security-misc.conf | 0 .../systemd/system/hide-hardware-info.service | 0 .../system/permission-hardener.service | 0 .../lib}/systemd/system/proc-hidepid.service | 0 .../systemd/system/remount-secure.service | 0 .../systemd/system/remove-system-map.service | 0 .../lib}/systemd/system/sysinit-post.target | 0 .../systemd/system/user@.service.d/sysfs.conf | 0 .../lkrg/30-lkrg-virtualbox.conf | 4 +- 27 files changed, 65 insertions(+), 66 deletions(-) rename {bin => usr/bin}/disabled-bluetooth-by-security-misc (100%) rename {bin => usr/bin}/disabled-cdrom-by-security-misc (100%) rename {bin => usr/bin}/disabled-filesys-by-security-misc (100%) rename {bin => usr/bin}/disabled-firewire-by-security-misc (100%) rename {bin => usr/bin}/disabled-intelme-by-security-misc (100%) rename {bin => usr/bin}/disabled-msr-by-security-misc (100%) rename {bin => usr/bin}/disabled-netfilesys-by-security-misc (100%) rename {bin => usr/bin}/disabled-network-by-security-misc (100%) 
rename {bin => usr/bin}/disabled-thunderbolt-by-security-misc (100%) rename {bin => usr/bin}/disabled-vivid-by-security-misc (100%) rename {lib => usr/lib}/systemd/coredump.conf.d/30_security-misc.conf (100%) rename {lib => usr/lib}/systemd/system-preset/50-security-misc.preset (100%) rename {lib => usr/lib}/systemd/system/harden-module-loading.service (100%) rename {lib => usr/lib}/systemd/system/haveged.service.d/30_security-misc.conf (100%) rename {lib => usr/lib}/systemd/system/hide-hardware-info.service (100%) rename {lib => usr/lib}/systemd/system/permission-hardener.service (100%) rename {lib => usr/lib}/systemd/system/proc-hidepid.service (100%) rename {lib => usr/lib}/systemd/system/remount-secure.service (100%) rename {lib => usr/lib}/systemd/system/remove-system-map.service (100%) rename {lib => usr/lib}/systemd/system/sysinit-post.target (100%) rename {lib => usr/lib}/systemd/system/user@.service.d/sysfs.conf (100%) diff --git a/debian/security-misc.install b/debian/security-misc.install index 126a525..ea6d791 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -5,6 +5,5 @@ bin/* etc/* -lib/* usr/* var/* diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index f1e3589..1a80c8f 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -18,4 +18,4 @@ prereqs) esac . /usr/share/initramfs-tools/hook-functions -copy_exec /sbin/sysctl /sbin +copy_exec /usr/sbin/sysctl /usr/sbin diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index a01ed81..24ee928 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
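Review bot: `copy_exec /usr/sbin/sysctl /usr/sbin` hard-codes the merged-/usr location of the binary; on a host that is not yet merged, procps installs it as /sbin/sysctl, the source path does not exist, and the initramfs is built without sysctl unless copy_exec's failure aborts the hook (the rest of the hook, including any `set -e`, is outside the hunk). Resolving the path first, `sysctl_path="$(command -v sysctl)" || exit 1` followed by `copy_exec "$sysctl_path" /usr/sbin`, keeps the hook working on both layouts and turns a missing binary into a visible failure. The same merged-/usr assumption underlies the `debian/security-misc.install` change above and the modprobe.d, permission-hardener.d and systemd renames in the rest of this patch; if debian/control does not already depend on `usr-is-merged`, that prerequisite is worth stating in the commit message or a comment.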
@@ -14,78 +14,78 @@ options nf_conntrack nf_conntrack_helper=0 # ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability # -# install bluetooth /bin/disabled-bluetooth-by-security-misc -# install btusb /bin/disabled-bluetooth-by-security-misc +# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +# install btusb /usr/bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-thunderbolt-by-security-misc -install firewire-core /bin/disabled-firewire-by-security-misc -install firewire_core /bin/disabled-firewire-by-security-misc -install firewire-ohci /bin/disabled-firewire-by-security-misc -install firewire_ohci /bin/disabled-firewire-by-security-misc -install firewire_sbp2 /bin/disabled-firewire-by-security-misc -install firewire-sbp2 /bin/disabled-firewire-by-security-misc -install ohci1394 /bin/disabled-firewire-by-security-misc -install sbp2 /bin/disabled-firewire-by-security-misc -install dv1394 /bin/disabled-firewire-by-security-misc -install raw1394 /bin/disabled-firewire-by-security-misc -install video1394 /bin/disabled-firewire-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire_core /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire_ohci /usr/bin/disabled-firewire-by-security-misc +install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc ## 
Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-msr-by-security-misc +install msr /usr/bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /bin/disabled-network-by-security-misc -install sctp /bin/disabled-network-by-security-misc -install rds /bin/disabled-network-by-security-misc -install tipc /bin/disabled-network-by-security-misc -install n-hdlc /bin/disabled-network-by-security-misc -install ax25 /bin/disabled-network-by-security-misc -install netrom /bin/disabled-network-by-security-misc -install x25 /bin/disabled-network-by-security-misc -install rose /bin/disabled-network-by-security-misc -install decnet /bin/disabled-network-by-security-misc -install econet /bin/disabled-network-by-security-misc -install af_802154 /bin/disabled-network-by-security-misc -install ipx /bin/disabled-network-by-security-misc -install appletalk /bin/disabled-network-by-security-misc -install psnap /bin/disabled-network-by-security-misc -install p8023 /bin/disabled-network-by-security-misc -install p8022 /bin/disabled-network-by-security-misc -install can /bin/disabled-network-by-security-misc -install atm /bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install sctp 
/usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install af_802154 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install atm /usr/bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format -install cramfs /bin/disabled-filesys-by-security-misc -install freevxfs /bin/disabled-filesys-by-security-misc -install jffs2 /bin/disabled-filesys-by-security-misc -install hfs /bin/disabled-filesys-by-security-misc -install hfsplus /bin/disabled-filesys-by-security-misc -install udf /bin/disabled-filesys-by-security-misc +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-netfilesys-by-security-misc -install nfs 
/bin/disabled-netfilesys-by-security-misc -install nfsv3 /bin/disabled-netfilesys-by-security-misc -install nfsv4 /bin/disabled-netfilesys-by-security-misc -install ksmbd /bin/disabled-netfilesys-by-security-misc -install gfs2 /bin/disabled-netfilesys-by-security-misc +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-vivid-by-security-misc +install vivid /usr/bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-intelme-by-security-misc -install mei-me /bin/disabled-intelme-by-security-misc +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco 
@@ -143,7 +143,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-cdrom-by-security-misc -#install sr_mod /bin/disabled-cdrom-by-security-misc +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index 0d5ea8a..f1ec473 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -36,14 +36,14 @@ ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su -#/bin/su exactwhitelist +#/usr/bin/su exactwhitelist #/usr/bin/su exactwhitelist ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist -#/lib/xorg/Xorg.wrap whitelist +#/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### # SUID whitelist matches in any section of the path: matchwhitelist @@ -51,7 +51,7 @@ ## Examples below are already configured: #ssh-agent matchwhitelist -#/lib/openssh matchwhitelist +#/usr/lib/openssh matchwhitelist ###################################################################### # Permission Hardening @@ -62,7 +62,7 @@ /boot/ 0700 root root /etc/permission-hardener.d 0600 root root /usr/local/etc/permission-hardener.d 0600 root root -/lib/modules/ 0700 root root +/usr/lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root /etc/syslog.conf 0600 root root 
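Review bot: `/usr/lib/modules/ 0700 root root` only takes effect on a merged-/usr host; on an unmerged system the modules live under `/lib/modules`, `/usr/lib/modules` does not exist, and the hardener presumably skips the entry, so the module tree silently keeps its default permissions. The same applies to the `/usr/bin/`, `/usr/sbin/` and `/usr/lib*/` nosuid entries in the following hunk, where a separate `/bin`, `/sbin` or `/lib*` tree would no longer be scanned for SUID/SGID binaries. Either keep the legacy entries alongside the new ones until a `usr-is-merged` dependency guarantees the layout (debian/control is not part of this patch), or record the assumption next to the list with `## Paths assume merged-/usr: /bin, /sbin and /lib* are symlinks into /usr.`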
@@ -93,25 +93,25 @@ ## ## Remove all SUID/SGID binaries/libraries. -/bin/ nosuid +/usr/bin/ nosuid /usr/local/bin/ nosuid /usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/sbin/ nosuid +/usr/sbin/ nosuid /usr/local/sbin/ nosuid /usr/sbin/ nosuid /usr/local/usr/sbin/ nosuid -/lib/ nosuid +/usr/lib/ nosuid /usr/local/lib/ nosuid -/lib32/ nosuid +/usr/lib32/ nosuid /usr/local/lib32/ nosuid -/lib64/ nosuid +/usr/lib64/ nosuid /usr/local/lib64/ nosuid /usr/lib/ nosuid @@ -134,7 +134,7 @@ ## Ping doesn't work with Tor anyway so its capabilities are removed to ## reduce attack surface. ## anon-apps-config does this. -#/bin/ping 0744 root root none +#/usr/bin/ping 0744 root root none ## TODO: research #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc similarity index 100% rename from bin/disabled-bluetooth-by-security-misc rename to usr/bin/disabled-bluetooth-by-security-misc diff --git a/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc similarity index 100% rename from bin/disabled-cdrom-by-security-misc rename to usr/bin/disabled-cdrom-by-security-misc diff --git a/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc similarity index 100% rename from bin/disabled-filesys-by-security-misc rename to usr/bin/disabled-filesys-by-security-misc diff --git a/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc similarity index 100% rename from bin/disabled-firewire-by-security-misc rename to usr/bin/disabled-firewire-by-security-misc diff --git a/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc similarity index 100% rename from bin/disabled-intelme-by-security-misc rename to usr/bin/disabled-intelme-by-security-misc 
diff --git a/bin/disabled-msr-by-security-misc b/usr/bin/disabled-msr-by-security-misc similarity index 100% rename from bin/disabled-msr-by-security-misc rename to usr/bin/disabled-msr-by-security-misc diff --git a/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc similarity index 100% rename from bin/disabled-netfilesys-by-security-misc rename to usr/bin/disabled-netfilesys-by-security-misc diff --git a/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc similarity index 100% rename from bin/disabled-network-by-security-misc rename to usr/bin/disabled-network-by-security-misc diff --git a/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc similarity index 100% rename from bin/disabled-thunderbolt-by-security-misc rename to usr/bin/disabled-thunderbolt-by-security-misc diff --git a/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc similarity index 100% rename from bin/disabled-vivid-by-security-misc rename to usr/bin/disabled-vivid-by-security-misc diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 4831581..2e5df3d 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() { # shellcheck disable=SC2086 echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) 
diff --git a/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf similarity index 100% rename from lib/systemd/coredump.conf.d/30_security-misc.conf rename to usr/lib/systemd/coredump.conf.d/30_security-misc.conf diff --git a/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset similarity index 100% rename from lib/systemd/system-preset/50-security-misc.preset rename to usr/lib/systemd/system-preset/50-security-misc.preset diff --git a/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service similarity index 100% rename from lib/systemd/system/harden-module-loading.service rename to usr/lib/systemd/system/harden-module-loading.service diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf similarity index 100% rename from lib/systemd/system/haveged.service.d/30_security-misc.conf rename to usr/lib/systemd/system/haveged.service.d/30_security-misc.conf diff --git a/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service similarity index 100% rename from lib/systemd/system/hide-hardware-info.service rename to usr/lib/systemd/system/hide-hardware-info.service diff --git a/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service similarity index 100% rename from lib/systemd/system/permission-hardener.service rename to usr/lib/systemd/system/permission-hardener.service diff --git a/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service similarity index 100% rename from lib/systemd/system/proc-hidepid.service rename to usr/lib/systemd/system/proc-hidepid.service 
diff --git a/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service similarity index 100% rename from lib/systemd/system/remount-secure.service rename to usr/lib/systemd/system/remount-secure.service diff --git a/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service similarity index 100% rename from lib/systemd/system/remove-system-map.service rename to usr/lib/systemd/system/remove-system-map.service diff --git a/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target similarity index 100% rename from lib/systemd/system/sysinit-post.target rename to usr/lib/systemd/system/sysinit-post.target diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf similarity index 100% rename from lib/systemd/system/user@.service.d/sysfs.conf rename to usr/lib/systemd/system/user@.service.d/sysfs.conf diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index 1336b2c..c94e65e 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -15,7 +15,7 @@ ## /etc/sysctl.d/30-lkrg-virtualbox.conf ## by package security-misc, files: ## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf +## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 
@@ -24,7 +24,7 @@ ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## /etc/sysctl.d/30-lkrg-dkms.conf -## /lib/systemd/system/lkrg.service +## /usr/lib/systemd/system/lkrg.service ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 From 011e55e3e52485ccd728b4bb249efbc816f38806 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:45:17 -0500 Subject: [PATCH 1087/1650] remove duplicates after usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- etc/permission-hardener.d/30_default.conf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index f1ec473..5db32b2 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -37,13 +37,11 @@ ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su #/usr/bin/su exactwhitelist -#/usr/bin/su exactwhitelist ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist -#/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### # SUID whitelist matches in any section of the path: matchwhitelist @@ -93,25 +91,20 @@ ## ## Remove all SUID/SGID binaries/libraries. -/usr/bin/ nosuid /usr/local/bin/ nosuid /usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/usr/sbin/ nosuid /usr/local/sbin/ nosuid /usr/sbin/ nosuid /usr/local/usr/sbin/ nosuid -/usr/lib/ nosuid /usr/local/lib/ nosuid -/usr/lib32/ nosuid /usr/local/lib32/ nosuid -/usr/lib64/ nosuid /usr/local/lib64/ nosuid /usr/lib/ nosuid From 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:49:05 -0500 Subject: [PATCH 1088/1650] `sort -d` https://github.com/Kicksecure/security-misc/issues/190 --- etc/permission-hardener.d/30_default.conf | 41 +++++++++-------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index 5db32b2..d35ee5a 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -91,34 +91,23 @@ ## ## Remove all SUID/SGID binaries/libraries. -/usr/local/bin/ nosuid - -/usr/bin/ nosuid -/usr/local/usr/bin/ nosuid - -/usr/local/sbin/ nosuid - -/usr/sbin/ nosuid -/usr/local/usr/sbin/ nosuid - -/usr/local/lib/ nosuid - -/usr/local/lib32/ nosuid - -/usr/local/lib64/ nosuid - -/usr/lib/ nosuid -/usr/local/usr/lib/ nosuid - -/usr/lib32/ nosuid -/usr/local/usr/lib32/ nosuid - -/usr/lib64/ nosuid -/usr/local/usr/lib64/ nosuid - -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 /opt/ nosuid +/usr/bin/ nosuid +/usr/lib32/ nosuid +/usr/lib64/ nosuid +/usr/lib/ nosuid +/usr/local/bin/ nosuid +/usr/local/lib32/ nosuid +/usr/local/lib64/ nosuid +/usr/local/lib/ nosuid /usr/local/opt/ nosuid +/usr/local/sbin/ nosuid +/usr/local/usr/bin/ nosuid +/usr/local/usr/lib32/ nosuid +/usr/local/usr/lib64/ nosuid +/usr/local/usr/lib/ nosuid +/usr/local/usr/sbin/ nosuid +/usr/sbin/ nosuid ###################################################################### # Capability Removal From 5a6cd4c2abd243c91575e9477a921aa290c68ba5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:51:30 -0500 Subject: [PATCH 1089/1650] remove now empty /bin from copying since it is empty after usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- debian/security-misc.install | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/security-misc.install b/debian/security-misc.install index ea6d791..9cea19c 100644 
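Review bot: The reorder drops the only rationale comment in this list, `## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68`, which explained why `/opt/ nosuid` is included; since `/opt/` now heads the list, the comment can simply be restored directly above it. Because the order is now mechanical, a one-line hint such as `## Keep sorted with 'sort -d'.` at the top of the block would stop the next addition from drifting out of order. If the hardener gives later entries precedence for overlapping paths (its parser is not in this patch), it is worth confirming that the new order does not change which entry wins.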
--- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -3,7 +3,6 @@ ## This file was generated using 'genmkfile debinstfile'. -bin/* etc/* usr/* var/* From 3048e0ac76e4eba1c53b43ba2424157505578cdd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:54:07 -0500 Subject: [PATCH 1090/1650] usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- usr/share/lintian/overrides/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 7d34486..69081ee 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -14,4 +14,4 @@ security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placehol security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] ## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. -security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [lib/systemd/system/remount-secure.service] +security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] From 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:59:36 -0500 Subject: [PATCH 1091/1650] minor RPM updates https://github.com/Kicksecure/security-misc/issues/160 --- rpm_spec/security-misc.spec.in | 47 ++-------------------------------- 1 file changed, 2 insertions(+), 45 deletions(-) diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index 289cd42..e922b76 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in 
@@ -4,7 +4,7 @@ Release: 1%{?dist} Summary: enhances misc security settings License: AGPL-3+ -URL: https://github.com/Whonix/security-misc +URL: https://github.com/Kicksecure/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
@@ -13,50 +13,7 @@ Requires: make BuildArch: noarch %description -The following settings are changed: - -deactivates previews in Dolphin; -deactivates previews in Nautilus; -deactivates thumbnails in Thunar; -deactivates TCP timestamps; -deactivates Netfilter's connection tracking helper; - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - -* "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) 
- -Hence, this package disables this feature by shipping the -/etc/sysctl.d/nf_conntrack_helper.conf configuration file. +See README. %prep %setup -q From 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 14:03:09 -0500 Subject: [PATCH 1092/1650] use wildcards instead of outdated, incomplete list https://github.com/Kicksecure/security-misc/issues/160 --- rpm_spec/security-misc.spec.in | 44 +++------------------------------- 1 file changed, 3 insertions(+), 41 deletions(-) diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index e922b76..b42625e 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in 
@@ -29,47 +29,9 @@ make %{?_smp_mflags}
 %files
 %license debian/copyright
-/etc/X11/Xsession.d/50panic_on_oops
-/etc/X11/Xsession.d/50security-misc
-/etc/apparmor.d/tunables/home.d/security-misc
-/etc/apt/apt.conf.d/40sandbox
-/etc/default/grub.d/40_enable_iommu.cfg
-/etc/default/grub.d/40_kernel_hardening.cfg
-/etc/login.defs.security-misc
-/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
-/etc/modprobe.d/blacklist-dma.conf
-/etc/modprobe.d/uncommon-network-protocols.conf
-/etc/securetty.security-misc
-/etc/security/limits.d/disable-coredumps.conf
-/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-/etc/sudoers.d/security-misc
-/etc/sysctl.d/coredumps.conf
-/etc/sysctl.d/dmesg_restrict.conf
-/etc/sysctl.d/fs_protected.conf
-/etc/sysctl.d/harden_bpf.conf
-/etc/sysctl.d/kexec.conf
-/etc/sysctl.d/kptr_restrict.conf
-/etc/sysctl.d/mmap_aslr.conf
-/etc/sysctl.d/ptrace_scope.conf
-/etc/sysctl.d/suid_dumpable.conf
-/etc/sysctl.d/sysrq.conf
-/etc/sysctl.d/tcp_hardening.conf
-/etc/sysctl.d/tcp_sack.conf
-/etc/sysctl.d/tcp_timestamps.conf
-/etc/systemd/system/emergency.service.d/override.conf
-/etc/systemd/system/rescue.service.d/override.conf
-/lib/systemd/coredump.conf.d/disable-coredumps.conf
-/lib/systemd/system/proc-hidepid.service
-/lib/systemd/system/remove-system-map.service
-/usr/libexec/security-misc/apt-get-update
-/usr/libexec/security-misc/apt-get-update-sanity-test
-/usr/libexec/security-misc/panic-on-oops
-/usr/libexec/security-misc/remove-system.map
-/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
-/usr/share/lintian/overrides/security-misc
-/usr/share/pam-configs/usergroups
-/usr/share/pam-configs/wheel
-/usr/share/security-misc/dolphinrc
+/etc/*
+/lib/*
+/usr/*
 %changelog
 @CHANGELOG@
From f0e2a82b558f64611f037424c6f8f12de32737f6 Mon Sep 17 00:00:00 2001
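Review bot: The new `%files` globs package `/etc/*` without `%config(noreplace)`, so an `rpm -U` of a later version overwrites locally edited sysctl, modprobe and grub.d hardening files instead of leaving them in place and dropping a `.rpmnew`; `%config(noreplace) /etc/*` is the usual form for shipped configuration. `/lib/*` also looks stale here: the neighbouring usrmerge commits moved the shipped systemd units to `usr/lib/...`, and on a usrmerged RPM distribution `/lib` is a symlink into `/usr/lib`, so the glob either matches nothing (rpmbuild fails on an unmatched `%files` entry) or double-packages files already covered by `/usr/*`. Worth a test build before relying on the wildcard list.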
From: Patrick Schleizer Date: Wed, 17 Jan 2024 19:18:25 +0000 Subject: [PATCH 1093/1650] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 316c98d..cd78b32 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 +Author: Patrick Schleizer +Date: Wed Jan 17 14:03:09 2024 -0500 + + use wildcards + + instead of outdated, incomplete list + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 +Author: Patrick Schleizer +Date: Wed Jan 17 13:59:36 2024 -0500 + + minor RPM updates + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 3048e0ac76e4eba1c53b43ba2424157505578cdd +Author: Patrick Schleizer +Date: Wed Jan 17 13:54:07 2024 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 +Author: Patrick Schleizer +Date: Wed Jan 17 13:51:30 2024 -0500 + + remove now empty /bin from copying since it is empty after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d +Author: Patrick Schleizer +Date: Wed Jan 17 13:49:05 2024 -0500 + + `sort -d` + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 011e55e3e52485ccd728b4bb249efbc816f38806 +Author: Patrick Schleizer +Date: Wed Jan 17 13:45:17 2024 -0500 + + remove duplicates after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 +Author: Patrick Schleizer +Date: Wed Jan 17 13:39:56 2024 -0500 + + usrmerge + + fixes https://github.com/Kicksecure/security-misc/issues/190 + +commit 18a06935e0cca3dc090643aad406d861e4583085 +Author: Patrick Schleizer +Date: Wed Jan 17 13:23:20 2024 -0500 + + run permission hardener when new packages are install files to /usr or /opt + + (basically anywhere) + + fixes https://github.com/Kicksecure/security-misc/issues/189 + +commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 +Author: Patrick Schleizer +Date: Tue Jan 16 14:26:34 2024 +0000 + + bumped changelog version + commit 0d78ecaee37536379ad2f230f45904f57425cb19 Author: Patrick Schleizer Date: Tue Jan 16 
09:26:21 2024 -0500 diff --git a/debian/changelog b/debian/changelog index cbf6a0b..fd07f91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 + security-misc (3:35.4-1) unstable; urgency=medium * New upstream version (local package). From 1855fa08b1386b1ea8697767104e7ad0f1521c9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jan 2024 08:54:39 -0500 Subject: [PATCH 1094/1650] readme --- README_generic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_generic.md b/README_generic.md index e5c0e76..787af72 100644 --- a/README_generic.md +++ b/README_generic.md @@ -1,8 +1,8 @@ # Enhances Miscellaneous Security Settings # -https://github.com/Whonix/security-misc/blob/master/README.md +https://github.com/Kicksecure/security-misc/blob/master/README.md -https://www.whonix.org/wiki/Security-misc +https://www.kicksecure.com/wiki/Security-misc Discussion: From 64e41b113cae893d1f27f441f99340389ba8b9b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jan 2024 14:10:51 +0000 Subject: [PATCH 1095/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd78b32..8d8e04a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c +Author: Patrick Schleizer +Date: Thu Jan 18 08:54:39 2024 -0500 + + readme + +commit f0e2a82b558f64611f037424c6f8f12de32737f6 +Author: Patrick Schleizer +Date: Wed Jan 17 19:18:25 2024 +0000 + + bumped changelog version + commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 Author: Patrick Schleizer Date: Wed Jan 17 14:03:09 2024 -0500 diff --git a/debian/changelog b/debian/changelog index fd07f91..eb6d894 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 + security-misc (3:35.5-1) unstable; urgency=medium * New upstream version (local package). From 185bfe749787a8c6e93103ae8c6b0751a169e276 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2024 06:54:36 -0500 Subject: [PATCH 1096/1650] use `interest-noawait` instead of `interest-await` fixes https://github.com/Kicksecure/security-misc/issues/196 --- debian/security-misc.triggers | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index bcfd1c5..f425076 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,5 +1,6 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -interest-await /usr -interest-await /opt +## https://github.com/Kicksecure/security-misc/issues/196 +interest-noawait /usr +interest-noawait /opt From 8037ce52f96dcc6f8007c1567daf38ff013352d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2024 13:59:29 +0000 Subject: [PATCH 1097/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8d8e04a..5f202ec 100644 --- a/changelog.upstream +++ b/changelog.upstream 
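Review bot: The file now records only *that* `interest-noawait` is used, not what it trades away; a comment next to the two directives would save the next reader a trip to the issue, e.g. `## noawait: packages writing to /usr or /opt are configured without waiting for permission-hardener; a failed hardening run therefore shows up only in security-misc's own dpkg status, not in the triggering package's.` As I read dpkg's trigger semantics, with either variant the triggering package's own postinst runs before the trigger is processed, so a freshly unpacked setuid binary is live until the trigger fires later in the dpkg run; noawait does not widen that window, but it does drop the awaited state that previously flagged the triggering package while hardening was pending. Saying explicitly that this is the accepted trade-off is the point.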
@@ -1,3 +1,17 @@ +commit 185bfe749787a8c6e93103ae8c6b0751a169e276 +Author: Patrick Schleizer +Date: Thu Jan 25 06:54:36 2024 -0500 + + use `interest-noawait` instead of `interest-await` + + fixes https://github.com/Kicksecure/security-misc/issues/196 + +commit 64e41b113cae893d1f27f441f99340389ba8b9b3 +Author: Patrick Schleizer +Date: Thu Jan 18 14:10:51 2024 +0000 + + bumped changelog version + commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c Author: Patrick Schleizer Date: Thu Jan 18 08:54:39 2024 -0500 diff --git a/debian/changelog b/debian/changelog index eb6d894..9d49344 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 + security-misc (3:35.6-1) unstable; urgency=medium * New upstream version (local package). From 4231155efa0970d2456b67cc89c8828b0766cf7f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:57:48 +0000 Subject: [PATCH 1098/1650] Add reference for kernel parameters --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1351206..e92d7cc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -4,6 +4,7 @@ ## Enables all known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Enable mitigations for Spectre variant 2 (indirect branch speculation). From 4509a5fc95204080f2855849d22c7e05393455d9 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Mon, 29 Jan 2024 12:58:14 +0000 Subject: [PATCH 1099/1650] Enable known mitigations for CPU vulnerabilities and disable SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e92d7cc..8bcf7c2 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -7,6 +7,9 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 +## Enable known mitigations for CPU vulnerabilities and disable SMT. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" + ## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html From 6c54e35027e86ec045102cd1d95f84aa30bc55c9 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:58:51 +0000 Subject: [PATCH 1100/1650] Enable mitigations for RETBleed vulnerability and disable SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 8bcf7c2..e90579c 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -63,3 +63,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" + +## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with +## Return Instructions) vulnerability and disable SMT. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" 
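Review bot: The comment `## Enable known mitigations for CPU vulnerabilities and disable SMT.` overstates what `mitigations=auto,nosmt` does: per the kernel-parameters page linked just above it, the `nosmt` suffix disables SMT only when a selected mitigation needs it on the running CPU (the L1TF/MDS family), not unconditionally, which is the separate `nosmt` parameter. Suggest `## Enable all known mitigations for CPU vulnerabilities; 'nosmt' here turns SMT off only on CPUs where a mitigation requires it (unconditional SMT-off is the separate 'nosmt' parameter).` A sentence on the cost — on an affected host this halves the available logical CPUs — would complete the rationale for a file that other people copy settings from.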
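Review bot: The new RETBleed block leaves an empty `##` line where every other block in this file carries its reference; `retbleed=` has no dedicated hw-vuln page, so `## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html` (the `retbleed=` entry) is the link to put there. As that entry documents, `auto,nosmt` disables SMT only if the mitigation the kernel selects needs it, so the comment's `and disable SMT` deserves the same qualification as the `mitigations=` line earlier in the file.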
From 139b10a9aad85018f87bdc4bb227e938f7955235 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:59:13 +0000 Subject: [PATCH 1101/1650] Control RAS overflow mitigation on AMD Zen CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e90579c..7c55707 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -68,3 +68,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Return Instructions) vulnerability and disable SMT. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" + +## Control RAS overflow mitigation on AMD Zen CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" From b16c99ab62a902b1f61b9d4fe63273cd614e757c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 13:39:40 +0000 Subject: [PATCH 1102/1650] Remove hardcoded `spec_rstack_overflow` setting --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7c55707..9bd9fc5 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -70,6 +70,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. +## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' +## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" + 
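Review bot: The comment that now stands in for the removed line has a grammar slip and does not say that nothing is set: `## This default will used until provided sufficient evidence to modify.` reads better as `## Intentionally not set: the kernel default 'spec_rstack_overflow=safe-ret' applies until there is sufficient evidence to change it.` The trailing added blank line after the bare `##` leaves an orphaned comment header that looks like a setting went missing; ending the block at the reference URL makes the intent obvious.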
From ad9d913902d7e696f1114da74d84f9cdcb22bc25 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 3 Feb 2024 18:28:27 +0000 Subject: [PATCH 1103/1650] bumped changelog version --- changelog.upstream | 52 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 58 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5f202ec..96f74e9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,55 @@ +commit 02090da08cfd411314ffeeb6df95f73c701f06c6 +Merge: 8037ce5 ba13657 +Author: Patrick Schleizer +Date: Sat Feb 3 12:51:07 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 +Merge: 8037ce5 b16c99a +Author: Patrick Schleizer +Date: Sat Feb 3 12:50:28 2024 -0500 + + Merge pull request #197 from raja-grewal/mitigations + + Additional Explicit CPU Mitigations + +commit b16c99ab62a902b1f61b9d4fe63273cd614e757c +Author: raja-grewal +Date: Mon Jan 29 13:39:40 2024 +0000 + + Remove hardcoded `spec_rstack_overflow` setting + +commit 139b10a9aad85018f87bdc4bb227e938f7955235 +Author: raja-grewal +Date: Mon Jan 29 12:59:13 2024 +0000 + + Control RAS overflow mitigation on AMD Zen CPUs + +commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 +Author: raja-grewal +Date: Mon Jan 29 12:58:51 2024 +0000 + + Enable mitigations for RETBleed vulnerability and disable SMT + +commit 4509a5fc95204080f2855849d22c7e05393455d9 +Author: raja-grewal +Date: Mon Jan 29 12:58:14 2024 +0000 + + Enable known mitigations for CPU vulnerabilities and disable SMT + +commit 4231155efa0970d2456b67cc89c8828b0766cf7f +Author: raja-grewal +Date: Mon Jan 29 12:57:48 2024 +0000 + + Add reference for kernel parameters + +commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 +Author: Patrick Schleizer +Date: Thu Jan 25 13:59:29 2024 +0000 + + bumped changelog version + commit 185bfe749787a8c6e93103ae8c6b0751a169e276 Author: Patrick Schleizer Date: Thu Jan 25 06:54:36 2024 -0500 
diff --git a/debian/changelog b/debian/changelog index 9d49344..1b722e7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 + security-misc (3:35.7-1) unstable; urgency=medium * New upstream version (local package). From 38783faf60b85c4e855bf78c87e1c07765776b50 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 05:58:53 -0500 Subject: [PATCH 1104/1650] add more bind mounts of mount options hardening as suggested in https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 76 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0a0c38e..65541d6 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -208,6 +208,13 @@ _boot() { remount_secure } +_boot_efi() { + ## TODO: new, test + mount_folder="$NEWROOT/boot/efi" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html @@ -229,6 +236,13 @@ _dev_shm() { remount_secure } +_sys() { + ## TODO: new, test + mount_folder="/sys" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + _tmp() { mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" 
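Review bot: `_sys` uses the bare path `mount_folder="/sys"` while the sibling `_boot_efi` and the other new targets use `$NEWROOT/...`; `_run` in the surrounding context also uses a bare `/run`, so this is presumably deliberate for kernel-provided mounts, but the file does not say so. A one-line comment on `_sys` such as `## Not prefixed with $NEWROOT: sysfs is mounted by the kernel/initramfs and moved into the new root as a whole.` would keep the next maintainer from "fixing" it — please confirm that is the actual reason. Both functions are still marked `## TODO: new, test`, which is fine, but the remount of an ESP that fstab already mounts with its own options is the one I would verify first since it is the only vfat target in the list.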
@@ -255,12 +269,63 @@ _var() { remount_secure } +_usr() { + ## TODO: new, test + mount_folder="$NEWROOT/usr" + intended_mount_options="nodev" + remount_secure +} + _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${home_noexec_maybe}" remount_secure } +_root() { + ## TODO: new, test + mount_folder="$NEWROOT/root" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_srv() { + ## TODO: new, test + mount_folder="$NEWROOT/srv" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_media() { + ## TODO: new, test + mount_folder="$NEWROOT/media" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_mnt() { + ## TODO: new, test + mount_folder="$NEWROOT/mnt" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_opt() { + ## TODO: new, test + mount_folder="$NEWROOT/opt" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_etc() { + ## TODO: new, test + ## /etc cannot be noexec because various executables are there. To find, run: + ## sudo find /etc -executable + mount_folder="$NEWROOT/etc" + intended_mount_options="nosuid,nodev" + remount_secure +} + end() { ## Debugging. #$output_command "INFO: 'findmnt --list' output at the END." @@ -277,6 +342,7 @@ main() { preparation _boot + _boot_efi _run _dev _dev_shm @@ -284,9 +350,19 @@ main() { _var_tmp _var_log _var + _usr _home + _root + _srv + _media + _mnt + _opt + _etc end } +## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service +#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc + main "$@" From 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e Mon Sep 17 00:00:00 2001 
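Review bot: `_media` and `_mnt` harden the directory, not what later gets mounted inside it: `remount_secure` bind-mounts the folder onto itself with the chosen flags, and a removable device mounted afterwards at `/media/<user>/<label>` or under `/mnt` is a separate mount whose options are set by whoever mounts it (udisks2, fstab, a manual `mount`), so the flags on /media itself do not apply to that content. A comment on both functions would prevent a false sense of coverage, e.g. `## Only hardens the /media directory itself; filesystems mounted below it later carry their own options.` Likewise `_usr` drops `nosuid` (`intended_mount_options="nodev"`) with no explanation — presumably because setuid binaries such as sudo live under /usr/bin — and deserves the same kind of note that `_etc` already has.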
From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:01:00 -0500 Subject: [PATCH 1105/1650] fix home_noexec_maybe -> most_noexec_maybe https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 65541d6..92a68cb 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -292,21 +292,21 @@ _root() { _srv() { ## TODO: new, test mount_folder="$NEWROOT/srv" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _media() { ## TODO: new, test mount_folder="$NEWROOT/media" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _mnt() { ## TODO: new, test mount_folder="$NEWROOT/mnt" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } From 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:02:28 -0500 Subject: [PATCH 1106/1650] allow /opt exec as usually optional binaries are placed there such as firefox https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 92a68cb..8927566 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -313,7 +313,7 @@ _mnt() { _opt() { ## TODO: new, test mount_folder="$NEWROOT/opt" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev" remount_secure } From c0f98b05b609c7c8ac6f86e123af9e0642d82697 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:03:59 -0500 Subject: [PATCH 1107/1650] comment https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 8927566..233287c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -313,6 +313,8 @@ _mnt() { _opt() { ## TODO: new, test mount_folder="$NEWROOT/opt" + ## Allow /opt exec as usually optional binaries are placed there such as Firefox + ## when manually installed from tarball. intended_mount_options="nosuid,nodev" remount_secure } From 44a15cd97da3066e39d2d7df1f456e703036a6e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:13:56 -0500 Subject: [PATCH 1108/1650] mount --make-private https://github.com/Kicksecure/security-misc/issues/172 --- usr/bin/remount-secure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 233287c..38c3e2c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -187,12 +187,12 @@ remount_secure() { if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." - $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" - mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" + mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." - $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true From 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:14:52 -0500 Subject: [PATCH 1109/1650] output --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 38c3e2c..7b2c133 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -196,7 +196,7 @@ remount_secure() { fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: $new_mount_options" + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" touch "$status_file_full_path" } 
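Review bot: `--make-private` is now applied to every target, including `/run`, `/sys` and already-mounted filesystems such as `/home`, but the only rationale is the issue number in the commit message; nothing in the code says what propagation problem it solves. Making `/run` private is the part I would confirm: systemd's mount tree is shared by default, and mounts created under /run after this point (e.g. /run/user/<uid>) will no longer propagate into mount namespaces that cloned the tree earlier, which may be intended but should be written down next to the call, e.g. `## --make-private: stop this bind/remount from propagating to peer mounts of the shared root tree (issue 172).` If the combined `--make-private ... remount` form ever misbehaves on an older util-linux, a separate `mount --make-private "$mount_folder"` step with its own exit-code check would also be easier to log.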
From f7831db197b2fff33b66eeb44efd749e482315e0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:17:41 -0500 Subject: [PATCH 1110/1650] do not exit non-zero if folder does not exist --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 7b2c133..1446ac8 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -179,8 +179,8 @@ remount_secure() { fi if ! test -d "$mount_folder" ; then + ## For example /boot/efi does not always exist on all systems. $output_command "INFO: '$mount_folder' folder exists: no" - exit_code=102 return 0 fi $output_command "INFO: '$mount_folder' folder exists: yes" From 6d7cf3c12a8a772fee1cd893d5504767690b3b77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:49:48 -0500 Subject: [PATCH 1111/1650] output --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 1446ac8..d30d146 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -333,6 +333,7 @@ end() { #$output_command "INFO: 'findmnt --list' output at the END." #$output_command "$(findmnt --list)" + $output_command "" $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code From d148a769b7106831c0b27a7ad63d91ab42257678 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:50:05 +0000 Subject: [PATCH 1112/1650] bumped changelog version --- changelog.upstream | 64 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 70 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 96f74e9..8c91668 100644 --- a/changelog.upstream +++ b/changelog.upstream 
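Review bot: Dropping `exit_code=102` makes a missing target silent, which is right for an absent `/boot/efi`, but `test -d` is also false when the path exists as a regular file or a dangling symlink, and that misconfiguration is now reported as INFO with exit 0. Distinguish the two before the existing check: `if test -e "$mount_folder" && ! test -d "$mount_folder"; then $output_command "ERROR: '$mount_folder' exists but is not a directory"; exit_code=102; return 0; fi`. `remount_secure` starts before this hunk.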
@@ -1,3 +1,67 @@ +commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 +Author: Patrick Schleizer +Date: Thu Feb 22 09:49:48 2024 -0500 + + output + +commit f7831db197b2fff33b66eeb44efd749e482315e0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:17:41 2024 -0500 + + do not exit non-zero if folder does not exist + +commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:14:52 2024 -0500 + + output + +commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:13:56 2024 -0500 + + mount --make-private + + https://github.com/Kicksecure/security-misc/issues/172 + +commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 +Author: Patrick Schleizer +Date: Thu Feb 22 06:03:59 2024 -0500 + + comment + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd +Author: Patrick Schleizer +Date: Thu Feb 22 06:02:28 2024 -0500 + + allow /opt exec as usually optional binaries are placed there such as firefox + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e +Author: Patrick Schleizer +Date: Thu Feb 22 06:01:00 2024 -0500 + + fix home_noexec_maybe -> most_noexec_maybe + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 38783faf60b85c4e855bf78c87e1c07765776b50 +Author: Patrick Schleizer +Date: Thu Feb 22 05:58:53 2024 -0500 + + add more bind mounts of mount options hardening + + as suggested in https://github.com/Kicksecure/security-misc/pull/202 + +commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 +Author: Patrick Schleizer +Date: Sat Feb 3 18:28:27 2024 +0000 + + bumped changelog version + commit 02090da08cfd411314ffeeb6df95f73c701f06c6 Merge: 8037ce5 ba13657 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1b722e7..40e0bab 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 + security-misc (3:35.8-1) unstable; urgency=medium * New upstream version (local package). From c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:52:36 -0500 Subject: [PATCH 1113/1650] fix systemd unit ExecStart --- usr/lib/systemd/system/remount-secure.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index b801fe2..575f05e 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -24,7 +24,7 @@ Requires=sysinit.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=remount-secure +ExecStart=remount-secure 3 [Install] WantedBy=sysinit-post.target From eb3e0b9292f71a5dba312500508f893779fb1b9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:52:55 +0000 Subject: [PATCH 1114/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c91668..32cfe10 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:52:36 2024 -0500 + + fix systemd unit ExecStart + +commit d148a769b7106831c0b27a7ad63d91ab42257678 +Author: Patrick Schleizer +Date: Thu Feb 22 14:50:05 2024 +0000 + + bumped changelog version + commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 Author: Patrick Schleizer Date: Thu Feb 22 09:49:48 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 40e0bab..324018a 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:36.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 + security-misc (3:35.9-1) unstable; urgency=medium * New upstream version (local package). From 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 11:07:01 -0500 Subject: [PATCH 1115/1650] ConditionKernelCommandLine=!remountsecure=0 --- usr/lib/systemd/system/remount-secure.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 575f05e..8797b9c 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -5,6 +5,8 @@ Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) Documentation=https://github.com/Kicksecure/security-misc +ConditionKernelCommandLine=!remountsecure=0 + DefaultDependencies=no Before=sysinit-post.target From 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 16:07:16 +0000 Subject: [PATCH 1116/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 32cfe10..ce54959 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 +Author: Patrick Schleizer +Date: Thu Feb 22 11:07:01 2024 -0500 + + ConditionKernelCommandLine=!remountsecure=0 + +commit eb3e0b9292f71a5dba312500508f893779fb1b9c +Author: Patrick Schleizer +Date: Thu Feb 22 14:52:55 2024 +0000 + + bumped changelog version + commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 Author: Patrick Schleizer Date: Thu Feb 22 09:52:36 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 324018a..57d4a88 100644 
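Review bot: the new `ConditionKernelCommandLine=!remountsecure=0` is a kill switch for the whole remount hardening and nothing in the unit explains it; the Description only mentions the noexec opt-in. A one-line comment above it, e.g. `## Boot with 'remountsecure=0' on the kernel command line to skip this unit; /home /tmp /dev/shm /run then keep their original mount options.`, documents the opt-out where an operator will look for it. Note that panic-on-oops.service in PATCH 1131 spells its parameter `panic-on-oops=0` while this one is `remountsecure=0`; a consistent naming scheme for these opt-out parameters would make them easier to discover and to audit on a running system.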
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:36.1-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000
+
 security-misc (3:36.0-1) unstable; urgency=medium
 * New upstream version (local package).
From 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Wed, 21 Feb 2024 20:37:34 +0100 Subject: [PATCH 1117/1650] Allow access to /sys/fs for polkit --- usr/libexec/security-misc/hide-hardware-info | 29 ++++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index b55441f..4ed2aca 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -80,6 +80,23 @@ do
 fi
 done
+## restrict permissions on everything but
+## what is needed
+for i in /sys/* /sys/fs/*
+do
+ ## Using '|| true':
+ ## https://github.com/Kicksecure/security-misc/pull/108
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}" || true
+ else
+ chmod og-rwx "${i}" || true
+ fi
+done
+
+## polkit needs stat access to /sys/fs/cgroup
+## to function properly
+chmod o+rx /sys /sys/fs
 ## on SELinux systems, at least /sys/fs/selinux
 ## must be visible to unprivileged users, else
 ## SELinux userspace utilities will not function
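Review bot: `chmod o+rx /sys /sys/fs` grants more than the comment says is needed: a stat() on /sys/fs/cgroup only requires search (x) permission on the parent directories, so `chmod o+x /sys /sys/fs` would let polkit work while keeping the directory listings hidden, whereas adding read (r) lets every user enumerate the sysfs subsystems and mounted filesystems that the preceding loop just restricted. Before this patch the same loosening ran only under `selinux=1` and was announced as "Restrictions loosened slightly"; it is now unconditional and silent, so the comment should at least say so, e.g. `## polkit needs search (x) access through /sys and /sys/fs to stat /sys/fs/cgroup; this re-opens /sys for all users`. The line also lacks the `|| true` the loop uses, so under the script's `set -e` (visible in later hunk headers) an unexpected chmod failure aborts after the restrictive chmods and before the SELinux handling below.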
@@ -88,18 +105,6 @@ if [ -d /sys/fs/selinux ]; then
 echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:"
 echo "https://www.kicksecure.com/wiki/Security-misc#selinux"
 if [ "${selinux}" = "1" ]; then
- ## restrict permissions on everything but
- ## what is needed
- for i in /sys/* /sys/fs/*
- do
- ## Using '|| true':
- ## https://github.com/Kicksecure/security-misc/pull/108
- if [ "${sysfs_whitelist}" = "1" ]; then
- chmod o-rwx "${i}" || true
- else
- chmod og-rwx "${i}" || true
- fi
- done
 chmod o+rx /sys /sys/fs /sys/fs/selinux
 echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
 else
From ef44ecea44ee516b1ba92175eb78b2e8143c4502 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Thu, 22 Feb 2024 16:51:23 +0100 Subject: [PATCH 1118/1650] Add option to disabe /sys hardening --- etc/hide-hardware-info.d/30_default.conf | 3 + usr/libexec/security-misc/hide-hardware-info | 73 +++++++++++--------- 2 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf
index df6952e..ffda4de 100644
--- a/etc/hide-hardware-info.d/30_default.conf
+++ b/etc/hide-hardware-info.d/30_default.conf
@@ -7,6 +7,9 @@
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
+## Disable /sys hardening.
+#sysfs=0
+
 ## Disable selinux mode.
 ## https://www.whonix.org/wiki/Security-misc#selinux
 #selinux=0
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 4ed2aca..810433b 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -8,6 +8,8 @@ set -e
 sysfs_whitelist=1
 cpuinfo_whitelist=1
+sysfs=1
+
 ## https://www.whonix.org/wiki/Security-misc#selinux
 selinux=0
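Review bot: `## Disable /sys hardening.` under-describes what `sysfs=0` switches off: per the script hunks of this same patch, the whole /sys branch is skipped — the sysfs group whitelist, the fallback `chmod og-rwx /sys`, and the per-entry restriction loop — so /sys keeps the kernel's default world-readable permissions and `sysfs_whitelist` has no effect at all. Suggest `## Disable /sys hardening entirely. Also skips the sysfs whitelist; /sys stays world-readable.` so that someone toggling the option understands the exposure they are accepting.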
@@ -53,12 +55,14 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
 if [ -e "${i}" ]; then
 if [ "${i}" = "/sys" ]; then
- ## Whitelist for /sys.
- if [ "${sysfs_whitelist}" = "1" ]; then
- create_whitelist sysfs
- else
- chmod og-rwx /sys
- echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ if [ "${sysfs}" = "1" ]; then
+ ## Whitelist for /sys.
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ create_whitelist sysfs
+ else
+ chmod og-rwx /sys
+ echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ fi
 fi
 elif [ "${i}" = "/proc/cpuinfo" ]; then
 ## Whitelist for /proc/cpuinfo.
@@ -80,34 +84,37 @@ do fi done -## restrict permissions on everything but -## what is needed -for i in /sys/* /sys/fs/* -do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true - else - chmod og-rwx "${i}" || true - fi -done -## polkit needs stat access to /sys/fs/cgroup -## to function properly -chmod o+rx /sys /sys/fs +if [ "${sysfs}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* + do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + chmod o-rwx "${i}" || true + else + chmod og-rwx "${i}" || true + fi + done -## on SELinux systems, at least /sys/fs/selinux -## must be visible to unprivileged users, else -## SELinux userspace utilities will not function -## properly -if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + ## polkit needs stat access to /sys/fs/cgroup + ## to function properly + chmod o+rx /sys /sys/fs + + ## on SELinux systems, at least /sys/fs/selinux + ## must be visible to unprivileged users, else + ## SELinux userspace utilities will not function + ## properly + if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" + if [ "${selinux}" = "1" ]; then + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. 
Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi fi fi From c3dd178b19be8c078ed6a2f46a072bef3d144c06 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:57:50 -0500 Subject: [PATCH 1119/1650] output --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d30d146..7723918 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -164,7 +164,7 @@ remount_secure() { $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then - $output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)" + $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" return 0 fi From a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 19:58:01 +0000 Subject: [PATCH 1120/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ce54959..fb3dcdd 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 +Author: Patrick Schleizer +Date: Thu Feb 22 14:57:50 2024 -0500 + + output + +commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 +Author: Patrick Schleizer +Date: Thu Feb 22 16:07:16 2024 +0000 + + bumped changelog version + commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 Author: Patrick Schleizer Date: Thu Feb 22 11:07:01 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 57d4a88..6600db3 100644 --- a/debian/changelog +++ b/debian/changelog 
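Review bot: the `if [ "${sysfs}" = "1" ]` guard has no `else` branch, so when /sys hardening is disabled the script silently does nothing here even though most other decisions in this file are announced with an INFO line; adding `else echo "INFO: sysfs=0, skipping /sys hardening."` keeps the log a faithful record of what was and was not applied, which is what an operator checks after boot. As a matter of style, the guard was introduced by re-indenting roughly thirty existing lines, which makes it hard to see in the diff that nothing else changed; moving the section into a function (e.g. `harden_sysfs()`) and calling it under the guard would keep both the diff and the top-level flow readable.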
@@ -1,3 +1,9 @@ +security-misc (3:36.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 + security-misc (3:36.1-1) unstable; urgency=medium * New upstream version (local package). From d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 15:07:53 -0500 Subject: [PATCH 1121/1650] comments --- usr/bin/remount-secure | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 7723918..92e3aa8 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -1,11 +1,28 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## features: +## - nodev,nosuid where appropriate +## - optional noexec for most except /home +## - optional noexec for all including /home +## - idempotent (script can be safely re-run) +## - can be run from: +## - systemd +## - dracut +## - manually from command line +## - can safely handle non-existing folders +## - error handling +## - log output: +## - shows each and every command executed +## - shows old mount options prior running remount-secure +## - shows new mount options after running remount-secure + ## noexec in /tmp and/or /home can break some malware but also legitimate ## applications. +## https://www.kicksecure.com/wiki/Noexec ## https://www.kicksecure.com/wiki/Dev/remount-secure ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 From 02d6f67741ef93d9ab39e02ac56b27c551a19dca Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 20:08:17 +0000 Subject: [PATCH 1122/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) 
diff --git a/changelog.upstream b/changelog.upstream index fb3dcdd..8d799e8 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 +Author: Patrick Schleizer +Date: Thu Feb 22 15:07:53 2024 -0500 + + comments + +commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf +Author: Patrick Schleizer +Date: Thu Feb 22 19:58:01 2024 +0000 + + bumped changelog version + commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 Author: Patrick Schleizer Date: Thu Feb 22 14:57:50 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 6600db3..83cfe4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 + security-misc (3:36.2-1) unstable; urgency=medium * New upstream version (local package). From f2958bbfa5e67ee10380a25d996826233469080a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:49:30 -0500 Subject: [PATCH 1123/1650] comment --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 810433b..2a4a56d 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -10,7 +10,7 @@ cpuinfo_whitelist=1 sysfs=1 -## https://www.whonix.org/wiki/Security-misc#selinux +## https://www.kicksecure.com/wiki/Security-misc#selinux selinux=0 shopt -s nullglob From cf84762a3a84d2be3b9510dddb32bdc433170dfa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:52:41 -0500 Subject: [PATCH 1124/1650] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 25 +++++++++++++------- 1 file changed, 17 insertions(+), 8 deletions(-) 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 2a4a56d..48bb3a2 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -5,6 +5,13 @@ set -e +run_cmd() { + echo "INFO: executing: $@" + "$@" +} + +echo "$0: INFO: START" + sysfs_whitelist=1 cpuinfo_whitelist=1 @@ -36,9 +43,9 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd chgrp -fR "${1}" "${whitelist_path}" || true - chmod o-rwx "${whitelist_path}" + run_cmd chmod o-rwx "${whitelist_path}" else echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." fi @@ -60,7 +67,7 @@ do if [ "${sysfs_whitelist}" = "1" ]; then create_whitelist sysfs else - chmod og-rwx /sys + run_cmd chmod og-rwx /sys echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." fi fi @@ -69,7 +76,7 @@ do if [ "${cpuinfo_whitelist}" = "1" ]; then create_whitelist cpuinfo else - chmod og-rwx /proc/cpuinfo + run_cmd chmod og-rwx /proc/cpuinfo echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else @@ -93,15 +100,15 @@ if [ "${sysfs}" = "1" ]; then ## Using '|| true': ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true + run_cmd chmod o-rwx "${i}" || true else - chmod og-rwx "${i}" || true + run_cmd chmod og-rwx "${i}" || true fi done ## polkit needs stat access to /sys/fs/cgroup ## to function properly - chmod o+rx /sys /sys/fs + run_cmd chmod o+rx /sys /sys/fs ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else 
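Review bot: `echo "INFO: executing: $@"` expands `$@` inside a quoted string, which joins the words with spaces and loses the argument boundaries (ShellCheck SC2145); `echo "INFO: executing: $*"` states that intent explicitly, and since this file is bash (it uses `shopt`), `printf 'INFO: executing:'; printf ' %q' "$@"; echo` prints each argument quoted so a path containing spaces is not ambiguous. Because `run_cmd` is now the wrapper for every privileged chmod/chgrp the script performs, unambiguous argument logging is what makes these INFO lines usable as an audit trail of what was changed. The same pattern appears in the `run_cmd_whitelist` hunk of PATCH 1126.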
@@ -111,10 +118,12 @@ if [ "${sysfs}" = "1" ]; then echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then - chmod o+rx /sys /sys/fs /sys/fs/selinux + run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." else echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." fi fi fi + +echo "$0: INFO: END" From d8f5376c4f36f5deb734e6dead42a62566d13480 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:58:06 -0500 Subject: [PATCH 1125/1650] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 48bb3a2..46ef9bf 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,7 +80,7 @@ do echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else - chmod og-rwx "${i}" + run_cmd chmod og-rwx "${i}" fi else ## /proc/scsi doesn't exist on Debian so errors From 2d1d1b246f3fe061d4f817da5cecf46010839e1d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 08:07:29 -0500 Subject: [PATCH 1126/1650] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 46ef9bf..3c1902e 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -6,7 +6,12 @@ set -e
 run_cmd() {
- echo "INFO: executing: $@"
+ echo "INFO: normal executing : $@"
+ "$@"
+}
+
+run_cmd_whitelist() {
+ echo "INFO: whitelist executing: $@"
 "$@"
 }
@@ -43,9 +48,9 @@ create_whitelist() {
 ## Changing the permissions of /sys recursively
 ## causes errors as the permissions of /sys/kernel/debug
 ## and /sys/fs/cgroup cannot be changed.
- run_cmd chgrp -fR "${1}" "${whitelist_path}" || true
+ run_cmd_whitelist chgrp -fR "${1}" "${whitelist_path}" || true
- run_cmd chmod o-rwx "${whitelist_path}"
+ run_cmd_whitelist chmod o-rwx "${whitelist_path}"
 else
 echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
 fi
@@ -67,17 +72,16 @@ do
 if [ "${sysfs_whitelist}" = "1" ]; then
 create_whitelist sysfs
 else
+ echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..."
 run_cmd chmod og-rwx /sys
- echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
 fi
 fi
 elif [ "${i}" = "/proc/cpuinfo" ]; then
- ## Whitelist for /proc/cpuinfo.
 if [ "${cpuinfo_whitelist}" = "1" ]; then
 create_whitelist cpuinfo
 else
+ echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..."
 run_cmd chmod og-rwx /proc/cpuinfo
- echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
 fi
 else
 run_cmd chmod og-rwx "${i}"
From 808e72f24bf30b3476ab6b87f96eb636632c195c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 08:11:26 -0500 Subject: [PATCH 1127/1650] use long options https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 3c1902e..d250a6a 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -48,7 +48,7 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - run_cmd_whitelist chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true run_cmd_whitelist chmod o-rwx "${whitelist_path}" else From a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 13:32:44 +0000 Subject: [PATCH 1128/1650] bumped changelog version --- changelog.upstream | 72 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 78 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8d799e8..c8ce2af 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,63 @@ +commit 808e72f24bf30b3476ab6b87f96eb636632c195c +Author: Patrick Schleizer +Date: Mon Feb 26 08:11:26 2024 -0500 + + use long options + + https://github.com/Kicksecure/security-misc/issues/172 + +commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d +Author: Patrick Schleizer +Date: Mon Feb 26 08:07:29 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit d8f5376c4f36f5deb734e6dead42a62566d13480 +Author: Patrick Schleizer +Date: Mon Feb 26 07:58:06 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit cf84762a3a84d2be3b9510dddb32bdc433170dfa +Author: Patrick Schleizer +Date: Mon Feb 26 07:52:41 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit f2958bbfa5e67ee10380a25d996826233469080a +Author: Patrick Schleizer +Date: Mon Feb 26 07:49:30 2024 -0500 + + comment + +commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 +Merge: 02d6f67 b23d167 +Author: Patrick Schleizer +Date: Mon Feb 26 07:48:19 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e +Merge: 02d6f67 ef44ece +Author: Patrick Schleizer +Date: Mon Feb 26 07:46:02 2024 -0500 + + Merge pull request #204 from DanWin/sysfs-mount + + Make /sys hardening optional and allow access to /sys/fs to make polkit work + +commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca +Author: Patrick Schleizer +Date: Thu Feb 22 20:08:17 2024 +0000 + + bumped changelog version + commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 Author: Patrick Schleizer Date: Thu Feb 22 15:07:53 2024 -0500 
@@ -16,6 +76,18 @@ Date: Thu Feb 22 14:57:50 2024 -0500 output +commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 +Author: Daniel Winzen +Date: Thu Feb 22 16:51:23 2024 +0100 + + Add option to disabe /sys hardening + +commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 +Author: Daniel Winzen +Date: Wed Feb 21 20:37:34 2024 +0100 + + Allow access to /sys/fs for polkit + commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 Author: Patrick Schleizer Date: Thu Feb 22 16:07:16 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 83cfe4d..f64949b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 + security-misc (3:36.3-1) unstable; urgency=medium * New upstream version (local package). From e013070e0bfc43d006e09ae1c5ae3533f7bebc5f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:33:21 -0500 Subject: [PATCH 1129/1650] newline --- etc/sudoers.d/security-misc | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 4256683..fd9b7fc 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,4 +3,3 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops - From af6c6971a741c69a584ba3f92dbfed12e40784dc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:33:51 -0500 Subject: [PATCH 1130/1650] comment --- etc/default/grub.d/40_kernel_hardening.cfg | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index be7c40c..9b7b53b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -59,6 +59,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## Implemented differently: ## /usr/libexec/security-misc/panic-on-oops -## /etc/profile.d/security-misc.sh -## /etc/sudoers.d/security-misc #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" From 6b76373395622bac0e701c6d15c6656658febced Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:44:26 -0500 Subject: [PATCH 1131/1650] fix panic-on-oops started every 10s in Qubes-Whonix by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach Thanks to @marmarek for the bug report! https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 --- etc/profile.d/30_security-misc.sh | 5 ----- usr/lib/systemd/system/panic-on-oops.service | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 usr/lib/systemd/system/panic-on-oops.service diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 351d3ed..2ab169d 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -9,8 +9,3 @@ fi if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS fi - -if [ -x /usr/libexec/security-misc/panic-on-oops ]; then - ## Hide output. Otherwise could confuse Qubes UpdatesProxy. - sudo --non-interactive /usr/libexec/security-misc/panic-on-oops 1>/dev/null 2>/dev/null -fi diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service new file mode 100644 index 0000000..cf13053 --- /dev/null +++ b/usr/lib/systemd/system/panic-on-oops.service 
@@ -0,0 +1,20 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process.
+Documentation=https://github.com/Kicksecure/security-misc
+
+ConditionKernelCommandLine=!panic-on-oops=0
+
+After=multi-user.target
+After=graphical.target
+After=getty.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/security-misc/panic-on-oops
+
+[Install]
+WantedBy=multi-user.target
From 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 11:48:30 +0000 Subject: [PATCH 1132/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index c8ce2af..70aab3e 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,33 @@
+commit 6b76373395622bac0e701c6d15c6656658febced
+Author: Patrick Schleizer
+Date: Mon Mar 4 06:44:26 2024 -0500
+
+ fix panic-on-oops started every 10s in Qubes-Whonix
+
+ by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach
+
+ Thanks to @marmarek for the bug report!
+
+ https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
+
+commit af6c6971a741c69a584ba3f92dbfed12e40784dc
+Author: Patrick Schleizer
+Date: Mon Mar 4 06:33:51 2024 -0500
+
+ comment
+
+commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f
+Author: Patrick Schleizer
+Date: Mon Mar 4 06:33:21 2024 -0500
+
+ newline
+
+commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0
+Author: Patrick Schleizer
+Date: Mon Feb 26 13:32:44 2024 +0000
+
+ bumped changelog version
+
 commit 808e72f24bf30b3476ab6b87f96eb636632c195c
 Author: Patrick Schleizer
 Date: Mon Feb 26 08:11:26 2024 -0500
diff --git a/debian/changelog b/debian/changelog
index f64949b..22e313b 100644
--- a/debian/changelog
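Review bot: `After=multi-user.target` combined with `WantedBy=multi-user.target` may form an ordering cycle: a target implicitly adds `After=` for every unit it `Wants=` unless that unit sets `DefaultDependencies=no`, so multi-user.target would be ordered after a service that is itself ordered after multi-user.target, and systemd resolves such cycles by dropping a job — possibly this one, which would leave `kernel.panic_on_oops` unset. Run `systemd-analyze verify` against the unit and, if confirmed, express "late in boot" differently, e.g. via a timer unit or by ordering after the specific services that must precede it. Separately, the profile.d hook that used `sudo` to start this script is removed here and the grub comment in PATCH 1130 drops its reference to etc/sudoers.d/security-misc, yet that sudoers file (visible in PATCH 1129) still grants `NOPASSWD` for this script to the `user` account and the `sudo` group; with the unit running it as root that grant looks like a leftover and could be removed to keep the sudoers surface minimal, unless something else still invokes it via sudo.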
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:36.5-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000
+
 security-misc (3:36.4-1) unstable; urgency=medium
 * New upstream version (local package).
From a5206bde336c159be065345e7dd5cb86b2b6a27f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Mar 2024 08:44:53 -0400 Subject: [PATCH 1133/1650] `proc-hidepid.service` add `gid=proc` This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. https://github.com/Kicksecure/security-misc/issues/208 --- usr/lib/systemd/system/proc-hidepid.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service
index 7acad5b..2ec1858 100644
--- a/usr/lib/systemd/system/proc-hidepid.service
+++ b/usr/lib/systemd/system/proc-hidepid.service
@@ -12,7 +12,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
-ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc
 RemainAfterExit=yes
 [Install]
From 57fc487e5e5ffad765f1418236744319cc666871 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Mar 2024 13:19:26 +0000 Subject: [PATCH 1134/1650] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 70aab3e..1fea6fd 100644
--- a/changelog.upstream
+++ b/changelog.upstream
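Review bot: `gid=proc` makes the whole remount depend on the `proc` group being resolvable at boot: if the name does not resolve, `mount` rejects the option string and none of nosuid,nodev,noexec,hidepid=2 is applied, a fail-open outcome for a hardening unit. The preinst hunk of PATCH 1135 creates the group on install, so the normal path is covered, but the dependency and the privilege it confers belong in the unit, e.g. `## gid=proc: members of group 'proc' bypass hidepid and can see every user's processes; the group is created by debian/security-misc.preinst`. It is also worth confirming on the target release that mount(8) translates the group name into a numeric id for procfs, since I believe the kernel side accepts only a number.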
@@ -1,3 +1,19 @@
+commit a5206bde336c159be065345e7dd5cb86b2b6a27f
+Author: Patrick Schleizer
+Date: Sun Mar 10 08:44:53 2024 -0400
+
+ `proc-hidepid.service` add `gid=proc`
+
+ This allows users that are a member of the `proc` group to be excluded from `hidepid` protections.
+
+ https://github.com/Kicksecure/security-misc/issues/208
+
+commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12
+Author: Patrick Schleizer
+Date: Mon Mar 4 11:48:30 2024 +0000
+
+ bumped changelog version
+
 commit 6b76373395622bac0e701c6d15c6656658febced
 Author: Patrick Schleizer
 Date: Mon Mar 4 06:44:26 2024 -0500
diff --git a/debian/changelog b/debian/changelog
index 22e313b..5cc0bd7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:36.6-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000
+
 security-misc (3:36.5-1) unstable; urgency=medium * New upstream version (local package).

From 03ed546cd8992b29855ca1c2748ed988dd3c765d Mon Sep 17 00:00:00 2001
From: wryMitts <158655396+wryMitts@users.noreply.github.com>
Date: Sun, 10 Mar 2024 16:55:10 -0400
Subject: [PATCH 1135/1650] Create proc group on install

Fixes https://github.com/Kicksecure/security-misc/issues/210
---
 debian/security-misc.preinst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index dc032b1..4b6a4d7 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -20,6 +20,9 @@ user_groups_modifications() {
 addgroup --system sysfs
 addgroup --system cpuinfo
+ ## /usr/lib/systemd/system/proc-hidepid.service
+ addgroup --system proc
+
 ## group 'sudo' membership required to use 'su'
 ## /usr/share/pam-configs/wheel-security-misc
 adduser root sudo

From 357ea5deab85debb9dff5d9e4e80a972954249c8 Mon Sep 17 00:00:00 2001
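Review bot: `addgroup --system proc` is unconditional; that is a no-op when a `proc` system group already exists, but if an administrator has created a regular (non-system) group of that name `addgroup` exits non-zero, and under a `set -e` preinst that would abort the install — `user_groups_modifications()` begins outside this hunk, so whether that is handled is not visible here. Because membership of this group now switches off the `hidepid=2` visibility limit for its members, the comment should state the consequence rather than only naming the unit file, e.g. `## 'proc' group: members are exempt from hidepid=2 (see proc-hidepid.service); nothing adds users to it by default.`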
From: Patrick Schleizer Date: Mon, 11 Mar 2024 15:07:50 +0000 Subject: [PATCH 1136/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1fea6fd..c6f87f7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 0a018bdebca167d671d8bda81a2b0d929d396945 +Merge: 57fc487 0b81316 +Author: Patrick Schleizer +Date: Mon Mar 11 10:13:57 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0b8131630041dbd80f1aa61dcedde446208c06f7 +Merge: 57fc487 03ed546 +Author: Patrick Schleizer +Date: Mon Mar 11 10:12:46 2024 -0400 + + Merge pull request #211 from wryMitts/patch-1 + + Create proc group on install + +commit 03ed546cd8992b29855ca1c2748ed988dd3c765d +Author: wryMitts <158655396+wryMitts@users.noreply.github.com> +Date: Sun Mar 10 16:55:10 2024 -0400 + + Create proc group on install + + Fixes https://github.com/Kicksecure/security-misc/issues/210 + +commit 57fc487e5e5ffad765f1418236744319cc666871 +Author: Patrick Schleizer +Date: Sun Mar 10 13:19:26 2024 +0000 + + bumped changelog version + commit a5206bde336c159be065345e7dd5cb86b2b6a27f Author: Patrick Schleizer Date: Sun Mar 10 08:44:53 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 5cc0bd7..a53e7cf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 + security-misc (3:36.6-1) unstable; urgency=medium * New upstream version (local package). From ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 18 Mar 2024 11:01:56 -0400 Subject: [PATCH 1137/1650] lower debugging --- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox
index 022d2dc..545a694 100755
--- a/usr/share/security-misc/lkrg/lkrg-virtualbox
+++ b/usr/share/security-misc/lkrg/lkrg-virtualbox
@@ -3,7 +3,7 @@
 ## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-set -x
+#set -x
 set -e
 if ! command -v vboxmanage &>/dev/null ; then

From d9ac01ba5c26f9730feb17fe573d447e625e59f8 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 18 Mar 2024 15:10:10 +0000
Subject: [PATCH 1138/1650] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index c6f87f7..4eced19 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f
+Author: Patrick Schleizer
+Date: Mon Mar 18 11:01:56 2024 -0400
+
+ lower debugging
+
+commit 357ea5deab85debb9dff5d9e4e80a972954249c8
+Author: Patrick Schleizer
+Date: Mon Mar 11 15:07:50 2024 +0000
+
+ bumped changelog version
+
 commit 0a018bdebca167d671d8bda81a2b0d929d396945
 Merge: 57fc487 0b81316
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index a53e7cf..8f36f5e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:36.8-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000
+
 security-misc (3:36.7-1) unstable; urgency=medium * New upstream version (local package).

From 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 Mon Sep 17 00:00:00 2001
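Review bot: Commenting out `set -x` means the next person who needs tracing has to edit a packaged file under /usr/share and remember to revert it; an environment guard in the same place avoids the toggle entirely, e.g. `if [ "${DEBUG:-}" = "1" ]; then set -x; fi` placed before `set -e`. Tracing this script echoes every `vboxmanage` invocation with its arguments into whatever captures stderr, so keeping it off by default is the right call; the guard just makes that explicit. The rest of the script is outside the hunk.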
From: Patrick Schleizer
Date: Mon, 1 Apr 2024 02:55:59 -0400
Subject: [PATCH 1139/1650] no longer disable MSR by default

fixes https://github.com/Kicksecure/security-misc/issues/215
---
 etc/modprobe.d/30_security-misc.conf | 3 ++-
 usr/bin/disabled-msr-by-security-misc | 10 ----------
 2 files changed, 2 insertions(+), 11 deletions(-)
 delete mode 100755 usr/bin/disabled-msr-by-security-misc

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 24ee928..8b5af64 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -33,7 +33,8 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-install msr /usr/bin/disabled-msr-by-security-misc
+## https://github.com/Kicksecure/security-misc/issues/215
+#install msr /usr/bin/disabled-msr-by-security-misc
 ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
diff --git a/usr/bin/disabled-msr-by-security-misc b/usr/bin/disabled-msr-by-security-misc
deleted file mode 100755
index 2c5e6e1..0000000
--- a/usr/bin/disabled-msr-by-security-misc
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
-
-echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
-
-exit 1

From 7fba04d1485187fe648f3d3ab44cd834b0eb9791 Mon Sep 17 00:00:00 2001
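Review bot: With `install msr` commented out, the two comment lines above it still describe the block as if it were in force ("Disable CPU MSRs as they can be abused..."), and the only hint that the protection is deliberately off is the bare issue link, so the file now documents a mitigation it no longer applies. A one-line status comment fixes that, e.g. `## NOT blocked by default (reason recorded in issue #215); uncomment the install line to re-enable.` Note also that the same commit deletes /usr/bin/disabled-msr-by-security-misc, so anyone who later uncomments `#install msr /usr/bin/disabled-msr-by-security-misc` gets a rule pointing at a missing helper; the comment should say the helper was removed, or the rule should be pointed at one of the remaining disabled-*-by-security-misc scripts when it is re-enabled.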
From: Patrick Schleizer Date: Mon, 1 Apr 2024 06:56:45 +0000 Subject: [PATCH 1140/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4eced19..d5e5794 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 +Author: Patrick Schleizer +Date: Mon Apr 1 02:55:59 2024 -0400 + + no longer disable MSR by default + + fixes https://github.com/Kicksecure/security-misc/issues/215 + +commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 +Author: Patrick Schleizer +Date: Mon Mar 18 15:10:10 2024 +0000 + + bumped changelog version + commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f Author: Patrick Schleizer Date: Mon Mar 18 11:01:56 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 8f36f5e..51b4db5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 + security-misc (3:36.8-1) unstable; urgency=medium * New upstream version (local package). From 493576836c90653f9c3514fcd5b3bf816e56d689 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 12 Apr 2024 00:17:06 +1000 Subject: [PATCH 1141/1650] BHI mitigation on Intel CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9bd9fc5..667480e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -75,3 +75,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
+## TODO: update the above link with better alternative when possible
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"

From a9886a3119f9b662b15fc26d28a7fedf316b72c4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 12 Apr 2024 06:56:39 +0000
Subject: [PATCH 1142/1650] bumped changelog version

---
 changelog.upstream | 28 ++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 34 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index d5e5794..5f51674 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,31 @@
+commit 5cbdf3c1262d26ae03b28baee87b1d268329da40
+Merge: 7fba04d ab8b6da
+Author: Patrick Schleizer
+Date: Fri Apr 12 02:54:17 2024 -0400
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit ab8b6da484a90e9a62f8ba515c757aa3758baf48
+Merge: 7fba04d 4935768
+Author: Patrick Schleizer
+Date: Fri Apr 12 02:53:08 2024 -0400
+
+ Merge pull request #216 from raja-grewal/spectre_bhi
+
+ BHI mitigation on Intel CPUs
+
+commit 493576836c90653f9c3514fcd5b3bf816e56d689
+Author: raja-grewal
+Date: Fri Apr 12 00:17:06 2024 +1000
+
+ BHI mitigation on Intel CPUs
+
+commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791
+Author: Patrick Schleizer
+Date: Mon Apr 1 06:56:45 2024 +0000
+
+ bumped changelog version
+
 commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04
 Author: Patrick Schleizer
 Date: Mon Apr 1 02:55:59 2024 -0400
diff --git a/debian/changelog b/debian/changelog
index 51b4db5..38a464a 100644
--- a/debian/changelog
+++ b/debian/changelog
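Review bot: `spectre_bhi=on` is only understood by kernels that carry the April 2024 BHI series (6.9 and, as far as I know, the stable backports); older kernels do not reject an unknown parameter, they ignore it, so an operator reading /proc/cmdline on such a kernel would see the option and wrongly conclude the mitigation is active. A comment next to the line avoids that false assurance, e.g. `## Needs a kernel with the BHI patches (6.9+ or a backport); silently ignored by older kernels -- verify via /sys/devices/system/cpu/vulnerabilities/spectre_v2`. The reference link is replaced by a later commit in this series (965c864), so no change is needed there.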
@@ -1,3 +1,9 @@
+security-misc (3:37.0-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000
+
 security-misc (3:36.9-1) unstable; urgency=medium * New upstream version (local package).

From 965c8641fd28e0ee592b50605edb7494fe9c3a28 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:47:02 +1000
Subject: [PATCH 1143/1650] Update BHI mitigation reference

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 667480e..7940b25 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -77,6 +77,5 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
 ##
-## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
-## TODO: update the above link with better alternative when possible
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"

From de4f4be94762c9751ea62f744d7d6ede3ef30e88 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:47:40 +1000
Subject: [PATCH 1144/1650] Merge spectre mitigations

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 7940b25..de9ca82 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -10,10 +10,11 @@
 ## Enable known mitigations for CPU vulnerabilities and disable SMT.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
-## Enable mitigations for Spectre variant 2 (indirect branch speculation).
+## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
+## and Intel branch history injection (BHI) vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
 ## Disable Speculative Store Bypass.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
@@ -74,8 +74,3 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## This default will used until provided sufficient evidence to modify.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
-
-## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"

From 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:48:13 +1000
Subject: [PATCH 1145/1650] Add reference for SSB

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index de9ca82..b683200 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -16,7 +16,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
-## Disable Speculative Store Bypass.
+## Disable Speculative Store Bypass (Spectre Variant 4).
+##
+## https://www.suse.com/support/kb/doc/?id=000019189
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 ## Enable mitigations for the L1TF vulnerability through disabling SMT

From d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:49:00 +1000
Subject: [PATCH 1146/1650] Add reference for RETBleed

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index b683200..ee6a2df 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -70,6 +70,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
 ## Return Instructions) vulnerability and disable SMT.
 ##
+## https://www.suse.com/support/kb/doc/?id=000020693
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## Control RAS overflow mitigation on AMD Zen CPUs.

From c002bd62e8584a19e73b3f42673a3f9bafba6a2c Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:49:34 +1000
Subject: [PATCH 1147/1650] Clarify use of `mitigations=auto`

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index ee6a2df..49c200e 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -7,7 +7,7 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
-## Enable known mitigations for CPU vulnerabilities and disable SMT.
+## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)

From 1122b3402c0856a087415d7ba1a313048b7e3eea Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:50:42 +1000
Subject: [PATCH 1148/1650] GDS mitigation for CPUs

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 49c200e..029db6d 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -78,3 +78,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## This default will used until provided sufficient evidence to modify.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+
+## Mitigates Gather Data Sampling (GDS) vulnerability.
+## Note for systems that have not received a suitable microcode update this will
+## entirely disable use of the AVX instructions set.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"

From 0c031a29d33d13d9106746d61b87f9d98a80b5cd Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 1 May 2024 13:55:09 +1000
Subject: [PATCH 1149/1650] RFDS mitigation on Intel Atom CPUs (including E-cores)

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++
 1 file changed, 6 insertions(+)
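Review bot: "AVX instructions set" in the GDS comment should read "AVX instruction set", and the comment would be more useful if it spelled out what `force` adds over the kernel default, since that is the policy decision being made here: by default the microcode-based mitigation is used where available, while `force` additionally drops AVX on affected CPUs that have no such microcode (the cost is on those machines only, if I read the referenced kernel document correctly). Suggested wording for the two middle lines: `## 'force' goes beyond the default: on affected CPUs lacking the microcode fix it` / `## disables the AVX instruction set entirely rather than leaving them unmitigated.`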
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 029db6d..aaefdaf 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -85,3 +85,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
+
+## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
+## encompasses E-cores on hybrid architectures.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

From 8f7768ce96e32e3f1ec52118afffc2a44a160976 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 5 May 2024 12:50:39 +0000
Subject: [PATCH 1150/1650] Add vendor links

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index aaefdaf..20f62c1 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -7,6 +7,12 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
+## Check for potential updates directly from AMD and Intel.
+##
+## https://www.amd.com/en/resources/product-security.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
+
 ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
From 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 5 May 2024 12:52:51 +0000
Subject: [PATCH 1151/1650] Remove a word

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 20f62c1..fd997e4 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,7 +1,7 @@
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Enables all known mitigations for CPU vulnerabilities.
+## Enables known mitigations for CPU vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

From 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 9 May 2024 02:16:50 +0000
Subject: [PATCH 1152/1650] Revert logging of martians

---
 usr/lib/sysctl.d/990-security-misc.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 321f3b8..95b44ff 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -81,8 +81,9 @@ kernel.io_uring_disabled=2
 ## A martian packet is a one with a source address which is blatantly wrong
 ## Recommended to keep a log of these to identify these suspicious packets
-net.ipv4.conf.all.log_martians=1
-net.ipv4.conf.default.log_martians=1
+## Good for troubleshooting and diagnostics but not necessary by default
+#net.ipv4.conf.all.log_martians=1
+#net.ipv4.conf.default.log_martians=1
 ## Protects against time-wait assassination.
 ## It drops RST packets for sockets in the time-wait state.

From f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a Mon Sep 17 00:00:00 2001
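Review bot: After this hunk the comment block contradicts itself: "Recommended to keep a log of these to identify these suspicious packets" is followed directly by the two settings being commented out, and the later commit 9b589bc in this series only appends the issue link without resolving the contradiction. Rewording the recommendation to match the shipped default keeps the file honest, e.g. `## Logging martians aids troubleshooting but is off by default (see issue #214); set both keys to 1 to enable.` It is also worth saying explicitly that with the keys commented out the kernel default (0) applies unless another sysctl fragment sets them, since anyone who relied on these log lines for detection loses them silently on upgrade.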
From: raja-grewal
Date: Thu,  9 May 2024 02:25:46 +0000
Subject: [PATCH 1153/1650] Create disabled-gps-by-security-misc

---
 usr/bin/disabled-gps-by-security-misc | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 usr/bin/disabled-gps-by-security-misc

diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc
new file mode 100644
index 0000000..460e39c
--- /dev/null
+++ b/usr/bin/disabled-gps-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

From 06f13bb766bd84182331aeb1632b917de4b36020 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 9 May 2024 02:28:53 +0000
Subject: [PATCH 1154/1650] Disable GPS modules like GNSS

---
 etc/modprobe.d/30_security-misc.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 8b5af64..d993919 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
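Review bot: `$@` inside a double-quoted string is expanded per argument (`"... args: $@"` becomes several words), which `echo` happens to re-join but is the wrong form for embedding arguments in a message; `$*` joins them into one word, so the line should end `... | args: $*" >&2`. The file is also created with mode 100644, so as a modprobe `install` target it cannot be executed and the error text would never be shown; the later commit 8d01fc2 in this series fixes the mode, but the two should land together so no intermediate package ships the non-executable helper. The body is otherwise a copy of the other disabled-*-by-security-misc scripts (the deleted MSR one earlier on this page has the same shape apart from the module name), which is fine but worth a comment pointing at the canonical copy so later edits do not diverge.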
@@ -88,6 +88,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc
 install mei /usr/bin/disabled-intelme-by-security-misc
 install mei-me /usr/bin/disabled-intelme-by-security-misc
+# Disable GPS modules like GNSS (Global Navigation Satellite System)
+install gnss /usr/bin/disabled-gps-by-security-misc
+install gnss-mtk /usr/bin/disabled-gps-by-security-misc
+install gnss-serial /usr/bin/disabled-gps-by-security-misc
+install gnss-sirf /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
+install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+
 ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 blacklist ath_pci

From 677f75ae8ed64af599f837ced15f34990df498e5 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 9 May 2024 02:34:02 +0000
Subject: [PATCH 1155/1650] Disable `firewire-net` module

---
 etc/modprobe.d/30_security-misc.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 8b5af64..5e6c1f6 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install firewire-core /usr/bin/disabled-firewire-by-security-misc
 install firewire_core /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
 install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
 install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc

From 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 Mon Sep 17 00:00:00 2001
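Review bot: The new comment uses a single `#` while every other comment in this file uses `##` (the `## Blacklist automatic loading` line right below is the nearest example); keep the convention: `## Disable GPS modules like GNSS (Global Navigation Satellite System)`. It would also help to state the scope of the block the way the rest of the file implies it: `install` rules only intercept modprobe-driven loading, so a GNSS driver compiled into the kernel is not covered, which is worth one line so nobody reads this as a hardware-level disable. The set of `gnss-*` drivers listed looks plausible but I cannot verify completeness from here; a comment naming the kernel source directory the list was taken from would make it auditable.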
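Review bot: The surrounding entries list both spellings of each FireWire module (`firewire-core`/`firewire_core`, `firewire-ohci`/`firewire_ohci`), but only `firewire-net` is added here; for consistency add `install firewire_net /usr/bin/disabled-firewire-by-security-misc` directly after it. As far as I know kmod treats `-` and `_` as equivalent in module names, so the duplicate is belt-and-braces rather than required, which is itself worth a one-line comment above the block so the pairs are not "cleaned up" by a later edit.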
From: Patrick Schleizer
Date: Fri, 10 May 2024 06:48:26 -0400
Subject: [PATCH 1156/1650] chmod +x

---
 usr/bin/disabled-gps-by-security-misc | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 usr/bin/disabled-gps-by-security-misc

diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc
old mode 100644
new mode 100755

From 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 10 May 2024 06:49:34 -0400
Subject: [PATCH 1157/1650] comment

---
 usr/lib/sysctl.d/990-security-misc.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 95b44ff..9f2736e 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -81,7 +81,9 @@ kernel.io_uring_disabled=2
 ## A martian packet is a one with a source address which is blatantly wrong
 ## Recommended to keep a log of these to identify these suspicious packets
-## Good for troubleshooting and diagnostics but not necessary by default
+## Good for troubleshooting and diagnostics but not necessary by default.
+## Caused issue:
+## https://github.com/Kicksecure/security-misc/issues/214
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1

From 5867b1b014f450acdf70c203ffe2f27831f1d9b0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 10 May 2024 11:20:36 +0000
Subject: [PATCH 1158/1650] bumped changelog version

---
 changelog.upstream | 139 +++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++
 2 files changed, 145 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 5f51674..7c04cd0 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,142 @@ +commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 +Author: Patrick Schleizer +Date: Fri May 10 06:49:34 2024 -0400 + + comment + +commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 +Author: Patrick Schleizer +Date: Fri May 10 06:48:26 2024 -0400 + + chmod +x + +commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 +Merge: a9886a3 0f1119f +Author: Patrick Schleizer +Date: Fri May 10 06:48:04 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f1119f326cd769db8995e8eb54ff35503c70562 +Merge: 547757f 677f75a +Author: Patrick Schleizer +Date: Fri May 10 06:45:57 2024 -0400 + + Merge pull request #221 from raja-grewal/firewire + + Disable Firewire Module + +commit 547757f4514a54437d044656c5e2b6d413a4cc30 +Merge: 7b9fe44 06f13bb +Author: Patrick Schleizer +Date: Fri May 10 06:45:34 2024 -0400 + + Merge pull request #220 from raja-grewal/block_gps + + Block Several GPS-related Modules + +commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 +Merge: 62ea4dc 132b41a +Author: Patrick Schleizer +Date: Fri May 10 06:43:43 2024 -0400 + + Merge pull request #219 from raja-grewal/logging_martians + + Revert Logging of Martians + +commit 62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 +Merge: a9886a3 4694268 +Author: Patrick Schleizer +Date: Fri May 10 06:43:15 2024 -0400 + + Merge pull request #218 from raja-grewal/secure_cpu + + More CPU Mitigations and Additional References + +commit 677f75ae8ed64af599f837ced15f34990df498e5 +Author: raja-grewal +Date: Thu May 9 02:34:02 2024 +0000 + + Disable `firewire-net` module + +commit 06f13bb766bd84182331aeb1632b917de4b36020 +Author: raja-grewal +Date: Thu May 9 02:28:53 2024 +0000 + + Disable GPS modules like GNSS + +commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a +Author: raja-grewal +Date: Thu May 9 02:25:46 2024 +0000 + + Create disabled-gps-by-security-misc + +commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 +Author: raja-grewal +Date: Thu May 9 02:16:50 2024 +0000 + + Revert logging of martians + +commit 
4694268b8f779c1a0a56546dc6d12bf9f23a7cdd +Author: raja-grewal +Date: Sun May 5 12:52:51 2024 +0000 + + Remove a word + +commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 +Author: raja-grewal +Date: Sun May 5 12:50:39 2024 +0000 + + Add vendor links + +commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd +Author: raja-grewal +Date: Wed May 1 13:55:09 2024 +1000 + + RFDS mitigation on Intel Atom CPUs (including E-cores) + +commit 1122b3402c0856a087415d7ba1a313048b7e3eea +Author: raja-grewal +Date: Wed May 1 13:50:42 2024 +1000 + + GDS mitigation for CPUs + +commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c +Author: raja-grewal +Date: Wed May 1 13:49:34 2024 +1000 + + Clarify use of `mitigations=auto` + +commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 +Author: raja-grewal +Date: Wed May 1 13:49:00 2024 +1000 + + Add reference for RETBleed + +commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 +Author: raja-grewal +Date: Wed May 1 13:48:13 2024 +1000 + + Add reference for SSB + +commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 +Author: raja-grewal +Date: Wed May 1 13:47:40 2024 +1000 + + Merge spectre mitigations + +commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 +Author: raja-grewal +Date: Wed May 1 13:47:02 2024 +1000 + + Update BHI mitigation reference + +commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 +Author: Patrick Schleizer +Date: Fri Apr 12 06:56:39 2024 +0000 + + bumped changelog version + commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 Merge: 7fba04d ab8b6da Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 38a464a..d56325f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 + security-misc (3:37.0-1) unstable; urgency=medium * New upstream version (local package). From dddac1dc4015a28fc6b12244809685295272edd1 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Sat, 11 May 2024 13:15:42 +1000 Subject: [PATCH 1159/1650] Update README.md --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e47754f..c774837 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,9 @@ configuration file. - Set coredump file name based on core_pattern value instead of the default of naming it 'core'. +- Will disable `io_uring` interface for performing asynchronous I/O as it has + historically been a significant attack surface. + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via @@ -89,7 +92,7 @@ Boot parameters are outlined in configuration files located in the - Enables randomisation of the kernel stack offset on syscall entries. -- All mitigations for known CPU vulnerabilities are enabled and SMT is +- Mitigations for known CPU vulnerabilities are enabled and SMT is disabled. - IOMMU is enabled to prevent DMA attacks along with strict enforcement of @@ -169,6 +172,9 @@ surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +- Disables several kernel modules responsible for GPS such as GNSS (Global + Navigation Satellite System). + - Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. From 1bb843ec3863696170242c57668d0b3f44f41d7b Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Sat, 11 May 2024 13:18:36 +1000 Subject: [PATCH 1160/1650] Update Copyright (C) to 2024 --- COPYING | 2 +- debian/control | 2 +- debian/copyright | 2 +- debian/make-helper-overrides.bsh | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.install | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40error-on-any | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_distrust_bootloader.cfg | 2 +- etc/default/grub.d/40_distrust_cpu.cfg | 2 +- etc/default/grub.d/40_enable_iommu.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/40_remmount-secure.cfg | 2 +- etc/default/grub.d/41_quiet.cfg | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc.conf | 2 +- etc/permission-hardener.d/25_default_passwd.conf | 2 +- etc/permission-hardener.d/25_default_sudo.conf | 2 +- .../25_default_whitelist_bubblewrap.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_chromium.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_dbus.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_fuse.conf | 2 +- .../25_default_whitelist_hardened_malloc.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_mount.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_pam.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_policykit.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_qubes.conf | 
2 +- etc/permission-hardener.d/25_default_whitelist_selinux.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_spice.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_sudo.conf | 2 +- .../25_default_whitelist_unix_chkpwd.conf | 2 +- .../25_default_whitelist_virtualbox.conf | 2 +- etc/profile.d/30_security-misc.sh | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 2 +- etc/sudoers.d/xfce-security-misc | 2 +- etc/thunderbird/pref/40_security-misc.js | 2 +- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/disabled-vivid-by-security-misc | 2 +- usr/bin/pkexec.security-misc | 2 +- .../modules.d-disabled/20remount-secure/module-setup.sh | 2 +- .../modules.d-disabled/20remount-secure/remount-secure.sh | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 2 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- usr/lib/systemd/system-preset/50-security-misc.preset | 2 +- .../systemd/system/haveged.service.d/30_security-misc.conf | 2 +- usr/lib/systemd/system/hide-hardware-info.service | 2 +- usr/lib/systemd/system/permission-hardener.service | 2 +- usr/lib/systemd/system/proc-hidepid.service | 2 +- usr/lib/systemd/system/remount-secure.service | 2 +- usr/lib/systemd/system/remove-system-map.service | 2 
+- usr/libexec/security-misc/apt-get-update | 2 +- usr/libexec/security-misc/apt-get-update-sanity-test | 2 +- usr/libexec/security-misc/askpass | 2 +- usr/libexec/security-misc/echo-path | 2 +- usr/libexec/security-misc/hide-hardware-info | 2 +- usr/libexec/security-misc/mmap-rnd-bits | 4 ++-- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- usr/libexec/security-misc/pam_faillock_not_if_x | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/panic-on-oops | 2 +- usr/libexec/security-misc/permission-lockdown | 2 +- usr/libexec/security-misc/remove-system.map | 2 +- usr/libexec/security-misc/virusforget | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 97 files changed, 98 insertions(+), 98 deletions(-) diff --git a/COPYING b/COPYING index 2a78337..808999e 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP License: AGPL-3+ License: AGPL-3+ diff --git a/debian/control b/debian/control index 77d5704..4909511 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc diff --git a/debian/copyright b/debian/copyright index 2a78337..808999e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP License: AGPL-3+ License: AGPL-3+ 
diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index c43ca87..ca24e42 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 diff --git a/debian/rules b/debian/rules index a1570ba..60f46e0 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index d80a247..29392d5 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/securetty.security-misc diff --git a/debian/security-misc.install b/debian/security-misc.install index 9cea19c..51e61ce 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,4 +1,4 @@ -## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 7e44c41..f64e762 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc 
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index b3aaae8..6dd7738 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index c40721f..d474547 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 4b6a4d7..f10ff11 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 78d5f3a..b1f7db3 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 4aed27c..6db9354 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/login.defs.security-misc 
diff --git a/debian/watch b/debian/watch index 4a80d35..e38736e 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index b1aad3d..92faf91 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index fbde1db..85de3be 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index eb7ef7a..e8025ac 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fd997e4..99582ae 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables known mitigations for CPU vulnerabilities. diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg index 36ce183..eb26262 100644 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ b/etc/default/grub.d/40_distrust_bootloader.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the bootloader for initial entropy at boot. diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg index 107b717..5cfaba9 100644 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the CPU for initial entropy at boot as it is not possible to diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg index 10a82fd..898e500 100644 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables IOMMU to prevent DMA attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 9b7b53b..4c70928 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 845ca46..4bdc3a9 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index b863029..ecb268b 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index ffda4de..07e1c7e 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 1a80c8f..22ceaf1 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e 
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index d932fc1..88d0162 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index 14ac9b6..f5e3d96 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 421c8be..0e4b0f2 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections diff --git a/etc/permission-hardener.d/25_default_passwd.conf b/etc/permission-hardener.d/25_default_passwd.conf index dcd403f..6313e15 100644 --- a/etc/permission-hardener.d/25_default_passwd.conf +++ b/etc/permission-hardener.d/25_default_passwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/etc/permission-hardener.d/25_default_sudo.conf b/etc/permission-hardener.d/25_default_sudo.conf index 6a1cf21..ee46b0e 100644 --- a/etc/permission-hardener.d/25_default_sudo.conf +++ b/etc/permission-hardener.d/25_default_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 071e724..57ad396 100644 --- a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_chromium.conf b/etc/permission-hardener.d/25_default_whitelist_chromium.conf index db6f8ea..68f54ed 100644 --- a/etc/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/etc/permission-hardener.d/25_default_whitelist_chromium.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_dbus.conf b/etc/permission-hardener.d/25_default_whitelist_dbus.conf index 2997915..4c185ca 100644 --- a/etc/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/etc/permission-hardener.d/25_default_whitelist_dbus.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_firejail.conf b/etc/permission-hardener.d/25_default_whitelist_firejail.conf index a56cb23..fbece5c 100644 --- a/etc/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardener.d/25_default_whitelist_firejail.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_fuse.conf b/etc/permission-hardener.d/25_default_whitelist_fuse.conf index 4affc6a..a8b41b1 100644 --- a/etc/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardener.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf index 6cc01fe..5437436 100644 --- a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf index ce7d014..54b22a6 100644 
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_pam.conf b/etc/permission-hardener.d/25_default_whitelist_pam.conf index 7348e0c..f9d8a08 100644 --- a/etc/permission-hardener.d/25_default_whitelist_pam.conf +++ b/etc/permission-hardener.d/25_default_whitelist_pam.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_policykit.conf b/etc/permission-hardener.d/25_default_whitelist_policykit.conf index 032c6b2..227b5fc 100644 --- a/etc/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardener.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_qubes.conf b/etc/permission-hardener.d/25_default_whitelist_qubes.conf index ad8592a..ec84733 100644 --- a/etc/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardener.d/25_default_whitelist_qubes.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/etc/permission-hardener.d/25_default_whitelist_selinux.conf b/etc/permission-hardener.d/25_default_whitelist_selinux.conf index 2a5686a..0259ef1 100644 --- a/etc/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardener.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_spice.conf b/etc/permission-hardener.d/25_default_whitelist_spice.conf index a8b7f7a..85e0197 100644 --- a/etc/permission-hardener.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardener.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_ssh.conf b/etc/permission-hardener.d/25_default_whitelist_ssh.conf index f7ef445..8d9eba5 100644 --- a/etc/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/etc/permission-hardener.d/25_default_whitelist_ssh.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_sudo.conf b/etc/permission-hardener.d/25_default_whitelist_sudo.conf index a7b0fd2..7003861 100644 --- a/etc/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardener.d/25_default_whitelist_sudo.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index dc1fb5a..5953d85 100644 --- a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf index 17701d9..d9c68bc 100644 --- a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 2ab169d..41aa6ac 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index 248335c..a78abd1 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index bbbe31d..91a08a3 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index fa9d01d..0f588ae 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index db5f32f..bd78bde 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index fd9b7fc..7084b1f 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc index be92ce9..3d26d7b 100644 --- a/etc/sudoers.d/xfce-security-misc +++ b/etc/sudoers.d/xfce-security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index b0586e8..49df52d 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP //#### See the file COPYING for copying conditions. //#### meta start diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 55b1e63..8091b45 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 9efd765..13e4592 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index 50dd638..b5b2426 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index ca04ab1..dbcc7ce 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 460e39c..90b7076 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 108cc81..47bdcb1 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index 5c15b39..e62f0c0 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index d2ae58c..f00086e 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index e086d4a..d153ceb 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index ed1487f..aa7c639 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index cb57c9a..be8fddd 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh index ce0a67b..e5a4188 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. # called by dracut diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh index b742dda..de44d46 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script is intended to remount specified mount points with more secure diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 072c9b0..08ee22a 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 5cca304..bbdf5ea 100644 
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index e99f0b5..b76a4b3 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9f2736e..371c265 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## NOTE: diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset index a852419..37374b3 100644 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ b/usr/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf index fd79dc8..97d4688 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf 
+++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service index 68d7401..6d39335 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service +++ b/usr/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service index 94ddd6b..99d4c37 100644 --- a/usr/lib/systemd/system/permission-hardener.service +++ b/usr/lib/systemd/system/permission-hardener.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service index 2ec1858..f48211d 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 8797b9c..414bba6 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] 
diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service index c6eb17b..51041f2 100644 --- a/usr/lib/systemd/system/remove-system-map.service +++ b/usr/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 39afd9c..9c5dde1 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. sigterm_trap() { diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index d71e680..a363fae 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 73f7d40..c3bb41a 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 9231d85..4a82272 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index d250a6a..f6a963b 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 17482bf..74078fa 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 8e2a575..bb1a3ee 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index de6a3e0..aa730de 100755 
--- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable debug log, run: diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 3fcf10f..edfa35d 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 11f56d4..f81592e 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 20365df..907ee69 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 973c70d..a5623b2 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index a541222..5341844 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 785d026..5a2c5d7 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 69081ee..0a24ab0 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 0d4b739..682401d 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] 
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index c94e65e..e1485b6 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 545a694..3b4a061 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #set -x From 2f716050d17016be6f550a7de8e0c1030e869e8f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 12 May 2024 01:06:34 +0000 Subject: [PATCH 1161/1650] Update README.md --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index c774837..d5cc076 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,6 @@ configuration file. - TCP timestamps are disabled as it can allow detecting the system time. -- Enforces the logging of martian packets, those with a source address which - is blatantly wrong. - - Set coredump file name based on core_pattern value instead of the default of naming it 'core'. From bfca98ea89cea0f8604ecca0c8640860320e8e33 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 18 May 2024 20:45:12 +0000 Subject: [PATCH 1162/1650] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c04cd0..6be71e2 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,43 @@ +commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 +Merge: 5867b1b 12e006e +Author: Patrick Schleizer +Date: Sat May 18 16:42:41 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a +Merge: 5867b1b 2f71605 +Author: Patrick Schleizer +Date: Sat May 18 16:30:07 2024 -0400 + + Merge pull request #222 from raja-grewal/text + + Update Readme and Copyright + +commit 2f716050d17016be6f550a7de8e0c1030e869e8f +Author: raja-grewal +Date: Sun May 12 01:06:34 2024 +0000 + + Update README.md + +commit 1bb843ec3863696170242c57668d0b3f44f41d7b +Author: Raja Grewal +Date: Sat May 11 13:18:36 2024 +1000 + + Update Copyright (C) to 2024 + +commit dddac1dc4015a28fc6b12244809685295272edd1 +Author: Raja Grewal +Date: Sat May 11 13:15:42 2024 +1000 + + Update README.md + +commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 +Author: Patrick Schleizer +Date: Fri May 10 11:20:36 2024 +0000 + + bumped changelog version + commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 Author: Patrick Schleizer Date: Fri May 10 06:49:34 2024 -0400 diff --git a/debian/changelog b/debian/changelog index d56325f..fda0e0c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 + security-misc (3:37.1-1) unstable; urgency=medium * New upstream version (local package). From 4efa293f3b76814bc5399a959482d7db6e7431ec Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Tue, 28 May 2024 07:51:06 -0400
Subject: [PATCH 1163/1650] add `/etc/gitconfig` by default for better `git` security

```
[core]
symlinks = false

[transfer]
fsckobjects = true
fsckobjects = true
[fetch]
fsckobjects = true
fsckobjects = true
[receive]
fsckobjects = true
fsckobjects = true
```

+ additional suggestions as comments

fixes https://github.com/Kicksecure/security-misc/issues/225
---
etc/gitconfig | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 etc/gitconfig
diff --git a/etc/gitconfig b/etc/gitconfig
new file mode 100644
index 0000000..4c6780f
--- /dev/null
+++ b/etc/gitconfig
@@ -0,0 +1,41 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Lines starting with a hash symbol ('#') are comments.
+## https://github.com/Kicksecure/security-misc/issues/225
+
+[core]
+## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
+ symlinks = false
+
+## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
+[transfer]
+ fsckobjects = true
+ fsckobjects = true
+[fetch]
+ fsckobjects = true
+ fsckobjects = true
+[receive]
+ fsckobjects = true
+ fsckobjects = true
+
+## Generally a good idea but too intrusive to enable by default.
+## Listed here as suggestions what users should put into their ~/.gitconfig
+## file.
+
+## Not enabled by default because it requires essential knowledge about OpenPG
+## and an already existing local signing key. Otherwise would prevent all new
+## commits.
+#[commit]
+# gpgsign = true
+
+## Not enabled by default because it would break the 'git merge' command for
+## unsigned commits and require the '--no-verify-signature' command line
+## option.
+#[merge]
+# verifySignatures = true
+
+## Not enabled by default because it would break for users who are not having
+## an account at the git server and having added a SSH public key.
+#[url "ssh://git@github.com/"]
+# insteadOf = https://github.com/
From bbe64a0b7992610dfef6002271718a2aee115cae Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 28 May 2024 12:04:53 +0000
Subject: [PATCH 1164/1650] bumped changelog version
---
changelog.upstream | 47 ++++++++++++++++++++++++++++++++++++++++++++++
debian/changelog | 6 ++++++
2 files changed, 53 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 6be71e2..ee1d78d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
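Review bot: The `symlinks = false` line under `[core]` is installed system-wide but the hunk does not record what it costs: with this setting git checks out every symbolic link in every repository as a plain file containing the link target, so existing checkouts that rely on symlinks (dotfile repositories, build trees) silently change shape, and if I recall the linked advisory correctly its attack needs a recursive clone on a case-insensitive filesystem, which is a narrower situation than the global default suggests. I would state the trade-off and the escape hatch next to the setting, e.g. `## Side effect: symlinks are checked out as plain files holding the link path.` and `## Per-repository override: git config core.symlinks true`. The `[fetch]` and `[receive]` entries are redundant with `[transfer]`, since git falls back to `transfer.fsckobjects` whenever the fetch/receive keys are unset; keeping all three is harmless (and the duplicated lines within each section are dropped later in this series), but a one-line comment saying the repetition is deliberate would stop the next reader from pruning one. Minor: `OpenPG` in the `[commit]` comment should read `OpenPGP`.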
@@ -1,3 +1,50 @@ +commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 +Merge: bfca98e a735857 +Author: Patrick Schleizer +Date: Tue May 28 08:02:21 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a7358578520294b51e1001199670a0bbeeb43eb1 +Merge: bfca98e 4efa293 +Author: Patrick Schleizer +Date: Tue May 28 07:55:31 2024 -0400 + + Merge pull request #226 from Kicksecure/gitconfig + + add `/etc/gitconfig` by default for better `git` security + +commit 4efa293f3b76814bc5399a959482d7db6e7431ec +Author: Patrick Schleizer +Date: Tue May 28 07:51:06 2024 -0400 + + add `/etc/gitconfig` by default for better `git` security + + ``` + [core] + symlinks = false + + [transfer] + fsckobjects = true + fsckobjects = true + [fetch] + fsckobjects = true + fsckobjects = true + [receive] + fsckobjects = true + fsckobjects = true + ``` + + + additional suggestions as comments + + fixes https://github.com/Kicksecure/security-misc/issues/225 + +commit bfca98ea89cea0f8604ecca0c8640860320e8e33 +Author: Patrick Schleizer +Date: Sat May 18 20:45:12 2024 +0000 + + bumped changelog version + commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 Merge: 5867b1b 12e006e Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index fda0e0c..562a2c8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 + security-misc (3:37.2-1) unstable; urgency=medium * New upstream version (local package). From e0cd9579d64e6d16667832de51f77a3091ef213e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 13:32:13 -0400 Subject: [PATCH 1165/1650] remove duplicate `fsckobjects = true` from `/etc/gitconfig` --- etc/gitconfig | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/gitconfig b/etc/gitconfig index 4c6780f..4955199 100644 --- a/etc/gitconfig +++ b/etc/gitconfig 
@@ -11,13 +11,10 @@
 ## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
 [transfer]
 fsckobjects = true
- fsckobjects = true
 [fetch]
 fsckobjects = true
- fsckobjects = true
 [receive]
 fsckobjects = true
- fsckobjects = true
 
 ## Generally a good idea but too intrusive to enable by default.
 ## Listed here as suggestions what users should put into their ~/.gitconfig
From 641e98e57714f7d38962bfd12d673500b8114356 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 1 Jun 2024 17:35:04 +0000
Subject: [PATCH 1166/1650] bumped changelog version
---
changelog.upstream | 12 ++++++++++++
debian/changelog | 6 ++++++
2 files changed, 18 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index ee1d78d..7d9ccb6 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit e0cd9579d64e6d16667832de51f77a3091ef213e
+Author: Patrick Schleizer
+Date: Sat Jun 1 13:32:13 2024 -0400
+
+ remove duplicate `fsckobjects = true` from `/etc/gitconfig`
+
+commit bbe64a0b7992610dfef6002271718a2aee115cae
+Author: Patrick Schleizer
+Date: Tue May 28 12:04:53 2024 +0000
+
+ bumped changelog version
+
 commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7
 Merge: bfca98e a735857
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index 562a2c8..f15cd40 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:37.4-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000
+
 security-misc (3:37.3-1) unstable; urgency=medium
 
 * New upstream version (local package).
From c815304026d30f7774f804498d20431ccdf8dc7f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 1 Jun 2024 14:12:57 -0400
Subject: [PATCH 1167/1650] readme
---
README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d5cc076..5c9df4a 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ configuration file. - Set coredump file name based on core_pattern value instead of the default of naming it 'core'. -- Will disable `io_uring` interface for performing asynchronous I/O as it has +- Will disable `io_uring` interface for performing asynchronous I/O as it has historically been a significant attack surface. ### mmap ASLR @@ -478,6 +478,8 @@ See: - Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. - Deactivates thumbnails in Thunar. + - rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 - Thunderbird is hardened with the following options: - Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). From b316352ede379d96cff4813735b93eb59506fe42 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 18:13:08 +0000 Subject: [PATCH 1168/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7d9ccb6..ef1375d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c815304026d30f7774f804498d20431ccdf8dc7f +Author: Patrick Schleizer +Date: Sat Jun 1 14:12:57 2024 -0400 + + readme + +commit 641e98e57714f7d38962bfd12d673500b8114356 +Author: Patrick Schleizer +Date: Sat Jun 1 17:35:04 2024 +0000 + + bumped changelog version + commit e0cd9579d64e6d16667832de51f77a3091ef213e Author: Patrick Schleizer Date: Sat Jun 1 13:32:13 2024 -0400 diff --git a/debian/changelog b/debian/changelog index f15cd40..be428f2 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:37.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 + security-misc (3:37.4-1) unstable; urgency=medium * New upstream version (local package). From e1984478662fc51e6eacc989bc6bba0ca1fc07cd Mon Sep 17 00:00:00 2001 From: Ashlen Date: Sat, 8 Jun 2024 22:17:05 -0600 Subject: [PATCH 1169/1650] fix(etc): delete typo in /etc/apparmor.d tunables /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this file: /etc/apparmor.d/tunables/home.d/security-misc. --- etc/apparmor.d/tunables/home.d/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 92faf91..5256089 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, From 05c1711b16c96a221c13a011a6666fe6b385ec1e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 11 Jun 2024 12:56:56 +0000 Subject: [PATCH 1170/1650] bumped changelog version --- changelog.upstream | 31 +++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 37 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ef1375d..c63cf13 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,34 @@ +commit e48115588caae8e51bb980ac84b1f0f415ca0d17 +Merge: b316352 cad8d85 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:47 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit cad8d857556e29544f742fdac8fe82758a4f885c +Merge: b316352 e198447 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:07 2024 -0400 + + Merge pull request #227 from 3uryd1ce/fix-pam.d-path + + fix(etc): delete typo in /etc/apparmor.d tunables + +commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd +Author: Ashlen +Date: Sat Jun 8 22:17:05 2024 -0600 + + fix(etc): delete typo in /etc/apparmor.d tunables + + /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this + file: /etc/apparmor.d/tunables/home.d/security-misc. + +commit b316352ede379d96cff4813735b93eb59506fe42 +Author: Patrick Schleizer +Date: Sat Jun 1 18:13:08 2024 +0000 + + bumped changelog version + commit c815304026d30f7774f804498d20431ccdf8dc7f Author: Patrick Schleizer Date: Sat Jun 1 14:12:57 2024 -0400 diff --git a/debian/changelog b/debian/changelog index be428f2..0cf310c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 + security-misc (3:37.5-1) unstable; urgency=medium * New upstream version (local package). From b7796a5334075d5fa538d7579003fde6287d7e6d Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 11 Jul 2024 11:04:22 +0200 Subject: [PATCH 1171/1650] Unify method to find SUID files --- usr/bin/permission-hardener | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2e5df3d..1d4c868 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -60,10 +60,16 @@ add_nosuid_statoverride_entry() { local fso_to_process fso_to_process="${fso}" local should_be_counter - should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s | wc -l)" || true + should_be_counter=0 local counter_actual counter_actual=0 + local dummy_line + while read -r dummy_line; do + true "DEBUG: test would evaluate parse" "${dummy_line}" + should_be_counter=$((should_be_counter + 1)) + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + local line while read -r line; do true "line: ${line}" From 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:27:56 +1000 Subject: [PATCH 1172/1650] Remove redundant disabled modules --- etc/modprobe.d/30_security-misc.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 0e4b0f2..90b2a46 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -20,11 +20,8 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire_core /usr/bin/disabled-firewire-by-security-misc install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire_ohci /usr/bin/disabled-firewire-by-security-misc -install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc From fe20f3240e2f31099bcaa9f9e2045320df810edf Mon Sep 17 00:00:00 2001 
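Review bot: `should_be_counter` is now produced by the same `find -print0 | xargs -I{} -0 stat -c "%n %a %U %G"` pipeline and `read -r` loop that feed the processing loop further down, so any entry that pipeline loses — a name containing a newline, which `read -r` splits into two lines, or a path `stat` fails on, which yields no line at all — is missing from both counters and the comparison can no longer notice it. An independent expected count keeps the check meaningful, e.g. `should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s -printf '.' | wc -c)"`, which counts every match regardless of its name and stays GNU-only like the `stat -c` and `-print0` already in use. That one-liner also replaces the counting loop, which otherwise runs `stat` once per file a second time and roughly doubles the scan cost, and takes the leftover `true "DEBUG: test would evaluate parse" ...` line with it. `add_nosuid_statoverride_entry` continues past the end of the hunk.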
From: Raja Grewal Date: Fri, 12 Jul 2024 02:28:48 +1000 Subject: [PATCH 1173/1650] Refactor existing modprobe for clarity --- etc/modprobe.d/30_security-misc.conf | 268 +++++++++++++++------------ 1 file changed, 151 insertions(+), 117 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 90b2a46..af5fd10 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -1,123 +1,34 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## See the following links for a community discussion and overview regarding the selections +## See the following links for a community discussion and overview regarding the selections. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -## Disable automatic conntrack helper assignment +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Do not disable by default for potential future ISO plans. +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +# +blacklist cdrom +blacklist sr_mod +# +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Connection Tracking: +## Disable automatic conntrack helper assignment. 
## https://phabricator.whonix.org/T486 +# options nf_conntrack nf_conntrack_helper=0 -## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -# -## Now replaced by a privacy and security preserving default bluetooth configuration for better usability -# -# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc -# install btusb /usr/bin/disabled-bluetooth-by-security-misc - -## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc -install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc -install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install dv1394 /usr/bin/disabled-firewire-by-security-misc -install raw1394 /usr/bin/disabled-firewire-by-security-misc -install video1394 /usr/bin/disabled-firewire-by-security-misc - -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -#install msr /usr/bin/disabled-msr-by-security-misc - -## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. 
-## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /usr/bin/disabled-network-by-security-misc -install sctp /usr/bin/disabled-network-by-security-misc -install rds /usr/bin/disabled-network-by-security-misc -install tipc /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc -install af_802154 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc -install appletalk /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc -install atm /usr/bin/disabled-network-by-security-misc - -## Disable uncommon file systems to reduce attack surface -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Disable uncommon network file systems to reduce attack surface -install cifs /usr/bin/disabled-netfilesys-by-security-misc -install nfs /usr/bin/disabled-netfilesys-by-security-misc -install nfsv3 
/usr/bin/disabled-netfilesys-by-security-misc -install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc - -## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /usr/bin/disabled-vivid-by-security-misc - -## Disable Intel Management Engine (ME) interface with the OS -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /usr/bin/disabled-intelme-by-security-misc -install mei-me /usr/bin/disabled-intelme-by-security-misc - -# Disable GPS modules like GNSS (Global Navigation Satellite System) -install gnss /usr/bin/disabled-gps-by-security-misc -install gnss-mtk /usr/bin/disabled-gps-by-security-misc -install gnss-serial /usr/bin/disabled-gps-by-security-misc -install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc -install gnss-ubx /usr/bin/disabled-gps-by-security-misc - -## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -blacklist ath_pci - -## Blacklist automatic loading of miscellaneous modules -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -blacklist evbug -blacklist usbmouse -blacklist usbkbd -blacklist eepro100 -blacklist de4x5 -blacklist eth1394 -blacklist snd_intel8x0m -blacklist snd_aw2 -blacklist prism54 -blacklist bcm43xx -blacklist garmin_gps -blacklist asus_acpi -blacklist snd_pcsp -blacklist pcspkr -blacklist amd76x_edac - -## Blacklist 
automatic loading of framebuffer drivers +## Framebuffer Drivers: ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +# blacklist aty128fb blacklist atyfb blacklist radeonfb 
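Review bot: The new header pair `## Blacklisting prevents kernel modules from automatically starting.` / `## Disabling prohibits kernel modules from starting.` overstates both mechanisms, and since every later section is written against these two terms the imprecision propagates. `blacklist` only makes modprobe ignore the module's internal aliases, so hardware detection no longer pulls it in, but an explicit `modprobe` and dependency resolution from another module still load it; `install <module> <command>` makes modprobe run the command instead of loading the module, which also covers dependency loading but is bypassed by `modprobe --ignore-install` and does nothing to a module that is already loaded. Suggested wording: `## blacklist: modprobe ignores the module's internal aliases, so it is not auto-loaded on hardware detection; explicit and dependency loading still work.` and `## install <module> <cmd>: modprobe runs <cmd> instead of loading the module, so explicit and dependency loading are refused too (bypassed by --ignore-install).` The same two lines are copied verbatim into the new `30_security-misc_blacklist.conf` in the later split commit, so the fix applies there as well.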
@@ -147,10 +58,133 @@ blacklist viafb blacklist vt8623fb blacklist udlfb -## Disable CD-ROM devices -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc -blacklist cdrom -blacklist sr_mod +## Miscellaneous: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +# +blacklist ath_pci +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +## Bluetooth: +## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +# +## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +# +#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +#install btusb /usr/bin/disabled-bluetooth-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +# +#install msr /usr/bin/disabled-msr-by-security-misc + +## FireWire (IEEE 1394): +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. 
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues +# +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +# +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + +## Global Positioning Systems: +## Disable GPS-related modules like GNSS (Global Navigation Satellite System). +# +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc + +## Intel Management Engine (ME): +## Partially disable the Intel ME interface with the OS. 
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +# +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc + +## Network File Systems: +## Disable uncommon network file systems to reduce attack surface. +# +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc + +## Network Protocols: +## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## https://tails.boum.org/blueprint/blacklist_modules/ +## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +# +install dccp /usr/bin/disabled-network-by-security-misc +install sctp /usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install af_802154 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install p8022 
/usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install atm /usr/bin/disabled-network-by-security-misc + +## Miscellaneous: +# +## Vivid: +## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +# +install vivid /usr/bin/disabled-vivid-by-security-misc + +## Thunderbolt: +## Disables Thunderbolt modules to prevent some DMA attacks. +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +# +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc From fc792ff23234399ed299c3fdc086d47c87d9b4a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:29:36 +1000 Subject: [PATCH 1174/1650] Alphabetically sort existing modprobe --- etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++-------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index af5fd10..a4e8baa 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -31,7 +31,6 @@ options nf_conntrack nf_conntrack_helper=0 # blacklist aty128fb blacklist atyfb -blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb @@ -45,6 +44,7 @@ blacklist matroxfb_bases blacklist neofb blacklist nvidiafb blacklist pm2fb +blacklist radeonfb blacklist rivafb blacklist s1d13xxxfb blacklist savagefb 
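Review bot: The Fedora reference added in the Network Protocols block carries a stray closing parenthesis, `## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)`, which breaks the link when it is copied; drop the trailing `)`. The heading `## Miscellaneous:` now appears twice in this hunk — once above `blacklist ath_pci` and again above the `## Vivid:` sub-heading — so a reader searching for the section lands in the wrong place; the second occurrence can simply go, since `## Vivid:` and `## Thunderbolt:` already name what follows. Minor, but the `## Intel Management Engine (ME):` text says "Partially disable" while the other sections say "Disable"; a few words on what remains enabled would make the "partially" useful.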
@@ -63,21 +63,21 @@ blacklist udlfb ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco # blacklist ath_pci -blacklist evbug -blacklist usbmouse -blacklist usbkbd -blacklist eepro100 -blacklist de4x5 -blacklist eth1394 -blacklist snd_intel8x0m -blacklist snd_aw2 -blacklist prism54 -blacklist bcm43xx -blacklist garmin_gps -blacklist asus_acpi -blacklist snd_pcsp -blacklist pcspkr blacklist amd76x_edac +blacklist asus_acpi +blacklist bcm43xx +blacklist eepro100 +blacklist eth1394 +blacklist evbug +blacklist de4x5 +blacklist garmin_gps +blacklist pcspkr +blacklist prism54 +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. @@ -99,14 +99,14 @@ blacklist amd76x_edac ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues # +install dv1394 /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install dv1394 /usr/bin/disabled-firewire-by-security-misc install raw1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc ## File Systems: 
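Review bot: The ordering this commit introduces is not fully alphabetical: this hunk leaves `blacklist de4x5` after `blacklist evbug`, the FireWire hunk on the same line places `install firewire-ohci` before `install firewire-net`, and the network-protocol hunk (`@@ -153,25 +153,25 @@`) puts `install decnet` ahead of `install dccp`. Because alphabetical order is what a maintainer will rely on when scanning these lists for duplicates (the previous commit removed exactly such duplicates), those three entries should be moved: de4x5 before eepro100, firewire-net before firewire-ohci, dccp before decnet. `blacklist ath_pci` staying above `blacklist amd76x_edac` is presumably deliberate given its separate source link; a one-line comment saying so would stop the next sorter from moving it.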
@@ -115,9 +115,9 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc # install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc ## Global Positioning Systems: @@ -127,8 +127,8 @@ install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc install gnss-ubx /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. @@ -141,11 +141,11 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc ## Disable uncommon network file systems to reduce attack surface. # install cifs /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. 
@@ -153,25 +153,25 @@ install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco # -install dccp /usr/bin/disabled-network-by-security-misc -install sctp /usr/bin/disabled-network-by-security-misc -install rds /usr/bin/disabled-network-by-security-misc -install tipc /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install psnap 
/usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install sctp /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc ## Miscellaneous: # From b02230a783941da412be72fb52053db0c6b8010f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:42:37 +1000 Subject: [PATCH 1175/1650] Split modprobe into blacklisted and disabled configurations --- README.md | 7 +- debian/security-misc.maintscript | 2 +- .../30_security-misc_blacklist.conf | 80 +++++++++++++++++++ ...isc.conf => 30_security-misc_disable.conf} | 71 ---------------- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/disabled-vivid-by-security-misc | 3 +- 14 files changed, 96 insertions(+), 85 deletions(-) create mode 100644 etc/modprobe.d/30_security-misc_blacklist.conf rename etc/modprobe.d/{30_security-misc.conf => 30_security-misc_disable.conf} (77%) diff --git a/README.md b/README.md index 5c9df4a..7601260 100644 --- a/README.md +++ b/README.md 
@@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. -#### Disables and blacklists kernel modules +#### Blacklist and disable kernel modules -Certain kernel modules are disabled and blacklisted by default to reduce attack -surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. +Certain kernel modules are blacklisted and disabled by default to reduce attack +surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and +`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. - Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f64e762..4279cf2 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 1 file /etc/modprobe.d/30_security-misc.conf +## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf new file mode 100644 index 0000000..f516fe2 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
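Review bot: The maintscript hunk only rewrites the comment, while the diffstat renames the shipped conffile `etc/modprobe.d/30_security-misc.conf` to `30_security-misc_disable.conf`; dpkg does not remove a conffile a package stops shipping, so on upgraded systems the old `/etc/modprobe.d/30_security-misc.conf` stays in place next to the two new files and its `install`/`blacklist` lines keep applying (and silently diverge from the new files over time). Unless the rename is handled elsewhere in the packaging, add `mv_conffile /etc/modprobe.d/30_security-misc.conf /etc/modprobe.d/30_security-misc_disable.conf` next to the existing `rm_conffile` entries, in the same no-version style they use; a locally modified copy is then carried over instead of being orphaned.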
@@ -0,0 +1,80 @@ +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections. +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Do not disable by default for potential future ISO plans. +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +# +blacklist cdrom +blacklist sr_mod +# +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Conntrack: +## Disable automatic conntrack helper assignment. 
+## https://phabricator.whonix.org/T486 +# +options nf_conntrack nf_conntrack_helper=0 + +## Framebuffer Drivers: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +# +blacklist aty128fb +blacklist atyfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_bases +blacklist neofb +blacklist nvidiafb +blacklist pm2fb +blacklist radeonfb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +## Miscellaneous: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +# +blacklist ath_pci +blacklist amd76x_edac +blacklist asus_acpi +blacklist bcm43xx +blacklist eepro100 +blacklist eth1394 +blacklist evbug +blacklist de4x5 +blacklist garmin_gps +blacklist pcspkr +blacklist prism54 +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc_disable.conf similarity index 77% rename from etc/modprobe.d/30_security-misc.conf rename to etc/modprobe.d/30_security-misc_disable.conf index a4e8baa..0a676d1 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
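Review bot: `options nf_conntrack nf_conntrack_helper=0` is neither a `blacklist` nor an `install` directive, so it does not fit the file's own definition of blacklisting, and someone looking for module parameters will not think to open a file named `_blacklist.conf`. Either give it a file of its own or at least introduce it honestly, e.g. replace `## Conntrack:` with `## Conntrack (module parameter, neither blacklist nor disable):`. For the same reason the commented-out `#install cdrom ...` / `#install sr_mod ...` lines belong in the `_disable.conf` partner file if the intent is that re-enabling them is a one-line uncomment there; as placed, uncommenting them makes the blacklist file disable modules. The README sentence in this commit describes the two files as "blacklisted and disabled ... respectively", which the conntrack line and the commented install lines both contradict.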
@@ -8,77 +8,6 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# -blacklist cdrom -blacklist sr_mod -# -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Connection Tracking: -## Disable automatic conntrack helper assignment. -## https://phabricator.whonix.org/T486 -# -options nf_conntrack nf_conntrack_helper=0 - -## Framebuffer Drivers: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - -## Miscellaneous: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# -blacklist ath_pci -blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx -blacklist eepro100 -blacklist eth1394 -blacklist evbug -blacklist de4x5 -blacklist garmin_gps -blacklist pcspkr -blacklist prism54 -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse - ## Bluetooth: ## Disable Bluetooth to reduce attack 
surface due to extended history of security vulnerabilities. ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 8091b45..7e011e3 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 13e4592..55f4b0c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index b5b2426..6c7dd5a 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index dbcc7ce..cbde5d1 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 90b7076..f1a24bf 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 47bdcb1..0913fcf 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index e62f0c0..bbb57a8 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index f00086e..8035522 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index d153ceb..98f0840 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index aa7c639..4a9855e 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -5,6 +5,7 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable +.conf | args: $@" >&2 exit 1 From f31dc8aebc652b2037c375351fc478d9b5ba4c27 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 12 Jul 2024 16:21:03 +1000 Subject: [PATCH 1176/1650] Fix error in error script --- usr/bin/disabled-vivid-by-security-misc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index 4a9855e..f2d07b7 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -5,7 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable -.conf | args: $@" >&2 +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 From 41a3bf92fbdac88a1884dee735600cafa35134bf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 16:21:41 +1000 Subject: [PATCH 1177/1650] Sort `30_security-misc_disable.conf` --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 0a676d1..c9f5499 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -24,6 +24,17 @@ # #install msr /usr/bin/disabled-msr-by-security-misc +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +# +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues @@ -38,18 +49,7 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. -# -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Global Positioning Systems: +## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). # install gnss /usr/bin/disabled-gps-by-security-misc From 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e Mon Sep 17 00:00:00 2001 
From: Raja Grewal
Date: Fri, 12 Jul 2024 16:22:10 +1000
Subject: [PATCH 1178/1650] Update README.md relating to modprobe
---
 README.md | 72 +++++++++++++++++++++----------------------------------
 1 file changed, 27 insertions(+), 45 deletions(-)
diff --git a/README.md b/README.md
index 7601260..114b90c 100644
--- a/README.md
+++ b/README.md
@@ -124,62 +124,44 @@ modules for the user, like drivers etc., given they are plugged in on startup. #### Blacklist and disable kernel modules -Certain kernel modules are blacklisted and disabled by default to reduce attack -surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and -`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. +Certain kernel modules are blacklisted by default to reduce attack surface via +`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel +modules from automatically starting. -- Deactivates Netfilter's connection tracking helper - this module increases - kernel attack surface by enabling superfluous functionality such as IRC - parsing in the kernel. Hence, this feature is disabled. +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Thunderbolt and numerous FireWire kernel modules are also disabled as they - are often vulnerable to DMA attacks. +- Conntrack: Deactivates Netfilter's connection tracking helper - this module + increases kernel attack surface by enabling superfluous functionality such + as IRC parsing in the kernel. Hence, this feature is disabled. -- The MSR kernel module is disabled to prevent CPU MSRs from being abused to - write to arbitrary memory. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. -- Uncommon network protocols are blacklisted. This includes: +- Miscellaneous: Blacklist an assortment other modules to prevent them from + automatically loading. 
- - DCCP - Datagram Congestion Control Protocol - - SCTP - Stream Control Transmission Protocol - - RDS - Reliable Datagram Sockets - - TIPC - Transparent Inter-process Communication - - HDLC - High-Level Data Link Control - - AX25 - Amateur X.25 - - NetRom - - X25 - - ROSE - - DECnet - - Econet - - af_802154 - IEEE 802.15.4 - - IPX - Internetwork Packet Exchange - - AppleTalk - - PSNAP - Subnetwork Access Protocol - - p8023 - Novell raw IEEE 802.3 - - p8022 - IEEE 802.2 - - CAN - Controller Area Network - - ATM +Specific kernel modules are entirely disabled to reduce attack surface via +`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel +modules from starting. This approach should not be considered comprehensive, +rather it is a form of badness enumeration. -- Disables a large array of uncommon file systems and network file systems - that reduces the attack surface especially against legacy approaches. +- File Systems: Disable uncommon and legacy file systems. -- The vivid kernel module is only required for testing and has been the cause - of multiple vulnerabilities so it is disabled. +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Provides some disabling of the interface between the [Intel Management - Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) - and the OS. +- GPS: Disables GPS-related modules responsible systems such as for Global + Navigation Satellite System (GNSS). -- Disables several kernel modules responsible for GPS such as GNSS (Global - Navigation Satellite System). +- Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. -- Incorporates much of - [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) - default blacklist of modules to be blocked from automatically loading. - However, they are still permitted to load. 
+- Network File Systems: Disable uncommon and legacy network file systems. -- Blocks automatic loading of the modules needed to use of CD-ROM devices by - default. Not completely disabled yet. +- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. + +- Miscellaneous: Disable an assortment other modules such as vivid. + +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. ### Other From 2de3a795990234134be15be90aa55f547c064d92 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 22:41:40 +1000 Subject: [PATCH 1179/1650] Refactor existing sysctl for clarity --- README.md | 96 +++-- debian/security-misc.maintscript | 2 +- .../30_security-misc_kexec-disable.conf | 9 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 +- usr/lib/sysctl.d/990-security-misc.conf | 401 ++++++++++++------ 5 files changed, 330 insertions(+), 182 deletions(-) diff --git a/README.md b/README.md index 114b90c..9ed387b 100644 --- a/README.md +++ b/README.md 
@@ -6,57 +6,76 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings ### sysctl -sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file. -- A kernel pointer points to a specific location in kernel memory. These can - be very useful in exploiting the kernel so they are restricted to - `CAP_SYSLOG`. +Significant hardening is applied by default to a myriad of components within kernel +space, user space, core dumps, and swap space. -- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak - sensitive information such as kernel pointers. +- Restrict kernel addresses regardless of user privileges. -- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain + sensitive information. -- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to - 5.8) and JIT hardening techniques such as constant blinding are enabled. +- Prevent kernel information leaks in the console during boot. -- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel - versions prior to 5.8). +- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. -- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent - unprivileged attackers from loading vulnerable line disciplines with the - `TIOCSETD` ioctl which has been abused in a number of exploits before. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` - is often abused to exploit use-after-free flaws. 
+- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the + likelihood of use-after-free exploits. -- Kexec is disabled as it can be used to load a malicious kernel and gain - arbitrary code execution in kernel mode. +- Disable `kexec` as it can be used to replace the running kernel. -- Randomises the addresses for mmap base, heap, stack, and VDSO pages. +- Entirely disables the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilised. -- Prevents unintentional writes to attacker-controlled files. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Prevents common symlink and hardlink TOCTOU races. +- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Disables SysRq key completely. - * Therefore Secure Attention Key (SAK) cannot be used. - * https://www.kicksecure.com/wiki/SysRq +- Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- The kernel is only allowed to swap if it is absolutely necessary. This - prevents writing potentially sensitive contents of memory to disk. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. -- TCP timestamps are disabled as it can allow detecting the system time. +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Set coredump file name based on core_pattern value instead of the default of - naming it 'core'. +- Disallow unintentional writes to attacker-controlled files. -- Will disable `io_uring` interface for performing asynchronous I/O as it has - historically been a significant attack surface. +- Increase the maximum number of memory map areas a process is able to utilise. + +- Disable core dump files and prevent their creation. + +- Limit the copying of potentially sensitive content in memory to the swap device. + +Various networking components of the TCP/IP stack are hardened for IPv4/6. 
+ +- Enable TCP SYN cookie protection to assist against SYN flood attacks. + +- Protect against TCP time-wait assassination hazards. + +- Enables reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. + +- Disable ICMP redirect acceptance and redirect sending messages to + prevent man-in-the-middle attacks and minimise information disclosure. + +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. + +- Ignore bogus ICMP error responses. + +- Disable source routing which allows users redirect network traffic that + can result in man-in-the-middle attacks. + +- Do not accept IPv6 router advertisements and solicitations. + +- Disable TCP timestamps as it can allow detecting the system time. ### mmap ASLR @@ -193,21 +212,6 @@ rather it is a form of badness enumeration. ## Network hardening -- TCP syncookies are enabled to prevent SYN flood attacks. - -- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 - router advertisements are disabled to prevent man-in-the-middle attacks. - -- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, - make the device more difficult to enumerate on the network and prevent clock - fingerprinting through ICMP timestamps. - -- RFC1337 is enabled to protect against time-wait assassination attacks by - dropping RST packets for sockets in the time-wait state. - -- Reverse path filtering is enabled to prevent IP spoofing and mitigate - vulnerabilities such as CVE-2019-14899. - - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4279cf2..8636e0c 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 1 file /etc/sysctl.d/30_security-misc.conf +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index bbdf5ea..ad2f6bd 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,12 +1,11 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## kernel.kexec_load_disabled=1 ## Why is this in a dedicated config file? diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index b76a4b3..5ac7b6f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
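Review bot: The rewritten header above `kernel.kexec_load_disabled=1` in `30_security-misc_kexec-disable.conf` drops the one property an operator most needs to know: once this sysctl is set to 1 it cannot be set back to 0 without a reboot, which the replaced kernel-doc quote stated explicitly and the new two-line comment does not. The added `## Useful for live kernel patching without rebooting.` also reads as if disabling kexec is what is useful for that, when it is kexec itself that provides the capability and is exactly what is being given up here. I would replace the two new comment lines with `## Disables kexec, which can be used to boot into a replacement kernel without a firmware reboot.` followed by `## This toggle is one-way: once set to 1 it cannot be reset without rebooting.` The `## Why is this in a dedicated config file?` comment at the end of the hunk continues outside it.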
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 +## Prevent kernel information leaks in the console during boot. +## kernel.printk = 3 3 3 3 ## NOTE: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 371c265..c1bf3e9 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -2,177 +2,322 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed -## afterwards. See also: +## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is +## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`. ## https://github.com/Kicksecure/security-misc/pull/135 -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 +## This configuration file is split into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html -## Does not set coredump name to 'core' which is default. Defense in depth. -kernel.core_uses_pid=1 - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 - -## Don't allow writes to files that we don't own -## in world writable sticky directories, unless -## they are owned by the owner of the directory. -fs.protected_fifos=2 -fs.protected_regular=2 - -## Only allow symlinks to be followed when outside of -## a world-writable sticky directory, or when the owner -## of the symlink and follower match, or when the directory -## owner matches the symlink's owner. +## 1. 
Kernel Space: ## -## Prevent hardlinks from being created by users that do not -## have read/write access to the source file. -## -## These prevent many TOCTOU races. -fs.protected_symlinks=1 -fs.protected_hardlinks=1 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. +## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## kernel.kptr_restrict=2 -## Improves ASLR effectiveness for mmap. -## Both explicit sysctl are made redundant due to automation +## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## +## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation. +## +#kernel.printk=3 3 3 3s + +## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE. +## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. +## Reduces likelihood of use-after-free exploits from heap sprays. 
+## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. +## The Secure Attention Key (SAK) can no longer be utilised. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +kernel.sysrq=0 + +## Restrict user namespaces to CAP_SYS_ADMIN. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Restricting is well-known to cause breakages across numerous software. +## +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## +## Unprivileged user namespaces are currently enabled. +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +kernel.perf_event_paranoid=3 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Heap randomisation can lead to breakages with legacy applications. 
+## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + +## Disable asynchronous I/O for all processes. +## +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + + +## 2.User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## This may break some programs running under WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## +kernel.yama.ptrace_scope=2 + +## Maximise bits of entropy for improved effectiveness of mmap ASLR. +## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## Do NOT enable either - displaying only for clarity +## +## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of a world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. 
+## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 -## Randomize the addresses for mmap base, heap, stack, and VDSO pages -kernel.randomize_va_space=2 +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +fs.protected_fifos=2 +fs.protected_regular=2 -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 +## Increase the maximum number of memory map areas a process is permitted to utilise. +## Addresses performance, crash, and start-up issues for some memory intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. +## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 -## Disable asynchronous I/O for all processes. 
-## Valid only for linux kernel version >= 6.6. -## Command is retained here for future-proofing and completeness. -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 -kernel.io_uring_disabled=2 -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -## A martian packet is a one with a source address which is blatantly wrong -## Recommended to keep a log of these to identify these suspicious packets -## Good for troubleshooting and diagnostics but not necessary by default. -## Caused issue: -## https://github.com/Kicksecure/security-misc/issues/214 -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd is is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +fs.suid_dumpable=0 + +## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. +## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + + +## 4. Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimises the likelihood of writing potentially sensitive contents to disk. 
+## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## +vm.swappiness=1 + + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## net.ipv4.tcp_rfc1337=1 -## Disables ICMP redirect acceptance. +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 -## Ignores ICMP requests. +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 -## Ignores bogus ICMP error responses +## Ignore bogus ICMP error responses. 
+## Mitigates attacks designed to fill log files with useless error messages. +## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. +## Disable source routing which allows users redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end - - -## Previously disabled SACK, DSACK, and FACK. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 - - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end - - -## Disable SysRq key -kernel.sysrq=0 - -## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent -## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl which has been used in exploits before -## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## Do not accept IPv6 router advertisements and solicitations. ## -## https://lkml.org/lkml/2019/4/15/890 -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to root as it can make heap sprays -## easier. 
-## -## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 - -## Let the kernel only swap if it is absolutely necessary. -## Better not be set to zero: -## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## - https://en.wikipedia.org/wiki/Swappiness -vm.swappiness=1 - -## Disallow kernel profiling by users without CAP_SYS_ADMIN -## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.perf_event_paranoid=3 - -## Do not accept router advertisements net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 + +## Disable SACK, DSACK, and FACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. +## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 + +## Disable TCP timestamps to limit system fingerprinting via time. 
+## +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## +net.ipv4.tcp_timestamps=0 + +## Previously enabled logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for dangerous purposes. +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets +## Good for troubleshooting and diagnostics but not necessary by default. +## Known for causing performance issues especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://github.com/Kicksecure/security-misc/issues/214 +## +## The logging of martian packets is currently disabled. +## +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1 From 98580bb39a495a141e7b40792fd9d232fcf29d23 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 23:29:52 +1000 Subject: [PATCH 1180/1650] Update modprobe presentation --- .../30_security-misc_blacklist.conf | 14 ++++++--- etc/modprobe.d/30_security-misc_disable.conf | 31 ++++++++++++------- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index f516fe2..a4401f6 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -11,24 +11,27 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. ## Do not disable by default for potential future ISO plans. +## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# +## blacklist cdrom blacklist sr_mod -# +## #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc ## Conntrack: ## Disable automatic conntrack helper assignment. +## ## https://phabricator.whonix.org/T486 -# +## options nf_conntrack nf_conntrack_helper=0 ## Framebuffer Drivers: +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# +## blacklist aty128fb blacklist atyfb blacklist cirrusfb @@ -59,9 +62,10 @@ blacklist vt8623fb blacklist udlfb ## Miscellaneous: +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# +## blacklist ath_pci blacklist amd76x_edac blacklist asus_acpi diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c9f5499..f82ccb6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -10,24 +10,26 @@ ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -# +## ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. -# +## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install btusb /usr/bin/disabled-bluetooth-by-security-misc ## CPU Model-Specific Registers (MSRs): ## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 -# +## #install msr /usr/bin/disabled-msr-by-security-misc ## File Systems: ## Disable uncommon file systems to reduce attack surface. ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. -# +## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc @@ -37,8 +39,9 @@ install udf /usr/bin/disabled-filesys-by-security-misc ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. +## ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues -# +## install dv1394 /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc @@ -51,7 +54,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). -# +## install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc 
@@ -61,14 +64,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. +## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -# +## install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. -# +## install cifs /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc @@ -78,10 +82,11 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco -# +## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc 
@@ -103,17 +108,19 @@ install tipc /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc ## Miscellaneous: -# +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -# +## install vivid /usr/bin/disabled-vivid-by-security-misc ## Thunderbolt: ## Disables Thunderbolt modules to prevent some DMA attacks. +## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -# +## install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc From 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 23:30:55 +1000 Subject: [PATCH 1181/1650] Clarify README.mmd relating to module disabling --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 114b90c..668b793 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,8 @@ modules from automatically starting. Specific kernel modules are entirely disabled to reduce attack surface via `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel modules from starting. This approach should not be considered comprehensive, -rather it is a form of badness enumeration. +rather it is a form of badness enumeration. Any potential candidates for future +disabling should first be blacklisted for a suitable amount of time. - File Systems: Disable uncommon and legacy file systems. From 9f582665467fd4fdf20c83841305785024bceedf Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Sat, 13 Jul 2024 23:32:01 +1000 Subject: [PATCH 1182/1650] Move nf_conntrack_helper disabling into separate file --- README.md | 8 ++++---- debian/security-misc.maintscript | 2 +- etc/modprobe.d/30_security-misc_blacklist.conf | 7 ------- etc/modprobe.d/30_security-misc_conntrack.conf | 11 +++++++++++ 4 files changed, 16 insertions(+), 12 deletions(-) create mode 100644 etc/modprobe.d/30_security-misc_conntrack.conf diff --git a/README.md b/README.md index 668b793..b5cf7a3 100644 --- a/README.md +++ b/README.md @@ -124,16 +124,16 @@ modules for the user, like drivers etc., given they are plugged in on startup. #### Blacklist and disable kernel modules +Conntrack: Deactivates Netfilter's connection tracking helper module which +increases kernel attack surface by enabling superfluous functionality such +as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. + Certain kernel modules are blacklisted by default to reduce attack surface via `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Conntrack: Deactivates Netfilter's connection tracking helper - this module - increases kernel attack surface by enabling superfluous functionality such - as IRC parsing in the kernel. Hence, this feature is disabled. - - Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause kernel panics, and are generally only used by legacy devices. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4279cf2..5d115c3 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf +## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index a4401f6..6dce2d2 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -21,13 +21,6 @@ blacklist sr_mod #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc -## Conntrack: -## Disable automatic conntrack helper assignment. -## -## https://phabricator.whonix.org/T486 -## -options nf_conntrack nf_conntrack_helper=0 - ## Framebuffer Drivers: ## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf new file mode 100644 index 0000000..c1a641b --- /dev/null +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -0,0 +1,11 @@ +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Conntrack: +## Disable Netfilter's automatic connection tracking helper assignment. +## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. +## +## https://conntrack-tools.netfilter.org/manual.html +## https://forums.whonix.org/t/disable-conntrack-helper/18917 +## +options nf_conntrack nf_conntrack_helper=0 
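Review bot: The rewritten comment in debian/security-misc.maintscript lists the middle file without its directory while the other two carry the full path, which makes it look like a different location. Use the same form for all three: `## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, /etc/modprobe.d/30_security-misc_conntrack.conf and /etc/modprobe.d/30_security-misc_disable.conf`. The surrounding rm_conffile entries are unchanged and need nothing.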
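Review bot: In the new etc/modprobe.d/30_security-misc_conntrack.conf the line `## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.` reads as if disabling the helper is what increases attack surface; name the feature instead, e.g. `## Automatic helper assignment increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.` It would also help to record which kernels the option applies to: to my recollection automatic helper assignment has defaulted to off since Linux 4.7 and the `nf_conntrack_helper` module parameter and sysctl were removed upstream in 6.0, so on current kernels the option is a no-op that only yields an unknown-parameter message when the module loads (verify against the kernel history before stating it in the file). A line such as `## No effect on Linux >= 6.0 where the parameter no longer exists; retained for older kernels.` would stop readers from assuming the setting is still enforced.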
From 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 13 Jul 2024 15:01:16 +0000 Subject: [PATCH 1183/1650] bumped changelog version --- changelog.upstream | 80 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 86 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c63cf13..49f6141 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,83 @@ +commit ad860063aba0443a8ac8b9cf191d008617d6d904 +Merge: f34b9d7 9f58266 +Author: Patrick Schleizer +Date: Sat Jul 13 10:55:45 2024 -0400 + + Merge remote-tracking branch 'raja/modprobe' + +commit 9f582665467fd4fdf20c83841305785024bceedf +Author: Raja Grewal +Date: Sat Jul 13 23:32:01 2024 +1000 + + Move nf_conntrack_helper disabling into separate file + +commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a +Author: Raja Grewal +Date: Sat Jul 13 23:30:55 2024 +1000 + + Clarify README.mmd relating to module disabling + +commit 98580bb39a495a141e7b40792fd9d232fcf29d23 +Author: Raja Grewal +Date: Sat Jul 13 23:29:52 2024 +1000 + + Update modprobe presentation + +commit f34b9d7c45cd723535eedd3df99896ee7f852388 +Merge: 05c1711 5f10cc8 +Author: Patrick Schleizer +Date: Sat Jul 13 06:14:43 2024 -0400 + + Merge remote-tracking branch 'raja/modules' + +commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e +Author: Raja Grewal +Date: Fri Jul 12 16:22:10 2024 +1000 + + Update README.md relating to modprobe + +commit 41a3bf92fbdac88a1884dee735600cafa35134bf +Author: Raja Grewal +Date: Fri Jul 12 16:21:41 2024 +1000 + + Sort `30_security-misc_disable.conf` + +commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 +Author: Raja Grewal +Date: Fri Jul 12 16:21:03 2024 +1000 + + Fix error in error script + +commit b02230a783941da412be72fb52053db0c6b8010f +Author: Raja Grewal +Date: Fri Jul 12 02:42:37 2024 +1000 + + Split modprobe into blacklisted and disabled configurations + +commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 +Author: Raja Grewal +Date: Fri Jul 12 02:29:36 2024 +1000 + + Alphabetically sort existing modprobe + +commit fe20f3240e2f31099bcaa9f9e2045320df810edf +Author: Raja Grewal +Date: Fri Jul 12 02:28:48 2024 +1000 + + Refactor existing modprobe for clarity + +commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 +Author: Raja Grewal +Date: Fri Jul 12 02:27:56 2024 +1000 + + Remove redundant disabled modules + +commit 05c1711b16c96a221c13a011a6666fe6b385ec1e +Author: 
Patrick Schleizer +Date: Tue Jun 11 12:56:56 2024 +0000 + + bumped changelog version + commit e48115588caae8e51bb980ac84b1f0f415ca0d17 Merge: b316352 cad8d85 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 0cf310c..058cddc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 + security-misc (3:37.6-1) unstable; urgency=medium * New upstream version (local package). From 565597c9a282b08697d04204f5eb9c22153e77bd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 01:21:24 +1000 Subject: [PATCH 1184/1650] Minor documentation changes and fixes --- .../sysctl.d/30_security-misc_kexec-disable.conf | 13 +++++++------ usr/lib/sysctl.d/30_silent-kernel-printk.conf | 12 ++++-------- usr/lib/sysctl.d/990-security-misc.conf | 14 +++++++------- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index ad2f6bd..74c0bbf 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -1,15 +1,16 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## Why is this in a dedicated config file? +## Package ram-wipe requires kexec. However, ram-wipe could not ship a config +## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. +## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' +## it cannot be undone without reboot. This is a upstream Linux security feature. + ## Disables kexec which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 - -## Why is this in a dedicated config file? -## Package ram-wipe requires kexec. However, ram-wipe could not ship a config -## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. -## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' -## it cannot be undone without reboot. This is a upstream Linux security feature. diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 5ac7b6f..7283bcb 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,14 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg. +## Alternatively, install the debug-misc package which will undo these settings. + ## Prevent kernel information leaks in the console during boot. ## kernel.printk = 3 3 3 3 - -## NOTE: -## For higher verbosity, the user might also want to delete file -## /etc/default/grub.d/41_quiet.cfg -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. 
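Review bot: The relocated NOTE block in 30_security-misc_kexec-disable.conf still carries the slip `This is a upstream Linux security feature.`; since the lines are being moved anyway, make it `This is an upstream Linux security feature.` The context line `## Useful for live kernel patching without rebooting.` directly under `## Disables kexec which can be used to replace the running kernel.` reads as if the disabling is what is useful, whereas it describes the capability being given up; `## kexec is otherwise useful for live kernel patching without rebooting, which this setting forgoes.` keeps the trade-off explicit. The printk hunk in the same commit has no such problem.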
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1bf3e9..2f47e89 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -2,8 +2,8 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is -## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`. +## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is +## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 ## This configuration file is split into 5 sections: @@ -39,9 +39,9 @@ kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. ## -## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -#kernel.printk=3 3 3 3s +#kernel.printk=3 3 3 3 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. ## @@ -71,7 +71,7 @@ vm.unprivileged_userfaultfd=0 ## ## https://en.wikipedia.org/wiki/Kexec ## -## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation. +## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. ## #kernel.kexec_load_disabled=1 @@ -139,7 +139,7 @@ kernel.yama.ptrace_scope=2 ## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## -## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation. +## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 
@@ -314,7 +314,7 @@ net.ipv4.tcp_timestamps=0 ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. ## -## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. From dd1741c4a1cd18f34f69437c00f3a78a9ebd402a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 13:40:53 +1000 Subject: [PATCH 1185/1650] Some documentation additions and fixes --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2f47e89..322abb8 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -98,6 +98,7 @@ kernel.sysrq=0 ## Restricts kernel profiling to CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. +## Other distributions such as Ubuntu and Fedora may permit further restricting. ## ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ 
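Review bot: The added line `## Other distributions such as Ubuntu and Fedora may permit further restricting.` in the perf_event_paranoid block is vague about what is being compared and what "further" means. As far as I recall, upstream Linux documents perf_event_paranoid levels only up to 2, and the value 3 set here (disallow all unprivileged use) is honoured only by kernels carrying the Debian/Ubuntu/Android patch, with other kernels treating anything above 2 as 2; if that is the intended point, state it directly, e.g. `## Level 3 is a distribution kernel extension; upstream kernels treat values above 2 as 2.` Confirm against the documentation of the kernels actually shipped before committing the wording.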
@@ -126,9 +127,16 @@ kernel.io_uring_disabled=2 ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. -## This may break some programs running under WINE. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## It is possible to harden further by disabling ptrace() for all users, see documentation. ## kernel.yama.ptrace_scope=2 @@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 net.ipv4.tcp_fack=0 -## Disable TCP timestamps to limit system fingerprinting via time. +## Disable TCP timestamps to limit device fingerprinting via system time. ## ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html ## net.ipv4.tcp_timestamps=0 -## Previously enabled logging of packets with impossible source or destination addresses. +## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for dangerous purposes. -## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. ## 
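Review bot: `## It is possible to harden further by disabling ptrace() for all users, see documentation.` names neither the setting nor the documentation, which is exactly what a reader of this block needs. The Yama document already linked in the hunk defines the stricter level as `kernel.yama.ptrace_scope=3`, which disables ptrace attach for everyone and, once written, cannot be lowered again without a reboot — that irreversibility is the operational caveat worth stating next to the suggestion. Suggest replacing the line with `## Setting kernel.yama.ptrace_scope=3 disables ptrace() attach entirely; once set it cannot be lowered without a reboot (see the Yama link above).`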
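Review bot: The rewritten heading `## Enable logging of packets with impossible source or destination addresses.` reads as a statement of what the file does, while the earlier hunk in this same file states `## The logging of martian packets is currently disabled.` and the log_martians directives (below this hunk, not visible here) are presumably still commented out. The README hunk in this series describes it as an option; matching that wording here avoids a reader assuming logging is active: `## Provide option to enable logging of packets with impossible source or destination addresses.`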
From 2b9e174c9db69f2c30828aae236c631d46255e07 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 16:22:52 +1000 Subject: [PATCH 1186/1650] Remove empty lines --- usr/lib/sysctl.d/990-security-misc.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 322abb8..5fbe51c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -120,7 +120,6 @@ kernel.randomize_va_space=2 ## kernel.io_uring_disabled=2 - ## 2.User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace @@ -184,7 +183,6 @@ fs.protected_regular=2 ## vm.max_map_count=1048576 - ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps @@ -207,7 +205,6 @@ fs.suid_dumpable=0 ## kernel.core_uses_pid=1 - ## 4. Swap Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap @@ -219,7 +216,6 @@ kernel.core_uses_pid=1 ## vm.swappiness=1 - ## 5. Networking: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network From 5cf9afc21563712b851850e2041141807503807c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 17:05:49 +1000 Subject: [PATCH 1187/1650] Include optional `sysctl`'s in README.md --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ed387b..d49d65f 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,9 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. +- Provide option to disable unprivileged user namespaces as they can lead to + privilege escalation. + - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. 
@@ -42,7 +45,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. + enables programs to inspect and modify other active processes. Provide option + to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -75,8 +79,14 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. +- Provide option to disable SACK and DSACK as they have historically been a + vector for exploitation. + - Disable TCP timestamps as it can allow detecting the system time. +- Provide option to log of packets with impossible source or destination + addresses to enable inspection and further analysis. + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via From acd60e45d8cbc98ea935c9bf035f2840622ab58d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 20:07:31 +1000 Subject: [PATCH 1188/1650] Add comment about enabling core dump files --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d49d65f..5d9b594 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,8 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilise. -- Disable core dump files and prevent their creation. +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be nammed based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. From a33d4cd099b8cbf569ff35627eeacf3562a4371e Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Mon, 15 Jul 2024 01:56:25 +1000 Subject: [PATCH 1189/1650] Refactor existing kernel parameters for clarity --- README.md | 65 ++++--- etc/default/grub.d/40_cpu_mitigations.cfg | 59 +++--- etc/default/grub.d/40_distrust_bootloader.cfg | 7 - etc/default/grub.d/40_distrust_cpu.cfg | 12 -- etc/default/grub.d/40_enable_iommu.cfg | 17 -- etc/default/grub.d/40_kernel_hardening.cfg | 183 ++++++++++++++---- .../grub.d/40_only_allow_signed_modules.cfg | 8 - ...mount-secure.cfg => 40_remount_secure.cfg} | 15 +- etc/default/grub.d/40_signed_modules.cfg | 25 +++ etc/default/grub.d/41_quiet.cfg | 27 --- etc/default/grub.d/41_quiet_boot.cfg | 21 ++ 11 files changed, 284 insertions(+), 155 deletions(-) delete mode 100644 etc/default/grub.d/40_distrust_bootloader.cfg delete mode 100644 etc/default/grub.d/40_distrust_cpu.cfg delete mode 100644 etc/default/grub.d/40_enable_iommu.cfg delete mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg rename etc/default/grub.d/{40_remmount-secure.cfg => 40_remount_secure.cfg} (52%) create mode 100644 etc/default/grub.d/40_signed_modules.cfg delete mode 100644 etc/default/grub.d/41_quiet.cfg create mode 100644 etc/default/grub.d/41_quiet_boot.cfg diff --git a/README.md b/README.md index b5cf7a3..fde0464 100644 --- a/README.md +++ b/README.md 
@@ -67,36 +67,54 @@ configuration file. ### Boot parameters -Boot parameters are outlined in configuration files located in the -`etc/default/grub.d/` directory. +Mitigations for known CPU vulnerabilities are enabled in their strictest form +and simultaneous multithreading (SMT) is disabled. See the +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. -- Slab merging is disabled which significantly increases the difficulty of - heap exploitation by preventing overwriting objects from merged caches and - by making it harder to influence slab cache layout. +Boot parameters relating to kernel hardening, DMA mitigations, and entropy +generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +configuration file. -- Memory zeroing at allocation and free time is enabled to mitigate some - use-after-free vulnerabilities and erase sensitive information in memory. +- Disable merging of slabs with similar size which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. -- Page allocator freelist randomization is enabled. +- Provides option to enable sanity checks and red zoning via slab debugging. + Not reccommened due to implicit disabling of kernel pointer hashing. -- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - KASLR effectiveness. +- Enable Memory zeroing at both allocation and free time which mitigate some + use-after-free vulnerabilities by erasing sensitive information in memory. -- vsyscalls are disabled as they are obsolete, are at fixed addresses and - thus, are a potential target for ROP. +- Enable the kernel page allocator to randomise free lists to limit some data + exfiltration and ROP attacks especially during the early boot process. -- The kernel panics on oopses to thwart certain kernel exploits. +- Enable kernel page table isolation increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. 
-- Enables randomisation of the kernel stack offset on syscall entries. +- Enables randomisation of the kernel stack offset on syscall entries to harden + against memory corruption attacks. -- Mitigations for known CPU vulnerabilities are enabled and SMT is - disabled. +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. -- IOMMU is enabled to prevent DMA attacks along with strict enforcement of - IOMMU TLB invalidation so devices will never be able to access stale data - contents. +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. -- Distrust the 'randomly' generated CPU and bootloader seeds. +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. + +- Provide option to modify machine check exception handler. + +- Enable strict IOMMU translation to protect against DMA attacks and disable + the busmaster bit on all PCI bridges during the early boot process. + +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximise the absolute quantity of entropy the pool. + +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialised. + +Disallow sensitive kernel information leaks in the console during boot. See +the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file. ### Kernel Modules @@ -109,7 +127,7 @@ Not yet due to issues: See: -- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +- `/etc/default/grub.d/40_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact 
@@ -259,8 +277,9 @@ See: `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. - Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. For references, see: - `/etc/default/grub.d/40_distrust_cpu.cfg` + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` - Gathers more entropy during boot if using the linux-hardened kernel patch. diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 99582ae..13d8ffd 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,99 +1,114 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables known mitigations for CPU vulnerabilities. -## +## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Check for potential updates directly from AMD and Intel. -## ## https://www.amd.com/en/resources/product-security.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" +## Disable SMT as it has been the cause of and amplified numerous CPU exploits. +## The only full mitigation of cross-HT attacks is to disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) ## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). 
## ## https://www.suse.com/support/kb/doc/?id=000019189 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## Enable mitigations for the MDS vulnerability through clearing buffer cache ## and disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using +## Patches the TAA vulnerability by disabling TSX and enable mitigations using ## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. -## Only mitigated through microcode updates from Intel. +## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions +## are only possible through microcode updates from Intel. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Force disable SMT as it has caused numerous CPU vulnerabilities. -## The only full mitigation of cross-HT attacks is to disable SMT. 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Enables the prctl interface to prevent leaks from L1D on context switches. +## Enable the prctl() interface to prevent leaks from L1D on context switches. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. +## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## ## https://www.suse.com/support/kb/doc/?id=000020693 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. -## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' -## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Mitigates Gather Data Sampling (GDS) vulnerability. +## Enable Gather Data Sampling (GDS) mitigation. ## Note for systems that have not received a suitable microcode update this will ## entirely disable use of the AVX instructions set. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" \ No newline at end of file diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg deleted file mode 100644 index eb26262..0000000 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the bootloader for initial entropy at boot. -## -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg deleted file mode 100644 index 5cfaba9..0000000 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ /dev/null 
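Review bot: The rewritten 40_cpu_mitigations.cfg now ends without a trailing newline (`\ No newline at end of file` after the `reg_file_data_sampling=on` line) whereas the previous version had one. These snippets use shell assignment syntax and are presumably sourced, so nothing breaks, but line-oriented tooling and every future diff of this file will keep flagging the last line — add the newline back. While here, the TAA comment mixes mood: `## Patches the TAA vulnerability by disabling TSX and enable mitigations using`; the hunk switches the other headings to the imperative, so `## Patch the TAA vulnerability by disabling TSX and enable mitigations using` keeps it consistent.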
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the CPU for initial entropy at boot as it is not possible to -## audit, may contain weaknesses or a backdoor. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://twitter.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg deleted file mode 100644 index 898e500..0000000 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Enables IOMMU to prevent DMA attacks. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation" - -## Disable the busmaster bit on all PCI bridges during very -## early boot to avoid holes in IOMMU. -## -## https://mjg59.dreamwidth.org/54433.html -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents -## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 -## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 4c70928..0129fe9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -5,58 +5,169 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## Disables the merging of slabs of similar sizes. -## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +## This configuration file is split into 3 sections: +## 1. Kernel Space +## 2. Direct Memory Access +## 3. Entropy + +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://wiki.archlinux.org/title/Kernel_parameters#GRUB + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters + +## Disable merging of slabs with similar size. +## Reduces the risk of triggering heap overflows. +## Prevents overwriting objects from merged caches and limits influencing slab cache layout. +## +## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 +## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F) and redzoning (Z). -## Disabled due to kernel deciding to implicitly disable kernel pointer hashing -## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 +## Enable sanity checks and red zoning of slabs. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## +## Disabled as enabling this implicitly disables kernel pointer hashing. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -## Zero memory at allocation and free time. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" +## Zero memory at allocation time and free time. +## Fills newly allocated pages, freed pages, and heap objects with zeros. 
+## Mitigates use-after-free exploits by erasing sensitive information in memory. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Machine check exception handler decides whether the system should panic or not based on the exception that happened. -## https://forums.whonix.org/t/kernel-hardening/7296/494 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - -## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Enables page allocator freelist randomization. +## Enable the kernel page allocator to randomise free lists. +## During early boot the page allocator has predictable FIFO behaviour for physical pages. +## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. +## Also improves performance by optimising memory-side cache utilisation. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 +## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. +## Mitigates the Meltdown CPU vulnerability. +## +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" + +## Enable randomisation of the kernel stack offset on syscall entries. +## Hardens against memory corruption attacks due to increased entropy. 
+## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. +## ## https://lkml.org/lkml/2019/3/18/246 +## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" -## Enables kernel lockdown. +## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. +## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. ## -## Disabled for now as it enforces module signature verification which breaks -## too many things. -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## https://lwn.net/Articles/446528/ +## https://en.wikipedia.org/wiki/VDSO ## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" -## Gather more entropy during boot. +## Restrict access to debugfs by not registering the file system. +## Deactivated since the file system can contain sensitive information. ## -## Requires linux-hardened kernel patch. -## https://github.com/anthraxx/linux-hardened -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 -## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to panic on "oopses" (which may be due to false positives) +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Also cause panics on machine check exceptions. +## Panics may be due to false-positives such as bad drivers. 
+## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## Implemented differently: -## /usr/libexec/security-misc/panic-on-oops +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" + +## Modify machine check exception handler. +## Can decide whether the system should panic or not based on the occurrence of an exception. +## +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://forums.whonix.org/t/kernel-hardening/7296/494 +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## 2. Direct Memory Access: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks + +## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu" + +## Enable and force use of IOMMU translation to protect against DMA attacks. +## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. +## Ensures devices will never be able to access stale data contents. +## +## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit +## https://en.wikipedia.org/wiki/DMA_attack +## https://lenovopress.lenovo.com/lp1467.pdf +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" + +## Disable the busmaster bit on all PCI bridges during the early boot process. +## Patches weak-point in some existing IOMMU implementations. +## May lead to issues such as complete system boot failure on certain devices. 
+## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +## https://mjg59.dreamwidth.org/54433.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## 3. Entropy: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand + +## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## The RDRAND CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND have a long history of being defective. +## The RNG seed passed by the bootloader could also potentially be tampered. +## Maximising the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialise the RNG. +## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://systemd.io/RANDOM_SEEDS/ +## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ +## https://x.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Obtain more entropy during boot as the runtime memory allocator is being initialised. +## Entropy will be extracted from up to the first 4GB of RAM. +## Requires the linux-hardened kernel patch. 
+## +## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened +## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 +## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg deleted file mode 100644 index 5d1a357..0000000 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ /dev/null @@ -1,8 +0,0 @@ -## Requires every module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This makes it harder to load a malicious module. -## -## Not enabled by default yet due to issues: -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remount_secure.cfg similarity index 52% rename from etc/default/grub.d/40_remmount-secure.cfg rename to etc/default/grub.d/40_remount_secure.cfg index 4bdc3a9..c180456 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg 
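Review bot: `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu"` in the new Direct Memory Access section drops the `=on` that the removed 40_enable_iommu.cfg line carried (`intel_iommu=on amd_iommu=force_isolation`). The kernel's intel_iommu option takes a value, so a bare `intel_iommu` is not the enabling form and, on kernels that do not default the Intel IOMMU to on, this looks like a silent loss of the DMA protection the comment above it promises. Restore `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"`. Since grub will not complain about an unrecognised parameter, it is worth confirming after reboot that the kernel log reports IOMMU/DMAR initialisation on an Intel machine.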
@@ -1,16 +1,25 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Remount Secure provides enhanced security via mmount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure +## Option A (No Security): ## Disable Remount Secure. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" -## Re-mount with nodev, nosuid only. +## Option B (Low Security): +## Re-mount with nodev and nosuid only. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" -## Re-mount with nodev, nosuid and most with noexec except for /home. +## Option C (Medium Security): +## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" -## Re-mount with nodev, nosuid and all with noexec including /home. +## Option D (Highest Security) +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg new file mode 100644 index 0000000..9a6a101 --- /dev/null +++ b/etc/default/grub.d/40_signed_modules.cfg 
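Review bot: The new header line `## Remount Secure provides enhanced security via mmount options:` has a typo (`mmount` → `mount`), and `## Option D (Highest Security)` lacks the colon the other three option headings carry. More useful to a reader: every `remountsecure=` line in the file stays commented out and nothing says which level applies when none is uncommented. A line such as `## If none of the options below is uncommented, the package default applies (see the wiki link above).` would close that gap; the actual default is not visible in this diff, so name it only if it is known.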
@@ -0,0 +1,25 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Require every kernel module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This prevents all out-of-tree kernel modules unless signed. +## This makes it harder to load a malicious module. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +## +## Not enabled by default yet due to several issues. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" + +## Enable kernel lockdown to enforce security boundary between user and kernel space. +## Confidentiality mode enforces module signature verification. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +## ## Not enabled by default yet due to several issues. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg deleted file mode 100644 index ecb268b..0000000 --- a/etc/default/grub.d/41_quiet.cfg +++ /dev/null 
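Review bot: The line `+## ## Not enabled by default yet due to several issues.` has a doubled comment marker and should read `## Not enabled by default yet due to several issues.`, matching the same sentence earlier in the file. The sentence `## Confidentiality mode enforces module signature verification.` is imprecise: lockdown's integrity mode already enforces signed modules, and confidentiality mode adds restrictions on extracting information from kernel memory, so a reader should not conclude that confidentiality is required for module signing; suggest `## Both lockdown modes enforce module signature verification; confidentiality additionally blocks reading kernel memory from user space.` The commented `dpkg --compare-versions "${kver}" ge "5.4"` depends on `kver` having been set by 40_kernel_hardening.cfg (whose lookup falls back to `|| true`, so `kver` may be empty), which only holds if the grub.d files are sourced in name order; a comment such as `## Relies on kver set in 40_kernel_hardening.cfg; an empty kver makes the comparison meaningless.` would make that dependency visible to whoever enables the block.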
@@ -1,27 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - -## If verbosity is desired, the user might want to out-comment the following line. -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" - -## NOTE: -## After editing this file, running: -## sudo update-grub -## is required. -## -## If higher verbosity is desired, the user might also want to delete file -## /etc/sysctl.d/30_silent-kernel-printk.conf -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg new file mode 100644 index 0000000..48a38d4 --- /dev/null +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -0,0 +1,21 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## NOTE: +## For higher verbosity, delete file /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, install the debug-misc package which will undo theses settings. + +## LANG=C str_replace is provided by package helper-scripts. + +## The following command actually removed "quiet" from the kernel command line. +## If verbosity is desired, the user might want to keep this line. +## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + +## Prevent sensitive kernel information leaks in the console during boot. +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-kernel +## https://wiki.archlinux.org/title/silent_boot +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" From f550fbe07cafb75112e98268730d1bcc511489e2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 01:59:04 +1000 Subject: [PATCH 1190/1650] Add option to disable the entire IPv6 stack functionality --- README.md | 2 ++ etc/default/grub.d/40_kernel_hardening.cfg | 15 +++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/README.md b/README.md index fde0464..a55002e 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,8 @@ configuration file. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialised. +- Provide option to disable the entire IPv6 stack to reduce attack surface. + Disallow sensitive kernel information leaks in the console during boot. See the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 0129fe9..c4575b3 100644 
--- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## 1. Kernel Space ## 2. Direct Memory Access ## 3. Entropy +## 4. Networking ## See the documentation below for details on the majority of the selected commands. ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html @@ -171,3 +172,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" + +## 4. Networking +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters + +## Disable the entire IPv6 stack functionality. +## Removes attack surface associated with the IPv6 module. +## +## https://www.kernel.org/doc/html/latest/networking/ipv6.html +## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 +## +## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. +## +#ipv6.disable=1 \ No newline at end of file From 99038c7a0621f5c9852638c1706c5306b42e6480 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 02:02:01 +1000 Subject: [PATCH 1191/1650] Add option to disable support for x86 processes and syscalls in the future --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index a55002e..238e2c1 100644 --- a/README.md +++ b/README.md 
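Review bot: The added `+#ipv6.disable=1` is not in the form every other parameter in this file uses, so a user who uncomments it gets the bare shell statement `ipv6.disable=1` when grub-mkconfig sources the file, which is a "command not found" rather than an added kernel parameter and, given grub-mkconfig's error handling, likely aborts the update-grub run; it should be `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"`. The `+#ia32_emulation=0` line added in the next commit's hunk of the same file (`@@ -109,6 +109,15 @@`) has the same problem and should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"`. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); harmless for a sourced file, but worth fixing while the block is being touched.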
@@ -104,6 +104,9 @@ configuration file. - Provide option to modify machine check exception handler. +- Provide option to disable support for all x86 processes and syscalls to reduce + attack surface (when using Linux kernel version >= 6.7). + - Enable strict IOMMU translation to protect against DMA attacks and disable the busmaster bit on all PCI bridges during the early boot process. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index c4575b3..36cf099 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Disable support for x86 processes and syscalls. +## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## +## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## +#ia32_emulation=0 + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 02:04:25 +1000 Subject: [PATCH 1192/1650] Remove the optional `slub_debug` parameter since it is no longer recommended --- README.md | 3 --- etc/default/grub.d/40_kernel_hardening.cfg | 9 --------- 2 files changed, 12 deletions(-) diff --git a/README.md b/README.md index 238e2c1..f2bf497 100644 --- a/README.md +++ b/README.md 
@@ -78,9 +78,6 @@ configuration file. - Disable merging of slabs with similar size which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Provides option to enable sanity checks and red zoning via slab debugging. - Not reccommened due to implicit disabling of kernel pointer hashing. - - Enable Memory zeroing at both allocation and free time which mitigate some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 36cf099..fcc5352 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -28,15 +28,6 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs. -## -## https://www.kernel.org/doc/html/latest/mm/slub.html -## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u -## -## Disabled as enabling this implicitly disables kernel pointer hashing. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" - ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. ## Mitigates use-after-free exploits by erasing sensitive information in memory. From 69c8e849270393537d3e024137bc20a42c848333 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 14:38:21 +1000 Subject: [PATCH 1193/1650] Fix typos --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f2bf497..f53d126 100644 --- a/README.md +++ b/README.md 
@@ -78,7 +78,7 @@ configuration file. - Disable merging of slabs with similar size which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Enable Memory zeroing at both allocation and free time which mitigate some +- Enable memory zeroing at both allocation and free time which mitigate some use-after-free vulnerabilities by erasing sensitive information in memory. - Enable the kernel page allocator to randomise free lists to limit some data @@ -108,7 +108,7 @@ configuration file. the busmaster bit on all PCI bridges during the early boot process. - Do not credit the CPU or bootloader as entropy sources at boot in order to - maximise the absolute quantity of entropy the pool. + maximise the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialised. From f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 14:39:12 +1000 Subject: [PATCH 1194/1650] Update presentation of `quiet loglevel=0` --- etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++ etc/default/grub.d/41_quiet_boot.cfg | 26 +++++++++++----------- 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fcc5352..0854a4f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -100,6 +100,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/next/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 48a38d4..c06ac8f 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg 
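Review bot: The commented pair lists `loglevel=0` before `quiet`; the 41_quiet.cfg this series removes documented that `"quiet" must be first`, and as far as I know the kernel applies both early parameters in command-line order with `quiet` setting the console loglevel to its own quiet value, so a `quiet` placed after `loglevel=0` would override the 0. Suggest swapping the two lines so `quiet` precedes `loglevel=0`; the active copy in this commit's 41_quiet_boot.cfg hunk appends the two parameters in the same reversed order. The block also says `See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.` and a few lines later `See /etc/default/grub.d/41_quiet_boot.cfg for implementation.`, which reads as two implementations of one setting; wording such as `## The sysctl half lives in /usr/lib/sysctl.d/30_silent-kernel-printk.conf; the active boot-parameter lines live in /etc/default/grub.d/41_quiet_boot.cfg.` makes the split clear. The 990-security-misc.conf hunk in the later "Update presentation of the kernel.printk sysctl" commit gains the same pair of "for implementation" references and would benefit from the same rewording.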
@@ -1,21 +1,21 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## NOTE: -## For higher verbosity, delete file /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, install the debug-misc package which will undo theses settings. - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - ## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-kernel +## https://www.kernel.org/doc/html/next/core-api/printk-basics.html ## https://wiki.archlinux.org/title/silent_boot ## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +## For easier debugging, these are not applied to the recovery boot option. +## Switch the pair of commands to universally apply parameters to all boot options. +## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## For Increased Log Verbosity: +## Comment-out the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, install the debug-misc package which will undo theses settingss. From fbfdb0fa99087e4160979b612db04e63a1d3e3b1 Mon Sep 17 00:00:00 2001 
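Review bot: The rewrite drops `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` together with its rationale comment, but nothing in the new text says why de-duplicating `quiet` is no longer needed; if the distribution default already contains `quiet`, as the removed comment implies, the resulting command line is now `quiet loglevel=0 quiet`, with the trailing `quiet` after `loglevel=0` — exactly the ordering the removed comment warned against. If dropping the de-duplication is intentional, record it with a comment such as `## The stock "quiet" is deliberately left in place; helper-scripts' str_replace is no longer required here.`, and swap the two appended lines so `quiet` is added before `loglevel=0`.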
From: Raja Grewal Date: Mon, 15 Jul 2024 14:40:03 +1000 Subject: [PATCH 1195/1650] Update `security-misc.maintscript` relating to grub --- debian/security-misc.maintscript | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 5d115c3..78a36fd 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -66,3 +66,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
 rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
+rm /etc/default/grub.d/40_distrust_bootloader.cfg
+rm /etc/default/grub.d/40_distrust_cpu.cfg
+rm /etc/default/grub.d/40_enable_iommu.cfg
+
+## renamed to /etc/default/grub.d/40_remount_secure.cfg
+rm /etc/default/grub.d/40_remmount-secure.cfg
+
+## renamed to /etc/default/grub.d/40_signed_modules.cfg
+rm /etc/default/grub.d/40_only_allow_signed_modules.cfg
+
+## renamed to /etc/default/grub.d/41_quiet_boot.cfg
+rm /etc/default/grub.d/41_quiet.cfg
From d229e8b04d914803fa66c3a695022cfb2d9b2a25 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 14:50:29 +1000 Subject: [PATCH 1196/1650] Fix link --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 0854a4f..eaedccb 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
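Review bot: The six new entries use `rm`, which is not a command that `dpkg-maintscript-helper` understands (it supports `rm_conffile`, `mv_conffile`, `symlink_to_dir` and `dir_to_symlink`), so either dh_installdeb rejects the lines at build time or the generated maintainer scripts fail on install or upgrade; every other entry in this file uses `rm_conffile`. The merged and renamed files live under /etc and are conffiles, so the lines should read e.g. `rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg` and `rm_conffile /etc/default/grub.d/41_quiet.cfg`. `rm_conffile` also preserves a locally modified copy under a `.dpkg-bak` suffix instead of discarding user edits, while still removing the old `*.cfg` name that update-grub would otherwise keep sourcing.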
@@ -104,7 +104,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -## https://www.kernel.org/doc/html/next/core-api/printk-basics.html +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## https://wiki.archlinux.org/title/silent_boot ## ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index c06ac8f..7bccbaa 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -5,7 +5,7 @@ ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -## https://www.kernel.org/doc/html/next/core-api/printk-basics.html +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## https://wiki.archlinux.org/title/silent_boot ## ## For easier debugging, these are not applied to the recovery boot option. From c8385d82fbd6ba16ba1f0b4969661474966b74f1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 14:57:40 +1000 Subject: [PATCH 1197/1650] Clarify instructions for increasing log verbosity --- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 7bccbaa..c07d874 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -17,5 +17,5 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## For Increased Log Verbosity: -## Comment-out the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. ## Alternatively, install the debug-misc package which will undo theses settingss. From 1c2afc1f253e15d2605d1bef0e323e6e972a2484 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 15:01:48 +1000 Subject: [PATCH 1198/1650] Update presentation of the `kernel.printk` sysctl --- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 14 +++++++++----- usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 7283bcb..de73876 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,10 +1,14 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## NOTE: -## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg. -## Alternatively, install the debug-misc package which will undo these settings. - ## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -kernel.printk = 3 3 3 3 +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +kernel.printk=3 3 3 3 + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. +## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 5fbe51c..c1316be 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -38,6 +38,10 @@ kernel.kptr_restrict=2 kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## From b2657bc61fb15bb89d62f0743a36835c1f0dda8a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 15:05:00 +1000 Subject: [PATCH 1199/1650] Improve docs --- README.md | 2 +- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f53d126..1a38546 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ configuration file. - Provide option to disable the entire IPv6 stack to reduce attack surface. Disallow sensitive kernel information leaks in the console during boot. See -the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file. +the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. ### Kernel Modules diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index c07d874..25d819a 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -18,4 +18,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" ## For Increased Log Verbosity: ## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, install the debug-misc package which will undo theses settingss. +## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file 
From e0696d02a234e6f7ab9fb601ffe58e7d953846a2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:46:04 +1000 Subject: [PATCH 1200/1650] Update `security-misc.maintscript` Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. --- debian/security-misc.maintscript | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 5d115c3..59043e5 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -31,6 +31,7 @@ rm_conffile /etc/modprobe.d/vivid.conf rm_conffile /etc/modprobe.d/blacklist-dma.conf rm_conffile /etc/modprobe.d/msr.conf rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf +rm_conffile /etc/modprobe.d/30_security-misc.conf ## renamed to /etc/security/limits.d/30_security-misc.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf From 4476a477a77c98cf4334fbcb866bc8f113f568ac Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:47:07 +1000 Subject: [PATCH 1201/1650] Provide option to disable more Bluetooth modules --- etc/modprobe.d/30_security-misc_disable.conf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index f82ccb6..bd6a181 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -16,7 +16,22 @@
 ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
+#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+#install btintel /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btqca /usr/bin/disabled-bluetooth-by-security-misc
+#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 
 ## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
From 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:47:56 +1000 Subject: [PATCH 1202/1650] Disable more file systems --- etc/modprobe.d/30_security-misc_disable.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index bd6a181..e36f074 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -43,13 +43,15 @@ ## File Systems: ## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc ## FireWire (IEEE 1394): From 82c5a93f7cf2846490120c5262a146a313a5ce47 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:53:07 +1000 Subject: [PATCH 1203/1650] Disable another GPS module --- README.md | 4 ++-- etc/modprobe.d/30_security-misc_blacklist.conf | 1 - etc/modprobe.d/30_security-misc_disable.conf | 1 + 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b5cf7a3..442c2be 100644 --- a/README.md +++ b/README.md @@ -150,8 +150,8 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- GPS: Disables GPS-related modules responsible systems such as for Global - Navigation Satellite System (GNSS). +- GPS: Disable GPS-related modules such as those required for Global Navigation + Satellite Systems (GNSS). - Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 6dce2d2..c192c3c 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
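Review bot: `jfs` and `reiserfs` go straight to `install ... /usr/bin/disabled-filesys-by-security-misc`, while the README context visible in this same commit series states that modules slated for disabling `should first be blacklisted for a suitable amount of time`; both were common root filesystems until fairly recently, and on Debian-based systems initramfs-tools copies /etc/modprobe.d into the initramfs, so a machine whose root or data volume sits on one of them could fail to mount it after the next update-initramfs and reboot. An `install` line only affects future module loads, so an already-mounted filesystem keeps working until that reboot, which is when the problem would surface. Suggest following the stated policy: add `blacklist jfs` and `blacklist reiserfs` to 30_security-misc_blacklist.conf first and promote them to `install` lines later. The "Disable more network file systems" hunk in this series (`nfsd`, `nfsv2`, `nfs_acl`, `cifs_arc4`, `cifs_md4`, the pNFS layout modules) skips the blacklist stage in the same way.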
@@ -67,7 +67,6 @@ blacklist eepro100 blacklist eth1394 blacklist evbug blacklist de4x5 -blacklist garmin_gps blacklist pcspkr blacklist prism54 blacklist snd_aw2 diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index e36f074..40bcf7f 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -72,6 +72,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## +install garmin_gps /usr/bin/disabled-gps-by-security-misc install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc From 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:54:18 +1000 Subject: [PATCH 1204/1650] Disable more network file systems --- etc/modprobe.d/30_security-misc_disable.conf | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 40bcf7f..423aced 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -91,10 +91,23 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Common Internet File System (CIFS):
+##
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Network File System (NFS):
+##
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
+install nfsd /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 
From 51f7776bc8722752d53fc503b0c79564d8715d4c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:56:12 +1000 Subject: [PATCH 1205/1650] Disable more network protocols/drivers --- .../30_security-misc_blacklist.conf | 2 - etc/modprobe.d/30_security-misc_disable.conf | 57 +++++++++++++++++-- 2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index c192c3c..c35af0b 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -63,8 +63,6 @@ blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
 blacklist bcm43xx
-blacklist eepro100
-blacklist eth1394
 blacklist evbug
 blacklist de4x5
 blacklist pcspkr
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 423aced..9ba5f84 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -115,28 +115,73 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## ## https://tails.boum.org/blueprint/blacklist_modules/ -## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) +## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco ## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc -install atm /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc +install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc +install eepro100 /usr/bin/disabled-network-by-security-misc +install eth1394 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc install p8022 /usr/bin/disabled-network-by-security-misc install p8023 /usr/bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc -install rds /usr/bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc -install sctp /usr/bin/disabled-network-by-security-misc -install tipc /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc +## +## Asynchronous Transfer Mode (ATM): +## +install atm /usr/bin/disabled-network-by-security-misc +install ueagle-atm /usr/bin/disabled-network-by-security-misc +install usbatm 
/usr/bin/disabled-network-by-security-misc +install xusbatm /usr/bin/disabled-network-by-security-misc +## +## Controller Area Network (CAN) Protocol: +## +install c_can /usr/bin/disabled-network-by-security-misc +install c_can_pci /usr/bin/disabled-network-by-security-misc +install c_can_platform /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install can-bcm /usr/bin/disabled-network-by-security-misc +install can-dev /usr/bin/disabled-network-by-security-misc +install can-gw /usr/bin/disabled-network-by-security-misc +install can-isotp /usr/bin/disabled-network-by-security-misc +install can-raw /usr/bin/disabled-network-by-security-misc +install can-j1939 /usr/bin/disabled-network-by-security-misc +install can327 /usr/bin/disabled-network-by-security-misc +install ifi_canfd /usr/bin/disabled-network-by-security-misc +install janz-ican3 /usr/bin/disabled-network-by-security-misc +install m_can /usr/bin/disabled-network-by-security-misc +install m_can_pci /usr/bin/disabled-network-by-security-misc +install m_can_platform /usr/bin/disabled-network-by-security-misc +install phy-can-transceiver /usr/bin/disabled-network-by-security-misc +install slcan /usr/bin/disabled-network-by-security-misc +install ucan /usr/bin/disabled-network-by-security-misc +install vxcan /usr/bin/disabled-network-by-security-misc +install vcan /usr/bin/disabled-network-by-security-misc +## +## Transparent Inter Process Communication (TIPC): +## +install tipc /usr/bin/disabled-network-by-security-misc +install tipc_diag /usr/bin/disabled-network-by-security-misc +## +## Reliable Datagram Sockets (RDS): +## +install rds /usr/bin/disabled-network-by-security-misc +install rds_rdma /usr/bin/disabled-network-by-security-misc +install rds_tcp /usr/bin/disabled-network-by-security-misc +## +## Stream Control Transmission Protocol (SCTP): +## +install sctp /usr/bin/disabled-network-by-security-misc +install sctp_diag 
/usr/bin/disabled-network-by-security-misc ## Miscellaneous: ## From 96aa63267a6fcee03f252f0791f37b7b6222a7c1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:57:14 +1000 Subject: [PATCH 1206/1650] Disable more Thunderbolt modules --- etc/modprobe.d/30_security-misc_disable.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 9ba5f84..74ce512 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -199,4 +199,6 @@ install vivid /usr/bin/disabled-vivid-by-security-misc ## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities ## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc From c52b1a3fd269ef4f98028dd5eead476abe5d138d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 20:58:45 +1000 Subject: [PATCH 1207/1650] Create `disabled-miscellaneous-by-security-misc` --- usr/bin/disabled-miscellaneous-by-security-misc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100755 usr/bin/disabled-miscellaneous-by-security-misc diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc new file mode 100755 index 0000000..2c23909 --- /dev/null +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 + +exit 1 
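Review bot: `install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc` in the rare-protocols list names a driver family rather than a module: as far as I know the brcm80211 tree builds brcmfmac, brcmsmac and brcmutil and there is no brcm80211.ko, so this line blocks nothing and only suggests coverage that is not there; the later "Fix script" and "further discussion required" hunks keep the same name. Because the command is `/bin/true …`, the error script on that line is also never run, so even a real module would be refused silently. If Broadcom Wi-Fi is the intended target, the actual module names have to be listed, and since brcmfmac is the only Wi-Fi driver on a lot of laptops and SBCs that entry belongs in the opt-in (commented) form rather than enabled by default.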
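Review bot: The header comment over `install thunderbolt` explains the DMA-attack motivation but not the side effect: on recent kernels the thunderbolt module is also the USB4 host driver, as I understand it, so blocking it disables USB4 tunnelling (PCIe and DisplayPort over USB4) and not only Thunderbolt 3, while plain USB 3 devices on the same port keep working through xhci. Suggested addition to that comment block: `## Note: thunderbolt is also the USB4 host driver; disabling it also disables USB4 tunnelling (USB 3 devices keep working).` The two added entries are dependants of thunderbolt and are fine as defence in depth.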
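Review bot: `args: $@` inside the double-quoted echo string in the new disabled-miscellaneous-by-security-misc is the form shellcheck flags (SC2145): "$@" expands to separate words even mid-string, so echo receives several arguments and rejoins them with spaces. The output is the same here, but `$*` states the intent of one string and avoids the warning: `… 30_security-misc_disable.conf | args: $*" >&2`. The same pattern is in the later disabled-intelpmt-by-security-misc script in this series.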
From cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:01:36 +1000 Subject: [PATCH 1208/1650] Disable more miscellaneous drivers --- etc/modprobe.d/30_security-misc_disable.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 74ce512..024a0b1 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -185,6 +185,14 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## Miscellaneous: ## +## Amateur Radios: +## +install hamradio /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +## +## Floppy Disks: +## +install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## From 8219a1e257525d487a49e7b3a6b14c1e180a7b52 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:02:10 +1000 Subject: [PATCH 1209/1650] Update README.md relating to disabled miscellaneous modules --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 442c2be..d99cdaa 100644 --- a/README.md +++ b/README.md @@ -160,7 +160,8 @@ disabling should first be blacklisted for a suitable amount of time. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled. -- Miscellaneous: Disable an assortment other modules such as vivid. +- Miscellaneous: Disable an assortment other modules such as those required + for amateur radio, floppy disks, and vivid. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. From fda3832eaf293915ab77ce73a0be2caec15e21fa Mon Sep 17 00:00:00 2001 
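Review bot: `install hamradio /bin/true /usr/bin/disabled-miscellaneous-by-security-misc` targets a name that, as far as I can tell, is a Kconfig menu and not a module: the amateur-radio drivers ship as separate modules (6pack, mkiss, yam, the baycom_* family), and the protocol-level modules ax25, netrom and rose are already blocked further up this file, so this line is a no-op that reads as coverage; the later "Fix script" hunk keeps the same name. Either list the driver modules explicitly or drop the line and state in the comment that the ax25/netrom/rose entries are what cover amateur radio. `floppy` is a real module, so that entry is fine once the `/bin/true` prefix is removed.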
From: Raja Grewal Date: Mon, 15 Jul 2024 21:08:45 +1000 Subject: [PATCH 1210/1650] Replace bash file presented for disabling of miscellaneous modules --- debian/security-misc.maintscript | 3 +++ etc/modprobe.d/30_security-misc_disable.conf | 4 ++-- usr/bin/disabled-vivid-by-security-misc | 10 ---------- 3 files changed, 5 insertions(+), 12 deletions(-) delete mode 100755 usr/bin/disabled-vivid-by-security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 59043e5..e046582 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -67,3 +67,6 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf + +## repalced with /usr/bin/disabled-miscellaneous-by-security-misc +rm_conffile /usr/bin/disabled-vivid-by-security-misc \ No newline at end of file diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 024a0b1..eda012c 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -39,7 +39,7 @@ ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 ## -#install msr /usr/bin/disabled-msr-by-security-misc +#install msr /usr/bin/disabled-miscellaneous-by-security-misc ## File Systems: ## Disable uncommon file systems to reduce attack surface. 
@@ -200,7 +200,7 @@ install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## -install vivid /usr/bin/disabled-vivid-by-security-misc +install vivid /usr/bin/disabled-miscellaneous-by-security-misc ## Thunderbolt: ## Disables Thunderbolt modules to prevent some DMA attacks. diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc deleted file mode 100755 index f2d07b7..0000000 --- a/usr/bin/disabled-vivid-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 - -exit 1 From a8bc1144c32b4b4f20904af5f813da1051fe4c9c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:10:13 +1000 Subject: [PATCH 1211/1650] Updated wording of error files for disabled modules --- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 7e011e3..3669fc1 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 55f4b0c..4a7b141 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index cbde5d1..2abc6bc 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index f1a24bf..d43626e 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index 98f0840..dbe89ec 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 From 382f1e9ec00ab5f012f028fa324d6cf73040c37d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:13:25 +1000 Subject: [PATCH 1212/1650] Fix error --- debian/security-misc.maintscript | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 78a36fd..c5c2569 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
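Review bot: Changing the message in disabled-gps-by-security-misc from GNSS to GPS makes it less accurate rather than more: the kernel subsystem and the modules this script is attached to are named gnss (the config uses `install gnss-usb …`), and GPS is only one of the constellations a GNSS receiver handles. I would keep GNSS and add GPS as the familiar example, e.g. `This GNSS (Global Navigation Satellite System, e.g. GPS) kernel module is disabled …`. The other wording changes in this commit are fine.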
@@ -68,15 +68,15 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf ## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg -rm /etc/default/grub.d/40_distrust_bootloader.cfg -rm /etc/default/grub.d/40_distrust_cpu.cfg -rm /etc/default/grub.d/40_enable_iommu.cfg +rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg +rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg +rm_conffile /etc/default/grub.d/40_enable_iommu.cfg ## renamed to /etc/default/grub.d/40_remount_secure.cfg -rm /etc/default/grub.d/40_remmount-secure.cfg +rm_conffile /etc/default/grub.d/40_remmount-secure.cfg ## renamed to /etc/default/grub.d/40_signed_modules.cfg -rm /etc/default/grub.d/40_only_allow_signed_modules.cfg +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg ## renamed to /etc/default/grub.d/41_quiet_boot.cfg -rm /etc/default/grub.d/41_quiet.cfg +rm_conffile /etc/default/grub.d/41_quiet.cfg From f2db11269e89d4c945642b661aa9cbe356f89037 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:18:32 +1000 Subject: [PATCH 1213/1650] Fix script --- etc/modprobe.d/30_security-misc_disable.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index eda012c..d6b5122 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
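Review bot: The `rm_conffile` entries fixed here (and the existing ones above them) give no prior-version argument, so as I recall dpkg-maintscript-helper retries the removal on every upgrade instead of only on the upgrade that crosses the version where the file disappeared; dpkg's own documentation recommends supplying it. For example `rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg <FIRST-VERSION-WITHOUT-FILE>~` (placeholder: the first package version that no longer ships the file, with the ~ suffix). It is also worth a comment that a user-modified conffile is kept as a .dpkg-bak copy rather than deleted, since grub.d snippets are exactly the kind of file people edit and a leftover copy is not sourced by grub-mkconfig.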
@@ -187,11 +187,11 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## ## Amateur Radios: ## -install hamradio /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## ## Floppy Disks: ## -install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. From 9300c208e25d936f2c633a0904126566afc1c275 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:36:25 +1000 Subject: [PATCH 1214/1650] Fix script --- etc/modprobe.d/30_security-misc_disable.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d6b5122..0158586 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -121,7 +121,7 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc +install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc From 22ba7a7c393a8c9005dfe26aea396815a4d54803 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:21:20 +1000 Subject: [PATCH 1215/1650] Disable more Intel Management Engine (ME) modules --- etc/modprobe.d/30_security-misc_disable.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index f82ccb6..da40ded 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -68,7 +68,17 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## install mei /usr/bin/disabled-intelme-by-security-misc +install mei-gsc /usr/bin/disabled-intelme-by-security-misc +install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +install mei_hdcp /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +install mei_phy /usr/bin/disabled-intelme-by-security-misc +install mei_pxp /usr/bin/disabled-intelme-by-security-misc +install mei-txe /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei_wdt /usr/bin/disabled-intelme-by-security-misc +install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. From 61941da37509a4bb809212536b79f461a209f584 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:38:09 +1000 Subject: [PATCH 1216/1650] Create `disabled-intelpmt-by-security-misc` --- usr/bin/disabled-intelpmt-by-security-misc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100755 usr/bin/disabled-intelpmt-by-security-misc diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc new file mode 100755 index 0000000..44f04bc --- /dev/null +++ b/usr/bin/disabled-intelpmt-by-security-misc 
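Review bot: The new mei entries mix hyphenated and underscored spellings (`mei-gsc` next to `mei_gsc_proxy`, `mei-vsc` next to `mei_wdt`); modprobe treats - and _ as interchangeable in module names so every line works, but a reader grepping for one spelling will miss the other, so normalising the block to one form would help. Functionally all of these are bus drivers or clients of `mei`, which the context line above already blocks, so they cannot load even without these lines; a sentence in the header comment saying the extra entries are defence in depth would stop the next reader from assuming they close a gap.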
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 + +exit 1 From 724435e56ea059183241044a4fc09423187533eb Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:38:43 +1000 Subject: [PATCH 1217/1650] Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules --- README.md | 3 +++ etc/modprobe.d/30_security-misc_disable.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index b5cf7a3..d4c965c 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,9 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. +- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality + of the Intel PMT components. + - Network File Systems: Disable uncommon and legacy network file systems. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled. diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index f82ccb6..9cb1156 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -70,6 +70,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +## Intel Platform Monitoring Technology Telemetry (PMT): +## Disable some functionality of the Intel PMT components. +## +## https://github.com/intel/Intel-PMT +## +install pmt_class /usr/bin/disabled-intelpmt-by-security-misc +install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc +install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc + ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## From 73f6d4b26f51f0c920fe020677f464c536d75410 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 16 Jul 2024 01:03:41 +1000 Subject: [PATCH 1218/1650] Fix transcription error --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index eaedccb..8285744 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -128,7 +128,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## Enable and force use of IOMMU translation to protect against DMA attacks. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. From 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 15 Jul 2024 12:29:52 -0400 Subject: [PATCH 1219/1650] further discussion required https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 --- etc/modprobe.d/30_security-misc_disable.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 0158586..97d3840 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -121,12 +121,12 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -install brcm80211 /usr/bin/disabled-network-by-security-misc +#install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc -install eepro100 /usr/bin/disabled-network-by-security-misc -install eth1394 /usr/bin/disabled-network-by-security-misc +#install eepro100 /usr/bin/disabled-network-by-security-misc +#install eth1394 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc 
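Review bot: Commenting out `install eepro100` and `install eth1394` here leaves both names unreferenced in the package, because the "Disable more network protocols/drivers" commit earlier in this series removed `blacklist eepro100` and `blacklist eth1394` from 30_security-misc_blacklist.conf when it moved them to install lines; net of the series the pre-existing (weaker) blacklist coverage is gone. In practice this is probably moot, since as far as I recall both drivers were dropped from mainline many releases ago, but that should be said in the commit message or in a comment next to the lines, or the blacklist entries restored until the discussion concludes. `#install brcm80211` likewise keeps a name that does not match a module as far as I know (the brcm80211 directory builds brcmfmac, brcmsmac and brcmutil), so if the discussion ends in re-enabling the line it will silently do nothing.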
@@ -139,9 +139,9 @@ install x25 /usr/bin/disabled-network-by-security-misc ## Asynchronous Transfer Mode (ATM): ## install atm /usr/bin/disabled-network-by-security-misc -install ueagle-atm /usr/bin/disabled-network-by-security-misc -install usbatm /usr/bin/disabled-network-by-security-misc -install xusbatm /usr/bin/disabled-network-by-security-misc +#install ueagle-atm /usr/bin/disabled-network-by-security-misc +#install usbatm /usr/bin/disabled-network-by-security-misc +#install xusbatm /usr/bin/disabled-network-by-security-misc ## ## Controller Area Network (CAN) Protocol: ## From fe0846c8c2bdfc0534850b1e9bf9c4130381def9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 Jul 2024 12:30:38 -0400 Subject: [PATCH 1220/1650] fix https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 --- debian/security-misc.maintscript | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index e046582..59043e5 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -67,6 +67,3 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf - -## repalced with /usr/bin/disabled-miscellaneous-by-security-misc -rm_conffile /usr/bin/disabled-vivid-by-security-misc \ No newline at end of file From fe5c840b79c4aabd5c21a286d3ce1a3ee460812c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 Jul 2024 21:18:55 +0000 Subject: [PATCH 1221/1650] bumped changelog version --- changelog.upstream | 127 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 133 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 49f6141..b135da6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
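Review bot: Commenting out `ueagle-atm`, `usbatm` and `xusbatm` while `install atm` stays active on the line above does not re-enable them in practice: as I understand it usbatm depends on atm (and the other two on usbatm), so modprobe still hits the atm install rule during dependency resolution and the load fails with the same error. Worth a one-line comment so the `#` is not read as the modules being open: `## The USB ATM drivers below depend on atm, which is blocked above, so they remain unloadable.`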
@@ -1,3 +1,124 @@ +commit 6e63fc8985b97902dbae2553ded51950168dc222 +Merge: fe0846c b7796a5 +Author: Patrick Schleizer +Date: Mon Jul 15 17:14:25 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 +Author: Patrick Schleizer +Date: Mon Jul 15 12:30:38 2024 -0400 + + fix + + https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 + +commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 +Author: Patrick Schleizer +Date: Mon Jul 15 12:29:52 2024 -0400 + + further discussion required + + https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 + +commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 +Merge: 5ba5a85 9300c20 +Author: Patrick Schleizer +Date: Mon Jul 15 12:28:03 2024 -0400 + + Merge remote-tracking branch 'raja/kernel_modules' + +commit 9300c208e25d936f2c633a0904126566afc1c275 +Author: Raja Grewal +Date: Mon Jul 15 21:36:25 2024 +1000 + + Fix script + +commit f2db11269e89d4c945642b661aa9cbe356f89037 +Author: Raja Grewal +Date: Mon Jul 15 21:18:32 2024 +1000 + + Fix script + +commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c +Author: Raja Grewal +Date: Mon Jul 15 21:10:13 2024 +1000 + + Updated wording of error files for disabled modules + +commit fda3832eaf293915ab77ce73a0be2caec15e21fa +Author: Raja Grewal +Date: Mon Jul 15 21:08:45 2024 +1000 + + Replace bash file presented for disabling of miscellaneous modules + +commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 +Author: Raja Grewal +Date: Mon Jul 15 21:02:10 2024 +1000 + + Update README.md relating to disabled miscellaneous modules + +commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c +Author: Raja Grewal +Date: Mon Jul 15 21:01:36 2024 +1000 + + Disable more miscellaneous drivers + +commit c52b1a3fd269ef4f98028dd5eead476abe5d138d +Author: Raja Grewal +Date: Mon Jul 15 20:58:45 2024 +1000 + + Create `disabled-miscellaneous-by-security-misc` + +commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 +Author: Raja Grewal +Date: 
Mon Jul 15 20:57:14 2024 +1000 + + Disable more Thunderbolt modules + +commit 51f7776bc8722752d53fc503b0c79564d8715d4c +Author: Raja Grewal +Date: Mon Jul 15 20:56:12 2024 +1000 + + Disable more network protocols/drivers + +commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 +Author: Raja Grewal +Date: Mon Jul 15 20:54:18 2024 +1000 + + Disable more network file systems + +commit 82c5a93f7cf2846490120c5262a146a313a5ce47 +Author: Raja Grewal +Date: Mon Jul 15 20:53:07 2024 +1000 + + Disable another GPS module + +commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 +Author: Raja Grewal +Date: Mon Jul 15 20:47:56 2024 +1000 + + Disable more file systems + +commit 4476a477a77c98cf4334fbcb866bc8f113f568ac +Author: Raja Grewal +Date: Mon Jul 15 20:47:07 2024 +1000 + + Provide option to disable more Bluetooth modules + +commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 +Author: Raja Grewal +Date: Mon Jul 15 20:46:04 2024 +1000 + + Update `security-misc.maintscript` + Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. + +commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 +Author: Patrick Schleizer +Date: Sat Jul 13 15:01:16 2024 +0000 + + bumped changelog version + commit ad860063aba0443a8ac8b9cf191d008617d6d904 Merge: f34b9d7 9f58266 Author: Patrick Schleizer @@ -72,6 +193,12 @@ Date: Fri Jul 12 02:27:56 2024 +1000 Remove redundant disabled modules +commit b7796a5334075d5fa538d7579003fde6287d7e6d +Author: Ben Grande +Date: Thu Jul 11 11:04:22 2024 +0200 + + Unify method to find SUID files + commit 05c1711b16c96a221c13a011a6666fe6b385ec1e Author: Patrick Schleizer Date: Tue Jun 11 12:56:56 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 058cddc..ce06bfd 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:37.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 + security-misc (3:37.7-1) unstable; urgency=medium * New upstream version (local package). From d1119c38b6ad4193919d4b800de0a3cb014f92c1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:31:23 +1000 Subject: [PATCH 1222/1650] Apply changes from code review --- README.md | 10 ++++++---- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5d9b594..14d1a23 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict kernel addresses regardless of user privileges. +- Restrict access to kernel addresses through the us of kernel pointers regardless + of user privileges. - Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. @@ -33,7 +34,7 @@ space, user space, core dumps, and swap space. - Disable `kexec` as it can be used to replace the running kernel. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilised. + can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Provide option to disable unprivileged user namespaces as they can lead to privilege escalation. 
@@ -50,12 +51,13 @@ space, user space, core dumps, and swap space. - Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Disallow unintentional writes to attacker-controlled files. +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. - Increase the maximum number of memory map areas a process is able to utilise. - Disable core dump files and prevent their creation. If core dump files are - enabled, they will be nammed based on `core.PID` instead of the default `core`. + enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1316be..3c80e23 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -215,8 +215,10 @@ kernel.core_uses_pid=1 ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimises the likelihood of writing potentially sensitive contents to disk. +## Not reccommmeded to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1 From 824d9b82e53485eed8eaf24e9815ac07ad0f2406 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:36:18 +1000 Subject: [PATCH 1223/1650] Uncomment redundant disabling of TCP FACK` --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3c80e23..fd51343 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
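Review bot: The added comment line `## Not reccommmeded to set to zero since this disables periodic write behavior.` has a typo and, as far as I understand vm.swappiness, an inaccurate justification: the knob weights reclaiming anonymous pages against page cache and does not govern periodic writeback. Suggest `## Not recommended to set to zero: the kernel then avoids swapping until memory is nearly exhausted, trading graceful degradation for OOM kills.` The Red Hat memory-tunables link added in the same hunk supports that reading better than the current sentence.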
@@ -309,7 +309,7 @@ net.ipv6.conf.default.accept_ra=0 ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 -net.ipv4.tcp_fack=0 +#net.ipv4.tcp_fack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## From 49594ccb223c09d70f00434e5875c9dae1a2360d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:49:25 +1000 Subject: [PATCH 1224/1650] Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 --- etc/default/grub.d/41_quiet_boot.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 25d819a..4beed93 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -1,6 +1,14 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Some default configuration files automatically include the "quiet" parameter. +## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## LANG=C str_replace is provided by package helper-scripts. +## +## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 +## +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. From d69fe88091c7212a9af86306c797aed40398584b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 01:08:01 +1000 Subject: [PATCH 1225/1650] Provide option to disable `uvcvideo` driver --- etc/modprobe.d/30_security-misc_disable.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 97d3840..9e91697 100644 
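Review bot: The line being commented out, `#net.ipv4.tcp_fack=0`, targets a sysctl that, as far as I recall, was removed together with the FACK code in Linux 4.15, so on any currently supported kernel an active line would make sysctl report an unknown key rather than disable anything. The section comment (its start is outside this hunk) still calls FACK a legacy option that "will (eventually) be deprecated", so a line such as `## net.ipv4.tcp_fack no longer exists on kernels >= 4.15; kept only for reference.` next to the commented value would stop the next reader from re-enabling it. The commit title says "Uncomment" while the hunk comments the line out, which is worth correcting before merge.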
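Review bot: The new line `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` replaces the whole variable with an empty string whenever str_replace is absent or fails, because a failing command substitution yields nothing, so every other default kernel parameter is silently dropped; the comment itself says the helper ships in a separate package, so that path is reachable. Guard it, e.g. `if command -v str_replace >/dev/null 2>&1; then` / the assignment / `fi`, or otherwise keep the original value on failure. If str_replace does plain substring replacement as its name suggests, any parameter that merely contains the letters "quiet" would be mangled too, so a whole-word replacement is preferable. The added comment also has a typo, `## Thefore, first remove "quiet" ...` should start `## Therefore, ...`, and the clause `since "quiet" must be first` is unclear given that this file later appends `quiet` at the end of the variable; please state the ordering requirement actually meant.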
--- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -193,6 +193,11 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## +## USB Video Device Class: +## Disables USB-based video streaming driver for devices like webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## From f317aaebab126bafe3cfaef8159bf0820c392c87 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 01:09:02 +1000 Subject: [PATCH 1226/1650] Disable two network modules These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. --- etc/modprobe.d/30_security-misc_disable.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 9e91697..b6be29e 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -113,10 +113,12 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## Previously had blacklisted eepro100 and eth1394. ## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 ## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc 
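Review bot: The added line `## Previously had blacklisted eepro100 and eth1394.` is stale the moment this commit lands, because the second hunk of the same file (`@@ -125,8 +127,8 @@`) turns both entries from commented-out into active `install` lines, and a reader will take "previously" to mean they are no longer handled. Suggest `## eepro100 and eth1394 were blacklisted for years before being moved to install-disable; see the PR comment below.` Both names are network interface drivers (Intel EtherExpress Pro/100 and IP-over-FireWire) rather than protocols, and to my knowledge both were dropped from mainline long ago, so a note that the entries only matter on old kernels would also help, since they sit under the "Network Protocols" heading.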
@@ -125,8 +127,8 @@ install ax25 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc -#install eepro100 /usr/bin/disabled-network-by-security-misc -#install eth1394 /usr/bin/disabled-network-by-security-misc +install eepro100 /usr/bin/disabled-network-by-security-misc +install eth1394 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc From abafb1945cace774429fefd0c1a037fb2ec3f774 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 13:26:03 +1000 Subject: [PATCH 1227/1650] Add Intel ME references --- etc/modprobe.d/30_security-misc_disable.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index da40ded..28f9f3d 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -64,8 +64,13 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. +## ME functionality has increasing become more intertwined with basic system operation. +## Disabling may lead to breakages places such as security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities +## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages +## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## install mei /usr/bin/disabled-intelme-by-security-misc install mei-gsc /usr/bin/disabled-intelme-by-security-misc 
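Review bot: Two of the added comment lines in the Intel ME section read awkwardly: `## ME functionality has increasing become more intertwined with basic system operation.` should be `## ME functionality has increasingly become intertwined with basic system operation.`, and `## Disabling may lead to breakages places such as security, power management, display, and DRM.` is missing a word, e.g. `## Disabling may lead to breakage in areas such as security, power management, display, and DRM.` These lines justify a trade-off users are expected to weigh, so precise wording matters here more than elsewhere in the file.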
@@ -75,8 +80,8 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc install mei_phy /usr/bin/disabled-intelme-by-security-misc install mei_pxp /usr/bin/disabled-intelme-by-security-misc install mei-txe /usr/bin/disabled-intelme-by-security-misc -install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc install mei_wdt /usr/bin/disabled-intelme-by-security-misc install microread_mei /usr/bin/disabled-intelme-by-security-misc From 81a3715c7c0b73796a62297ebe55e861a46f7686 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 13:32:08 +1000 Subject: [PATCH 1228/1650] Add info regarding the downsides of disabling SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 13d8ffd..e303f9f 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,9 +17,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. +## Disabling will significantly decrease system performance on multi-threaded tasks. +## To enable SMT, remove this line all other occurrences of "nosmt" in this file. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" From 693b47e6235528ab7a9032818cce22fd63a4f5ea Mon Sep 17 00:00:00 2001 
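Review bot: The added instruction `## To enable SMT, remove this line all other occurrences of "nosmt" in this file.` is missing a conjunction and can be misread as two separate clauses; suggest `## To enable SMT, remove this line and every other occurrence of "nosmt" in this file.` The hunk header's own context line shows `mitigations=auto,nosmt` is one such occurrence, so naming it (`## (e.g. the mitigations=auto,nosmt line above)`) would help users who remove only `nosmt=force` and then wonder why SMT stays off.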
From: Raja Grewal Date: Wed, 17 Jul 2024 14:58:30 +1000 Subject: [PATCH 1229/1650] Clarify ICMP redirect acceptance and sending --- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index fd51343..3cebc76 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -252,16 +252,22 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimises information disclosure. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. From a3408990ab439e6edbf8691cf7d65fb16c0d24df Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 15:03:39 +1000 Subject: [PATCH 1230/1650] Uncomment disabling of already disabled ATM modules --- etc/modprobe.d/30_security-misc_disable.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
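Review bot: The new comment block over `net.ipv4.conf.all.secure_redirects=0` describes what the setting does when it is 1 (`## Accept ICMP redirect messages only for approved gateways.`), but the hunk sets it to 0, so a reader gets the opposite impression of the configured behaviour. Suggest `## secure_redirects=1 would accept ICMP redirects only from gateways already in the default gateway list; set to 0 so that even those are rejected.` followed by `## Only relevant if accept_redirects above is ever re-enabled; with accept_redirects=0 this is defence in depth.` The second added sentence (`## If ICMP redirect messages are permitted, only useful if managing a default gateway list.`) is then covered and can go.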
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index b6be29e..e278caa 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -141,9 +141,9 @@ install x25 /usr/bin/disabled-network-by-security-misc
 ## Asynchronous Transfer Mode (ATM):
 ##
 install atm /usr/bin/disabled-network-by-security-misc
-#install ueagle-atm /usr/bin/disabled-network-by-security-misc
-#install usbatm /usr/bin/disabled-network-by-security-misc
-#install xusbatm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
 ##
 ## Controller Area Network (CAN) Protocol:
 ##
From 39fd125eb0f0c16c8a64933bbd04709287a2686a Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 21:44:44 +1000
Subject: [PATCH 1231/1650] Provide explanation on the disabling of IPv6 Privacy Extensions
---
 .../NetworkManager/conf.d/80_ipv6-privacy.conf | 8 ++++++++
 .../NetworkManager/conf.d/80_randomize-mac.conf | 8 ++++++++
 usr/lib/sysctl.d/990-security-misc.conf | 17 +++++++++++++++++
 .../80_ipv6-privacy-extensions.conf | 8 ++++++++
 4 files changed, 41 insertions(+)
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
index bc2280c..0605c37 100644
--- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
@@ -1,2 +1,10 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[connection]
 #ipv6.ip6-privacy=2
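Review bot: The last line of the added block, `## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.`, has two typos and should read `## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.`; the identical block is pasted into the hunks for 80_randomize-mac.conf, 990-security-misc.conf and 80_ipv6-privacy-extensions.conf in this same patch, so the fix applies to all four. Since the same seven lines now live in four files, consider keeping the full rationale only in 990-security-misc.conf and having the others carry a one-line `## See /usr/lib/sysctl.d/990-security-misc.conf for why this is disabled.`, so the explanation is not edited in four places next time. The first line is phrased as a guess (`likely due to`); if the linked issues settle the cause, say so rather than leaving the reader to infer it.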
diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index 428c0e2..04d0312 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -1,3 +1,11 @@ +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + #[device-mac-randomization] #wifi.scan-rand-mac-address=yes diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3cebc76..2235dfc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -337,3 +337,20 @@ net.ipv4.tcp_timestamps=0 ## #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 + +## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses. +## The temporary/privacy address is used as the source of all outgoing traffic. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. +## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. +## +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. +## +#net.ipv6.conf.all.use_tempaddr=2 +#net.ipv6.conf.default.use_tempaddr=2 \ No newline at end of file 
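Review bot: `## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.` is missing a connective; suggest `## Enable IPv6 Privacy Extensions and prefer temporary addresses over public addresses.` That distinction is exactly what the commented value encodes (use_tempaddr=1 enables the extensions but keeps the public address as source, =2 prefers the temporary one), so a second line spelling out `## 1 = enabled, public address preferred; 2 = enabled, temporary address preferred.` would make `#net.ipv6.conf.all.use_tempaddr=2` self-explanatory for anyone uncommenting it.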
diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index ad1e947..e53c635 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,2 +1,10 @@ +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + #[Network] #IPv6PrivacyExtensions=kernel From 25fd532ce62399d5bb42d844ad32b5128eaf748d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 21:56:40 +1000 Subject: [PATCH 1232/1650] Update README.md relating to `sysctl`'s --- README.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 14d1a23..1a4efa6 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,8 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Provide option to disable unprivileged user namespaces as they can lead to - privilege escalation. +- Provide the option to disable unprivileged user namespaces as they can lead to + substantial privilege escalation. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. 
@@ -46,8 +46,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide option - to also entirely disable the use of `ptrace()` for all processes. + enables programs to inspect and modify other active processes. Provide the + option to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -82,13 +82,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. -- Provide option to disable SACK and DSACK as they have historically been a - vector for exploitation. +- Provide the option to disable SACK and DSACK as they have historically been + a known vector for exploitation. - Disable TCP timestamps as it can allow detecting the system time. -- Provide option to log of packets with impossible source or destination - addresses to enable inspection and further analysis. +- Provide the option to log of packets with impossible source or destination + addresses to enable further inspection and analysis. + +- Provide the option to enable IPv6 Privacy Extensions. ### mmap ASLR @@ -225,6 +227,12 @@ rather it is a form of badness enumeration. ## Network hardening +Not yet due to issues: + +- https://github.com/Kicksecure/security-misc/pull/145 + +- https://github.com/Kicksecure/security-misc/issues/184 + - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. From 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:00:24 -0400 Subject: [PATCH 1233/1650] minor --- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index de73876..884a2a6 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -11,4 +11,4 @@ kernel.printk=3 3 3 3 ## For Increased Log Verbosity: ## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. -## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file +## Alternatively, installing the debug-misc package will undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3cebc76..67af3c3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -26,7 +26,7 @@ ## https://wiki.archlinux.org/title/Security#Kernel_hardening ## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. -## Kernel pointers expose specific locations in kernel memory. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## 
@@ -128,10 +128,10 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope ## https://en.wikipedia.org/wiki/Ptrace @@ -139,7 +139,7 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## -## It is possible to harden further by disabling ptrace() for all users, see documentation. +## It is possible to harden further by disabling ptrace() for all users, see documentation. ## kernel.yama.ptrace_scope=2 @@ -236,7 +236,7 @@ net.ipv4.tcp_syncookies=1 ## Protect against TCP time-wait assassination hazards. ## Drops RST packets for sockets in the time-wait state. -## +## ## https://tools.ietf.org/html/rfc1337 ## net.ipv4.tcp_rfc1337=1 @@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1 ## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Disable source routing which allows users redirect network traffic. +## Disable source routing which allows users redirect network traffic. ## Prevents man-in-the-middle attacks in which the traffic is redirected. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing 
@@ -303,7 +303,7 @@ net.ipv6.conf.default.accept_ra=0 ## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. ## Disabling can cause severe connectivity issues on networks with high latency or packet loss. ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. -## +## ## https://datatracker.ietf.org/doc/html/rfc2018 ## https://datatracker.ietf.org/doc/html/rfc2883 ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf @@ -329,11 +329,11 @@ net.ipv4.tcp_timestamps=0 ## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. -## +## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## -## The logging of martian packets is currently disabled. +## The logging of martian packets is currently disabled. ## #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 From 0b873b765e20b06113d808075fa95c8acbb1e0fc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:05:27 -0400 Subject: [PATCH 1234/1650] minor --- usr/lib/sysctl.d/990-security-misc.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9e132f1..88dab81 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -340,10 +340,10 @@ net.ipv4.tcp_timestamps=0 ## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses. ## The temporary/privacy address is used as the source of all outgoing traffic. -## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. ## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. -## +## ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 @@ -353,4 +353,4 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. ## #net.ipv6.conf.all.use_tempaddr=2 -#net.ipv6.conf.default.use_tempaddr=2 \ No newline at end of file +#net.ipv6.conf.default.use_tempaddr=2 From d29a616142562492db6c45c299f002100e905828 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:39:20 -0400 Subject: [PATCH 1235/1650] minor --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++---- etc/default/grub.d/40_remount_secure.cfg | 4 ++-- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e303f9f..55b6c17 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -109,9 +109,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" \ No newline at end of file +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 8285744..946f2a4 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -82,7 +82,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. -## +## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. @@ -157,7 +157,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## Do not credit the CPU or bootloader seeds as entropy sources at boot. ## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. +## Numerous implementations of RDRAND have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximising the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialise the RNG. 
@@ -191,10 +191,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## Disable the entire IPv6 stack functionality. ## Removes attack surface associated with the IPv6 module. -## +## ## https://www.kernel.org/doc/html/latest/networking/ipv6.html ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 ## ## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. ## -#ipv6.disable=1 \ No newline at end of file +#ipv6.disable=1 diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index c180456..3427bf1 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Remount Secure provides enhanced security via mmount options: +## Remount Secure provides enhanced security via mmount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## Option A (No Security): @@ -20,6 +20,6 @@ #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" ## Option D (Highest Security) -## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 4beed93..9a23579 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -26,4 +26,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" ## For Increased Log Verbosity: ## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file +## Alternatively, installing the debug-misc package will undo these settings. 
From 6157e328f40a7f3780208489b1ffecef8e6d738a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:52:11 -0400 Subject: [PATCH 1236/1650] no longer disable Intel ME related kernel modules https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 8633c62..97a8196 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -90,18 +90,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## -install mei /usr/bin/disabled-intelme-by-security-misc -install mei-gsc /usr/bin/disabled-intelme-by-security-misc -install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -install mei-me /usr/bin/disabled-intelme-by-security-misc -install mei_phy /usr/bin/disabled-intelme-by-security-misc -install mei_pxp /usr/bin/disabled-intelme-by-security-misc -install mei-txe /usr/bin/disabled-intelme-by-security-misc -install mei-vsc /usr/bin/disabled-intelme-by-security-misc -install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -install mei_wdt /usr/bin/disabled-intelme-by-security-misc -install microread_mei /usr/bin/disabled-intelme-by-security-misc +#install mei /usr/bin/disabled-intelme-by-security-misc +#install mei-gsc /usr/bin/disabled-intelme-by-security-misc +#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +#install mei-me /usr/bin/disabled-intelme-by-security-misc +#install mei_phy /usr/bin/disabled-intelme-by-security-misc +#install mei_pxp /usr/bin/disabled-intelme-by-security-misc +#install mei-txe /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +#install mei_wdt /usr/bin/disabled-intelme-by-security-misc +#install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. From f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 Mon Sep 17 00:00:00 2001 
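Review bot: The twelve `install mei*` entries are now commented out, but nothing in the file says they are intentionally inactive — the two reference links in the context directly above them still read as the rationale for disabling, so a reader or downstream fork could reasonably take the commenting-out as accidental and re-enable it. I would add an explicit comment right above the block, e.g. `## Intentionally NOT enabled: see the disadvantages discussed at the links above and https://github.com/Kicksecure/security-misc/issues/239. Uncomment the lines below to disable the kernel-side Intel ME interface.` This is worth stating in-file because leaving the mei modules loadable restores the host-to-ME communication channel, which is a deliberate attack-surface trade-off rather than an oversight. The comment block that introduces this section begins before the hunk, so the note may belong at its heading instead.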
From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:57:35 -0400 Subject: [PATCH 1237/1650] minor --- README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index bad198e..1978aee 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,10 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict access to kernel addresses through the us of kernel pointers regardless +- Restrict access to kernel addresses through the us of kernel pointers regardless of user privileges. -- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. - Prevent kernel information leaks in the console during boot. @@ -46,7 +46,7 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the + enables programs to inspect and modify other active processes. Provide the option to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. 
@@ -67,10 +67,10 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Protect against TCP time-wait assassination hazards. -- Enables reverse path filtering (source validation) of packets received +- Enables reverse path filtering (source validation) of packets received from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to +- Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimise information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. @@ -87,7 +87,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Disable TCP timestamps as it can allow detecting the system time. -- Provide the option to log of packets with impossible source or destination +- Provide the option to log of packets with impossible source or destination addresses to enable further inspection and analysis. - Provide the option to enable IPv6 Privacy Extensions. 
@@ -102,20 +102,20 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form -and simultaneous multithreading (SMT) is disabled. See the +and simultaneous multithreading (SMT) is disabled. See the `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. -- Disable merging of slabs with similar size which reduces the risk of +- Disable merging of slabs with similar size which reduces the risk of triggering heap overflows and limits influencing slab cache layout. - Enable memory zeroing at both allocation and free time which mitigate some use-after-free vulnerabilities by erasing sensitive information in memory. -- Enable the kernel page allocator to randomise free lists to limit some data +- Enable the kernel page allocator to randomise free lists to limit some data exfiltration and ROP attacks especially during the early boot process. - Enable kernel page table isolation increase KASLR effectiveness and also @@ -124,13 +124,13 @@ configuration file. - Enables randomisation of the kernel stack offset on syscall entries to harden against memory corruption attacks. -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been replaced by vDSO. -- Restrict access to debugfs by not registering the file system since it can +- Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain +- Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. - Provide option to modify machine check exception handler. 
@@ -144,7 +144,7 @@ configuration file. - Do not credit the CPU or bootloader as entropy sources at boot in order to maximise the absolute quantity of entropy in the combined pool. -- Obtain more entropy at boot from RAM as the runtime memory allocator is +- Obtain more entropy at boot from RAM as the runtime memory allocator is being initialised. - Provide option to disable the entire IPv6 stack to reduce attack surface. @@ -188,8 +188,8 @@ modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. - Miscellaneous: Blacklist an assortment other modules to prevent them from automatically loading. @@ -204,7 +204,7 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- GPS: Disable GPS-related modules such as those required for Global Navigation +- GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). - Intel Management Engine (ME): Provides some disabling of the interface between the @@ -305,7 +305,7 @@ See: `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. - Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the + audit, may contain weaknesses or a backdoor. Similarly, do not credit the bootloader seed for initial entropy. For references, see: `/etc/default/grub.d/40_kernel_hardening.cfg` From afe3c25a49940f7f322414c08e8dbd631e696215 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:58:00 -0400 Subject: [PATCH 1238/1650] update readme https://github.com/Kicksecure/security-misc/issues/239 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1978aee..a515c45 100644 --- a/README.md +++ b/README.md @@ -207,8 +207,8 @@ disabling should first be blacklisted for a suitable amount of time. - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). -- Intel Management Engine (ME): Provides some disabling of the interface between the - Intel ME and the OS. +- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 - Network File Systems: Disable uncommon and legacy network file systems. From 0da22c20316c8f0f574e0127926506e52ccbc269 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 09:07:31 -0400 Subject: [PATCH 1239/1650] minor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cb65669..0e5d290 100644 --- a/README.md +++ b/README.md @@ -212,7 +212,7 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality of the Intel PMT components. - + - Network File Systems: Disable uncommon and legacy network file systems. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled. From 1087387b362d5598e44262db07ab0fff9118b064 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 23:35:25 +1000 Subject: [PATCH 1240/1650] Remove obsolete `#net.ipv4.tcp_fack=0` --- usr/lib/sysctl.d/990-security-misc.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 88dab81..52e3345 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -297,10 +297,9 @@ net.ipv6.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 -## Disable SACK, DSACK, and FACK. +## Disable SACK and DSACK. ## Select acknowledgements (SACKs) are a known common vector of exploitation. ## Duplicate select acknowledgements (DSACKs) are an extension of SACK. -## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. ## Disabling can cause severe connectivity issues on networks with high latency or packet loss. ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. ## @@ -315,7 +314,6 @@ net.ipv6.conf.default.accept_ra=0 ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## From 8f3896c3dac13b604e36d4249f976598f271a215 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 23:44:37 +1000 Subject: [PATCH 1241/1650] Upgrade hyperlinks to HTTPS --- COPYING | 6 +++--- debian/copyright | 6 +++--- etc/skel/.gnupg/gpg.conf | 4 ++-- usr/bin/pkexec.security-misc | 2 +- usr/bin/remount-secure | 2 +- usr/libexec/security-misc/virusforget | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/COPYING b/COPYING index 808999e..bf11138 100644 --- a/COPYING +++ b/COPYING @@ -8,7 +8,7 @@ License: AGPL-3+ GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 . - Copyright (C) 2007 Free Software Foundation, Inc. + Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. . 
@@ -650,7 +650,7 @@ License: AGPL-3+ GNU Affero General Public License for more details. . You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . + along with this program. If not, see . . Also add information on how to contact you by electronic and paper mail. . @@ -665,4 +665,4 @@ License: AGPL-3+ You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU AGPL, see - . + . diff --git a/debian/copyright b/debian/copyright index 808999e..bf11138 100644 --- a/debian/copyright +++ b/debian/copyright @@ -8,7 +8,7 @@ License: AGPL-3+ GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 . - Copyright (C) 2007 Free Software Foundation, Inc. + Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. . @@ -650,7 +650,7 @@ License: AGPL-3+ GNU Affero General Public License for more details. . You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . + along with this program. If not, see . . Also add information on how to contact you by electronic and paper mail. . @@ -665,4 +665,4 @@ License: AGPL-3+ You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU AGPL, see - . + . diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf index f8004fe..f0ed5a4 100644 --- a/etc/skel/.gnupg/gpg.conf +++ b/etc/skel/.gnupg/gpg.conf 
@@ -282,13 +282,13 @@ display-charset utf-8 ################################################################## ################################################################## -## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html +## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html personal-digest-preferences SHA512 cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -## END Some suggestions from Debian http://keyring.debian.org/creating-key.html +## END Some suggestions from Debian https://keyring.debian.org/creating-key.html ################################################################## ################################################################## diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index be8fddd..3739391 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc @@ -34,7 +34,7 @@ switch_user=false original_args="$@" ## Thanks to: -## http://mywiki.wooledge.org/BashFAQ/035 +## https://mywiki.wooledge.org/BashFAQ/035 while : do diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 92e3aa8..14da1fe 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -70,7 +70,7 @@ init() { parse_options() { ## Thanks to: - ## http://mywiki.wooledge.org/BashFAQ/035 + ## https://mywiki.wooledge.org/BashFAQ/035 while : do diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 5a2c5d7..62b6823 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -29,7 +29,7 @@ root_check() { parse_cmd_options() { ## Thanks to: - ## http://mywiki.wooledge.org/BashFAQ/035 + ## https://mywiki.wooledge.org/BashFAQ/035 while : do From d0a59617f6b8a90fd5c758699e910af9d7496c98 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Thu, 18 Jul 2024 00:13:30 +1000 Subject: [PATCH 1242/1650] Add missing Copyright (C) statements --- debian/security-misc.displace-extension | 3 +++ debian/security-misc.gconf-defaults | 3 +++ debian/security-misc.links | 3 +++ etc/bluetooth/30_security-misc.conf | 3 +++ etc/dkms/framework.conf.d/30_security-misc.conf | 3 +++ etc/dracut.conf.d/30-security-misc.conf | 3 +++ etc/securetty.security-misc | 3 +++ etc/security/faillock.conf.security-misc | 3 +++ etc/systemd/system/emergency.service.d/override.conf | 3 +++ etc/systemd/system/rescue.service.d/override.conf | 3 +++ usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 3 +++ usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 3 +++ usr/lib/systemd/coredump.conf.d/30_security-misc.conf | 3 +++ .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 3 +++ usr/lib/systemd/system/harden-module-loading.service | 3 +++ usr/lib/systemd/system/sysinit-post.target | 3 +++ usr/lib/systemd/system/user@.service.d/sysfs.conf | 3 +++ usr/libexec/security-misc/disable-kernel-module-loading | 3 +++ usr/share/glib-2.0/schemas/30_security-misc.gschema.override | 3 +++ 19 files changed, 57 insertions(+) diff --git a/debian/security-misc.displace-extension b/debian/security-misc.displace-extension index 6ecb033..2959324 100644 --- a/debian/security-misc.displace-extension +++ b/debian/security-misc.displace-extension @@ -1 +1,4 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + .security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index 26d57ff..ebfb7f3 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + /apps/nautilus/preview_sound never /apps/nautilus/show_icon_text never /apps/nautilus/show-image-thumbnails never 
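Review bot: `debian/security-misc.displace-extension` is read by config-package-dev's dh_configpackage to obtain the displacement suffix, and I am not certain its reader skips `#` lines the way debhelper's comment-aware readers do for `.links`; if it takes the file verbatim, the new first line `## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP` would become the extension and every displaced file (for example `etc/securetty.security-misc` in this same patch) would be installed under the wrong name. Please confirm by building the package and checking that the generated maintainer scripts still reference `.security-misc`, or drop the two header lines from this one file if the tool does not tolerate comments. The same question applies to `debian/security-misc.gconf-defaults` if its consumer does not treat `#` as a comment.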
diff --git a/debian/security-misc.links b/debian/security-misc.links index 308f070..467193f 100644 --- a/debian/security-misc.links +++ b/debian/security-misc.links @@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + /etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh /etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf index d3410f2..0bd3b9f 100644 --- a/etc/bluetooth/30_security-misc.conf +++ b/etc/bluetooth/30_security-misc.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [General] # How long to stay in pairable mode before going back to non-discoverable # The value is in seconds. Default is 0. diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf index f9a643d..095e050 100644 --- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## This configuration file modifies the behavior of ## DKMS (Dynamic Kernel Module Support) and is sourced ## in by DKMS every time it is run. diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 90c7698..4e24799 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + reproducible=yes ## Debugging. diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index ca0d81b..e32ca29 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc 
@@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index bb81754..d52c196 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -1,3 +1,6 @@ +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + # Configuration for locking the user after multiple failed # authentication attempts. # diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index b24186a..a7d4469 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index b24186a..a7d4469 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf index 0605c37..246eaf2 100644 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf 
@@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index 04d0312..dfeda10 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf index 519f838..2cb1b1a 100644 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf +++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Coredump] Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index e53c635..5959004 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service index ed2392c..3394623 100644 
--- a/usr/lib/systemd/system/harden-module-loading.service +++ b/usr/lib/systemd/system/harden-module-loading.service @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Unit] Description=Disable the loading of additional modules after systemd-modules-load.service Documentation=https://github.com/Kicksecure/security-misc diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target index faeb6f9..336133b 100644 --- a/usr/lib/systemd/system/sysinit-post.target +++ b/usr/lib/systemd/system/sysinit-post.target @@ -1,3 +1,6 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Unit] Description=sys-init.target by security-misc diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf index e0cf3a7..2c27ce5 100644 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf +++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf @@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Service] SupplementaryGroups=sysfs diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading index e2174ac..1916cc0 100644 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -1,5 +1,8 @@ #!/bin/bash +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + set -x set -e diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 2ee9098..92b5348 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override 
@@ -1,2 +1,5 @@ +## Copyright (C) 2017 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [org.gnome.nautilus.preferences] show-image-thumbnails="never" From 4afe257a42576158a54a68948440a2b4c043b67c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 18 Jul 2024 00:14:13 +1000 Subject: [PATCH 1243/1650] minor --- etc/bluetooth/30_security-misc.conf | 2 +- usr/share/security-misc/dolphinrc | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf index 0bd3b9f..8f45502 100644 --- a/etc/bluetooth/30_security-misc.conf +++ b/etc/bluetooth/30_security-misc.conf @@ -19,7 +19,7 @@ MaxControllers=1 # How long to keep temporary devices around # The value is in seconds. Default is 30. # 0 = disable timer, i.e. never keep temporary devices -TemporaryTimeout = 0 +TemporaryTimeout = 0 [Policy] # AutoEnable defines option to enable all controllers when they are found. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 682401d..00e7768 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -3,4 +3,3 @@ [PreviewSettings] Plugins= - From 821a416fe39e11ca030c63f25a5220772d80eae5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:43:16 -0400 Subject: [PATCH 1244/1650] spelling --- README.md | 308 +++++++++++++++++++++++++++--------------------------- 1 file changed, 154 insertions(+), 154 deletions(-) diff --git a/README.md b/README.md index 0e5d290..515b259 100644 --- a/README.md +++ b/README.md 
@@ -5,8 +5,8 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. -- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project -- https://kspp.github.io/Recommended_Settings +- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings ### sysctl 
@@ -16,88 +16,88 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict access to kernel addresses through the us of kernel pointers regardless - of user privileges. +- Restrict access to kernel addresses through the use of kernel pointers regardless + of user privileges. -- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain - sensitive information. +- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain + sensitive information. -- Prevent kernel information leaks in the console during boot. +- Prevent kernel information leaks in the console during boot. -- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. +- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. -- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the - likelihood of use-after-free exploits. +- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the + likelihood of use-after-free exploits. -- Disable `kexec` as it can be used to replace the running kernel. +- Disable `kexec` as it can be used to replace the running kernel. -- Entirely disables the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). +- Entirely disable the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Provide the option to disable unprivileged user namespaces as they can lead to - substantial privilege escalation. +- Provide the option to disable unprivileged user namespaces as they can lead to + substantial privilege escalation. 
-- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Disable asynchronous I/O (when using Linux kernel version >= 6.6). +- Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the - option to also entirely disable the use of `ptrace()` for all processes. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. Provide the + option to entirely disable the use of `ptrace()` for all processes. -- Prevent hardlink and symlink TOCTOU races in world-writable directories. +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Disallow unintentional writes to files in world-writable directories unless - they are owned by the directory owner to mitigate some data spoofing attacks. +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. -- Increase the maximum number of memory map areas a process is able to utilise. +- Increase the maximum number of memory map areas a process is able to utilize. -- Disable core dump files and prevent their creation. If core dump files are - enabled, they will be named based on `core.PID` instead of the default `core`. +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be named based on `core.PID` instead of the default `core`. -- Limit the copying of potentially sensitive content in memory to the swap device. 
+- Limit the copying of potentially sensitive content in memory to the swap device. Various networking components of the TCP/IP stack are hardened for IPv4/6. -- Enable TCP SYN cookie protection to assist against SYN flood attacks. +- Enable TCP SYN cookie protection to assist against SYN flood attacks. -- Protect against TCP time-wait assassination hazards. +- Protect against TCP time-wait assassination hazards. -- Enables reverse path filtering (source validation) of packets received - from all interfaces to prevent IP spoofing. +- Enable reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimise information disclosure. +- Disable ICMP redirect acceptance and redirect sending messages to + prevent man-in-the-middle attacks and minimize information disclosure. -- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. -- Ignore bogus ICMP error responses. +- Ignore bogus ICMP error responses. -- Disable source routing which allows users redirect network traffic that - can result in man-in-the-middle attacks. +- Disable source routing which allows users to redirect network traffic that + can result in man-in-the-middle attacks. -- Do not accept IPv6 router advertisements and solicitations. +- Do not accept IPv6 router advertisements and solicitations. -- Provide the option to disable SACK and DSACK as they have historically been - a known vector for exploitation. +- Provide the option to disable SACK and DSACK as they have historically been + a known vector for exploitation. -- Disable TCP timestamps as it can allow detecting the system time. +- Disable TCP timestamps as they can allow detecting the system time. 
-- Provide the option to log of packets with impossible source or destination - addresses to enable further inspection and analysis. +- Provide the option to log packets with impossible source or destination + addresses to enable further inspection and analysis. -- Provide the option to enable IPv6 Privacy Extensions. +- Provide the option to enable IPv6 Privacy Extensions. ### mmap ASLR -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. ### Boot parameters 
@@ -109,45 +109,45 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. -- Disable merging of slabs with similar size which reduces the risk of - triggering heap overflows and limits influencing slab cache layout. +- Disable merging of slabs with similar size, which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. -- Enable memory zeroing at both allocation and free time which mitigate some - use-after-free vulnerabilities by erasing sensitive information in memory. +- Enable memory zeroing at both allocation and free time, which mitigates some + use-after-free vulnerabilities by erasing sensitive information in memory. -- Enable the kernel page allocator to randomise free lists to limit some data - exfiltration and ROP attacks especially during the early boot process. +- Enable the kernel page allocator to randomize free lists to limit some data + exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation to increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. -- Enables randomisation of the kernel stack offset on syscall entries to harden - against memory corruption attacks. +- Enable randomization of the kernel stack offset on syscall entries to harden + against memory corruption attacks. -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been - replaced by vDSO. +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. -- Restrict access to debugfs by not registering the file system since it can - contain sensitive information. +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. 
-- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. -- Provide option to modify machine check exception handler. +- Provide option to modify machine check exception handler. -- Provide option to disable support for all x86 processes and syscalls to reduce - attack surface (when using Linux kernel version >= 6.7). +- Provide option to disable support for all x86 processes and syscalls to reduce + attack surface (when using Linux kernel version >= 6.7). -- Enable strict IOMMU translation to protect against DMA attacks and disable - the busmaster bit on all PCI bridges during the early boot process. +- Enable strict IOMMU translation to protect against DMA attacks and disable + the busmaster bit on all PCI bridges during the early boot process. -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximise the absolute quantity of entropy in the combined pool. +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximize the absolute quantity of entropy in the combined pool. -- Obtain more entropy at boot from RAM as the runtime memory allocator is - being initialised. +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialized. -- Provide option to disable the entire IPv6 stack to reduce attack surface. +- Provide option to disable the entire IPv6 stack to reduce attack surface. Disallow sensitive kernel information leaks in the console during boot. See the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. 
@@ -156,20 +156,20 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. #### Kernel Module Signature Verification -Not yet due to issues: +Not yet implemented due to issues: -- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -- https://github.com/dell/dkms/issues/359 +- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +- https://github.com/dell/dkms/issues/359 See: -- `/etc/default/grub.d/40_signed_modules.cfg` +- `/etc/default/grub.d/40_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact -Not yet due to issues: +Not yet implemented due to issues: -- https://github.com/Kicksecure/security-misc/pull/152 +- https://github.com/Kicksecure/security-misc/pull/152 A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, preventing new modules from being loaded. Since this isn't configured directly 
@@ -186,47 +186,47 @@ Certain kernel modules are blacklisted by default to reduce attack surface via `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel modules from automatically starting. -- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. -- Miscellaneous: Blacklist an assortment other modules to prevent them from - automatically loading. +- Miscellaneous: Blacklist an assortment of other modules to prevent them from + automatically loading. Specific kernel modules are entirely disabled to reduce attack surface via `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel -modules from starting. This approach should not be considered comprehensive, -rather it is a form of badness enumeration. Any potential candidates for future +modules from starting. This approach should not be considered comprehensive; +rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. -- File Systems: Disable uncommon and legacy file systems. +- File Systems: Disable uncommon and legacy file systems. -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- GPS: Disable GPS-related modules such as those required for Global Navigation - Satellite Systems (GNSS). +- GPS: Disable GPS-related modules such as those required for Global Navigation + Satellite Systems (GNSS). -- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the - Intel ME and the OS. 
See discussion: https://github.com/Kicksecure/security-misc/issues/239 +- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 -- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality - of the Intel PMT components. +- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality + of the Intel PMT components. -- Network File Systems: Disable uncommon and legacy network file systems. +- Network File Systems: Disable uncommon and legacy network file systems. -- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. +- Network Protocols: A wide array of uncommon and legacy network protocols are disabled. -- Miscellaneous: Disable an assortment other modules such as those required - for amateur radio, floppy disks, and vivid. +- Miscellaneous: Disable an assortment of other modules such as those required + for amateur radio, floppy disks, and vivid. -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. ### Other -- A systemd service clears the System.map file on boot as these contain kernel - pointers. The file is completely overwritten with zeroes to ensure it cannot - be recovered. See: +- A systemd service clears the System.map file on boot as these contain kernel + pointers. The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` 
@@ -234,8 +234,8 @@ disabling should first be blacklisted for a suitable amount of time. `/usr/libexec/security-misc/remove-system.map` -- Coredumps are disabled as they may contain important information such as - encryption keys or passwords. See: +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. See: `/etc/security/limits.d/30_security-misc.conf` 
@@ -243,34 +243,34 @@ disabling should first be blacklisted for a suitable amount of time. `/lib/systemd/coredump.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` because `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening -Not yet due to issues: +Not yet implemented due to issues: -- https://github.com/Kicksecure/security-misc/pull/145 +- https://github.com/Kicksecure/security-misc/pull/145 -- https://github.com/Kicksecure/security-misc/issues/184 +- https://github.com/Kicksecure/security-misc/issues/184 -- Unlike version 4, IPv6 addresses can provide information not only about the - originating network, but also the originating device. We prevent this from - happening by enabling the respective privacy extensions for IPv6. +- Unlike version 4, IPv6 addresses can provide information not only about the + originating network but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. -- In addition, we deny the capability to track the originating device in the - network at all, by using randomized MAC addresses per connection per - default. 
+- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection by + default. See: -- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` ## Bluetooth Hardening @@ -303,16 +303,16 @@ See: ## Entropy collection improvements -- The `jitterentropy_rng` kernel module is loaded as early as possible during - boot to gather more entropy via the - `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -- Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the - bootloader seed for initial entropy. For references, see: - `/etc/default/grub.d/40_kernel_hardening.cfg` +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` -- Gathers more entropy during boot if using the linux-hardened kernel patch. +- Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options 
@@ -320,44 +320,44 @@ A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package -install. +installation. Not enabled by default yet. In development. Help welcome. -- https://www.kicksecure.com/wiki/Dev/remount-secure -- https://github.com/Kicksecure/security-misc/issues/157 -- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +- https://www.kicksecure.com/wiki/Dev/remount-secure +- https://github.com/Kicksecure/security-misc/issues/157 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions -- `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts - - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in - file `/etc/pam.d/common-auth`). +- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). -- Add user `root` to group `sudo`. This is required due to the above - restriction so that logging in from a virtual console is still possible - - `debian/security-misc.postinst` +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` -- Abort login for users with locked passwords - - `/usr/libexec/security-misc/pam-abort-on-locked-password`. 
+- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. -- Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty `/etc/securetty` file (deletion - of `/etc/securetty` has a different effect). +- Logging into the root account from a virtual, serial, or other console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). This package does not yet automatically lock the root account password. It is -not clear if this would be sane in such a package although, it is recommended to +not clear if this would be sane in such a package, although it is recommended to lock and expire the root account. -In new Kicksecure builds, root account will be locked by package +In new Kicksecure builds, the root account will be locked by package dist-base-files. See: -- https://www.kicksecure.com/wiki/Root -- https://www.kicksecure.com/wiki/Dev/Permissions -- https://forums.whonix.org/t/restrict-root-access/7658 +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. Therefore, this package enables passwordless rescue and emergency shell. This is From 5cec685cf9b0845838f17fba78ac65d6c2e63386 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:49:21 -0400 Subject: [PATCH 1245/1650] spelling --- README.md | 174 +++++++++++++++++++++++++++--------------------------- 1 file changed, 88 insertions(+), 86 deletions(-) diff --git a/README.md b/README.md index 515b259..b6aa965 100644 --- a/README.md +++ b/README.md 
@@ -361,31 +361,31 @@ See: However, a locked root password will break rescue and emergency shell. Therefore, this package enables passwordless rescue and emergency shell. This is -the same solution that Debian will likely adapt for Debian installer: +the same solution that Debian will likely adopt for the Debian installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -- `/etc/systemd/system/emergency.service.d/override.conf` -- `/etc/systemd/system/rescue.service.d/override.conf` +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password -protection, GRUB password protection and/or full disk encryption. +protection, GRUB password protection, and/or full disk encryption. ## Console lockdown -This uses pam_access to allow members of group `console` to use console but +This uses pam_access to allow members of group `console` to use the console but restrict everyone else (except members of group `console-unrestricted`) from -using console with ancient, unpopular login methods such as `/bin/login` over +using the console with ancient, unpopular login methods such as `/bin/login` over networks as this might be exploitable. (CVE-2001-0797) This is not enabled by default in this package since this package does not know -which users shall be added to group 'console' and thus, would break console. +which users should be added to group 'console' and thus, would break console access. See: -- `/usr/share/pam-configs/console-lockdown-security-misc` -- `/etc/security/access-security-misc.conf` +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` ## Brute force attack protection 
@@ -393,16 +393,16 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -- Show failed and remaining password attempts. -- Document unlock procedure if Linux user account got locked. -- Point out that there is no password feedback for `su`. -- Explain locked root account if locked. +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. See: -- `/usr/share/pam-configs/tally2-security-misc` -- `/usr/libexec/security-misc/pam-info` -- `/usr/libexec/security-misc/pam-abort-on-locked-password` +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions @@ -410,11 +410,13 @@ See: #### Permission Lockdown -Read, write and execute access for "others" are removed during package -installation, upgrade or PAM `mkhomedir` for all users who have home folders in +Read, write, and execute access for "others" are removed during package +installation, upgrade, or PAM `mkhomedir` for all users who have home folders in `/home` by running, for example: - chmod o-rwx /home/user +``` +chmod o-rwx /home/user +``` This will be done only once per folder in `/home` so users who wish to relax file permissions are free to do so. This is to protect files in a home folder 
@@ -423,20 +425,20 @@ of this package. See: -- `debian/security-misc.postinst` -- `/usr/libexec/security-misc/permission-lockdown` -- `/usr/share/pam-configs/mkhomedir-security-misc` +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` #### umask -Default `umask` is set to `027` for files created by non-root users such as for -example user `user`. Broken. Disabled. See: +Default `umask` is set to `027` for files created by non-root users such as +user `user`. Broken. Disabled. See: * https://github.com/Kicksecure/security-misc/issues/184 -This is doing using pam module `pam_mkhomedir.so umask=027`. +This is done using the PAM module `pam_mkhomedir.so umask=027`. -This means, files created by non-root users cannot be read by other non-root +This means files created by non-root users cannot be read by other non-root users by default. While Permission Lockdown already protects the `/home` folder, this protects other folders such as `/tmp`. @@ -444,13 +446,13 @@ this protects other folders such as `/tmp`. use of User Private Groups (UPGs). See also: https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root, because then configuration files created +Default `umask` is unchanged for root because then configuration files created in `/etc` by the system administrator would be unreadable by "others" and break applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. See: -- `/usr/share/pam-configs/umask-security-misc` +- `/usr/share/pam-configs/umask-security-misc` ### SUID / SGID removal and permission hardening 
@@ -464,13 +466,13 @@ are often used in privilege escalation attacks. Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: -- Limiting `/home` and `/root` to the root only. -- Limiting crontab to root as well as all the configuration files for cron. -- Limiting the configuration for cups and ssh. -- Protecting the information of sudoers from others. -- Protecting various system relevant files and modules. +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. +- Protecting various system-relevant files and modules. -##### permission-hardener ##### +##### permission-hardener `permission-hardener` removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It is enabled by default @@ -479,7 +481,7 @@ and applied at security-misc package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that can be enabled by running `systemctl enable permission-hardener.service` as root. The hardening at boot time is not the default because this slows down -the boot too much. +the boot process too much. See: 
@@ -505,43 +507,43 @@ See: ## Application-specific hardening -- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -- Deactivates previews in Dolphin. -- Deactivates previews in Nautilus - - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -- Deactivates thumbnails in Thunar. - - rationale: lower attack surface when using the file manager - - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 -- Thunderbird is hardened with the following options: - - Displays domain names in punycode to prevent IDN homograph attacks (a - form of phishing). - - Strips email client information for sent email headers. - - Stripts user time information from sent email headers by replacing the - originating time zone with UTC and rounding the timestamp to the nearest - minute. - - Disables scripting when viewing pdf files. - - Disables implicit outgoing connections. - - Disables all and any kind of telemetry. -- Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. See also: - - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - - https://github.com/ioerror/torbirdy/pull/11 +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. + - Rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). 
+ - Strips email client information from sent email headers. + - Strips user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. + - Disables scripting when viewing PDF files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 -### project scope of application-specific hardening +### Project scope of application-specific hardening Added in December 2023. Before sending pull requests to harden arbitrary applications, please note the scope of security-misc is limited to default installed applications in -Kicksecure, Whonix. This includes: +Kicksecure and Whonix. This includes: -- Thunderbird, VLC Media Player, KeepassXC -- Debian Specific System Components (APT, DPKG) -- System Services (NetworkManager IPv6 privacy options, MAC address - randomization) -- Actually used development utilities such as `git`. +- Thunderbird, VLC Media Player, KeePassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. It will not be possible to review and merge "1500" settings profiles for arbitrary applications outside of this context. 
@@ -552,26 +554,26 @@ compatible with Debian, reflecting a commitment to clean implementation and sound design principles. However, it's important to note that security-misc is a component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. Instead, specific security -enhancements, like for example recommending a curated list of security-focused +enhancements, like recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g.`kicksecure-meta-packages`). +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). Discussion: https://github.com/Kicksecure/security-misc/issues/154 -### development philosophy +### Development philosophy Added in December 2023. -"Maintainability is a key priority \[1\]. Before modifying settings in the +Maintainability is a key priority \[1\]. Before modifying settings in the downstream security-misc, it's essential to first engage with upstream developers to propose these changes as defaults. This step should only be bypassed if there's a clear, prior indication from upstream that such changes won't be accepted. Additionally, before implementing any workarounds, consulting -with upstream is necessary to future unmaintainable complexity. +with upstream is necessary to avoid future unmaintainable complexity. If debugging features are disabled, pull requests won't be merged until there is a corresponding pull request for the debug-misc package to re-enable these. This -is to avoid configuring the system into a corner where it can be no longer +is to avoid configuring the system into a corner where it can no longer be debugged. \[1\] https://www.kicksecure.com/wiki/Dev/maintainability 
@@ -581,26 +583,26 @@ debugged. Some hardening is opt-in as it causes too much breakage to be enabled by default. -- An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing another user's processes. This is disabled by - default because it is incompatible with `pkexec`. It can be enabled by - executing `systemctl enable proc-hidepid.service` as root. +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. -- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and - `/sys` to the root user. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled - by executing `systemctl enable hide-hardware-info.service` as root. +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and + `/sys` to the root user. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. -## miscellaneous +## Miscellaneous -- hardened malloc compatibility for haveged workaround - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` +- Hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` -- set `dracut` `reproducible=yes` setting +- Set `dracut` `reproducible=yes` setting -## legal +## Legal `/usr/lib/issue.d/20_security-misc.issue` 
From 24cd70a014b221b25669755b955bc114fe083643 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:55:12 -0400 Subject: [PATCH 1246/1650] spelling --- .../sysctl.d/30_security-misc_kexec-disable.conf | 15 ++++++++------- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 7 ++++--- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 74c0bbf..0177c2c 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -2,15 +2,16 @@ ## See the file COPYING for copying conditions. ## NOTE: -## Why is this in a dedicated config file? -## Package ram-wipe requires kexec. However, ram-wipe could not ship a config -## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. -## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' -## it cannot be undone without reboot. This is a upstream Linux security feature. +## This configuration is in a dedicated file because the ram-wipe package +## requires kexec. However, ram-wipe cannot ship a config file +## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. +## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', +## it cannot be undone without a reboot. This is an upstream Linux security feature. -## Disables kexec which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. +## Disables kexec, which can be used to replace the running kernel. +## Kexec is useful for live kernel patching without rebooting. ## +## For more information, see: ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 884a2a6..0d5e4aa 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
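Review bot: The rewritten rationale line `## Kexec is useful for live kernel patching without rebooting.` misdescribes kexec: it does not patch the running kernel in place (that is livepatch), it boots a replacement kernel image from the running one, and that is exactly why the setting exists — a process holding CAP_SYS_BOOT could otherwise use kexec_load to start an unverified kernel and sidestep the boot chain. Since this comment is the only justification a reader gets for `kernel.kexec_load_disabled=1`, I would replace it with `## kexec boots a new kernel image from the running one (fast reboot, kdump); the same mechanism` and `## can be used to load an unverified kernel, bypassing the verified boot chain.` The same "live kernel patching" wording is still present as an unchanged context line in 990-security-misc.conf in this series and deserves the same correction.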
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -5,10 +5,11 @@ ## Must be used in combination with the kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## +## For more information, refer to: ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## kernel.printk=3 3 3 3 -## For Increased Log Verbosity: -## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. -## Alternatively, installing the debug-misc package will undo these settings. +## For increased log verbosity: +## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, +## B) Alternatively, install the debug-misc package to undo these settings. From c8be4ac83c2563798ee35d56200eb8d11a2c32e3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:56:14 -0400 Subject: [PATCH 1247/1650] comment --- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 0177c2c..b61a762 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -7,6 +7,7 @@ ## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. ## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', ## it cannot be undone without a reboot. This is an upstream Linux security feature. +## Instead, ram-wipe will config-package-dev 'hide' this file. ## Disables kexec, which can be used to replace the running kernel. ## Kexec is useful for live kernel patching without rebooting. From a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 Mon Sep 17 00:00:00 2001 
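Review bot: The two new alternatives at the end of the file double up their conjunction — `A) ... Or,` is immediately followed by `B) Alternatively, ...` — which reads like a leftover from the single sentence it replaced. I would write `## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg, or` and `## B) install the debug-misc package, which undoes these settings.` Purely wording; the `kernel.printk=3 3 3 3` value and the cross-reference to 41_quiet_boot.cfg are unchanged.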
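Review bot: The added line `## Instead, ram-wipe will config-package-dev 'hide' this file.` uses the tool name as a verb, so a reader who does not know config-package-dev cannot tell what "hide" does or why it succeeds where a second sysctl.d file (as the preceding lines explain) cannot. I would spell the mechanism out, e.g. `## Instead, ram-wipe uses config-package-dev's "hide" action (a dpkg diversion, as far as I understand that tool) to remove this file from` and `## /usr/lib/sysctl.d, so 'kernel.kexec_load_disabled=1' is never applied on systems that need kexec.` Worth adding a pointer to the ram-wipe package or the relevant issue if one exists, since this comment is the only documentation of the interaction.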
From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:04:03 -0400 Subject: [PATCH 1248/1650] spelling --- usr/lib/sysctl.d/990-security-misc.conf | 84 ++++++++++++------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52e3345..60440e5 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -2,18 +2,18 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is -## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. +## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 -## This configuration file is split into 5 sections: +## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space ## 3. Core Dumps ## 4. Swap Space ## 5. Networking -## See the documentation below for details on the majority of the selected commands. +## For detailed explanations of most of the selected commands, refer to: ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html 
@@ -25,20 +25,20 @@ ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel ## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. ## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## kernel.kptr_restrict=2 -## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Restrict access to the kernel log buffer to users with CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. -## Must be used in combination with the kernel boot parameters. +## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html 
@@ -54,23 +54,23 @@ kernel.dmesg_restrict=1 kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 -## Restrict loading TTY line disciplines to CAP_SYS_MODULE. -## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. +## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. ## ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## https://lkml.org/lkml/2019/4/15/890 ## dev.tty.ldisc_autoload=0 -## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. -## Reduces likelihood of use-after-free exploits from heap sprays. +## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. +## Reduces the likelihood of use-after-free exploits from heap sprays. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 ## https://duasynt.com/blog/linux-kernel-heap-spray ## vm.unprivileged_userfaultfd=0 -## Disables kexec which can be used to replace the running kernel. +## Disables kexec, which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec @@ -80,7 +80,7 @@ vm.unprivileged_userfaultfd=0 #kernel.kexec_load_disabled=1 ## Disable the SysRq key to prevent leakage of kernel information. -## The Secure Attention Key (SAK) can no longer be utilised. +## The Secure Attention Key (SAK) can no longer be utilized. ## ## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html ## https://www.kicksecure.com/wiki/SysRq 
@@ -88,10 +88,10 @@ vm.unprivileged_userfaultfd=0 ## kernel.sysrq=0 -## Restrict user namespaces to CAP_SYS_ADMIN. +## Restrict user namespaces to users with CAP_SYS_ADMIN. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting is well-known to cause breakages across numerous software. +## Restricting is known to cause breakages across numerous software packages. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers @@ -100,7 +100,7 @@ kernel.sysrq=0 ## #kernel.unprivileged_userns_clone=0 -## Restricts kernel profiling to CAP_PERFMON. +## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting. ## @@ -110,7 +110,7 @@ kernel.sysrq=0 kernel.perf_event_paranoid=3 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Heap randomisation can lead to breakages with legacy applications. +## Heap randomization can lead to breakages with legacy applications. ## ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux ## @@ -124,7 +124,7 @@ kernel.randomize_va_space=2 ## kernel.io_uring_disabled=2 -## 2.User Space: +## 2. User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace 
@@ -143,8 +143,8 @@ kernel.io_uring_disabled=2 ## kernel.yama.ptrace_scope=2 -## Maximise bits of entropy for improved effectiveness of mmap ASLR. -## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). +## Maximize bits of entropy for improved effectiveness of mmap ASLR. +## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). ## Both explicit sysctl are made redundant due to automation. ## Do NOT enable either sysctl - displaying only for clarity. ## @@ -156,9 +156,9 @@ kernel.yama.ptrace_scope=2 #vm.mmap_rnd_compat_bits=16 ## Prevent hardlink creation by users who do not have read/write/ownership of source file. -## Only allow symlinks to be followed when outside of a world-writable sticky directories. +## Only allow symlinks to be followed when outside of world-writable sticky directories. ## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. -## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. ## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## ## https://wiki.archlinux.org/title/Security#File_systems 
@@ -169,16 +169,16 @@ fs.protected_hardlinks=1 fs.protected_symlinks=1 ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. -## Also applies to group writable sticky directories to make data spoofing attacks more difficult. +## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. ## Prevents unintentional writes to attacker-controlled files. ## fs.protected_fifos=2 fs.protected_regular=2 -## Increase the maximum number of memory map areas a process is permitted to utilise. -## Addresses performance, crash, and start-up issues for some memory intensive applications. +## Increase the maximum number of memory map areas a process is permitted to utilize. +## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. -## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. +## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. ## ## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ ## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems @@ -192,7 +192,7 @@ vm.max_map_count=1048576 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps ## Disable core dump files by preventing any pattern names. -## This setting may be overwritten by systemd is is not comprehensive. +## This setting may be overwritten by systemd and is not comprehensive. ## Core dumps are also disabled in security-misc via other means. ## ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps 
@@ -204,7 +204,7 @@ kernel.core_pattern=|/bin/false ## fs.suid_dumpable=0 -## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. +## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. ## If core dumps are permitted, only useful if PID listings are hidden from non-root users. ## kernel.core_uses_pid=1 @@ -214,8 +214,8 @@ kernel.core_uses_pid=1 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap ## Limit the copying of memory to the swap device only if absolutely necessary. -## Minimises the likelihood of writing potentially sensitive contents to disk. -## Not reccommmeded to set to zero since this disables periodic write behavior. +## Minimizes the likelihood of writing potentially sensitive contents to disk. +## Not recommended to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux ## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html @@ -242,7 +242,7 @@ net.ipv4.tcp_syncookies=1 net.ipv4.tcp_rfc1337=1 ## Enable reverse path filtering (source validation) of packets received from all interfaces. -## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 @@ -252,7 +252,7 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimises information disclosure. +## Prevents man-in-the-middle attacks and minimizes information disclosure. ## ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## 
@@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1 ## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Disable source routing which allows users redirect network traffic. +## Disable source routing which allows users to redirect network traffic. ## Prevents man-in-the-middle attacks in which the traffic is redirected. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing @@ -323,10 +323,10 @@ net.ipv6.conf.default.accept_ra=0 net.ipv4.tcp_timestamps=0 ## Enable logging of packets with impossible source or destination addresses. -## Martian and unroutable packets may be used for dangerous purposes. -## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. -## Good for troubleshooting and diagnostics but not necessary by default. -## Known for causing performance issues especially on systems with multiple interfaces. +## Martian and unroutable packets may be used for malicious purposes. +## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. +## Useful for troubleshooting and diagnostics but not necessary by default. +## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 
@@ -336,19 +336,19 @@ net.ipv4.tcp_timestamps=0 #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 -## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses. -## The temporary/privacy address is used as the source of all outgoing traffic. +## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. +## The temporary/privacy address is used as the source for all outgoing traffic. ## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. -## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. +## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. ## -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 ## https://github.com/Kicksecure/security-misc/pull/145 ## https://github.com/Kicksecure/security-misc/issues/184 ## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. +## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.all.use_tempaddr=2 #net.ipv6.conf.default.use_tempaddr=2 From b569fc02a4650187e69b62b95439c05ee2611e91 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:38:53 -0400 Subject: [PATCH 1249/1650] spelling --- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 9a23579..4806484 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## Some default configuration files automatically include the "quiet" parameter. -## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. ## LANG=C str_replace is provided by package helper-scripts. ## ## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 From 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:40:51 -0400 Subject: [PATCH 1250/1650] spelling --- etc/default/grub.d/40_remount_secure.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index 3427bf1..db6db11 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Remount Secure provides enhanced security via mmount options: +## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## Option A (No Security): @@ -19,7 +19,7 @@ ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" -## Option D (Highest Security) +## Option D (Highest Security): ## Re-mount with nodev, nosuid, and noexec for all mount points including /home. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" From f4da582aa31b869413aef6f4e252b7985e961339 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:44:17 -0400 Subject: [PATCH 1251/1650] spelling --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 55b6c17..99eee7d 100644 
--- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -18,7 +18,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. ## Disabling will significantly decrease system performance on multi-threaded tasks. -## To enable SMT, remove this line all other occurrences of "nosmt" in this file. +## To enable SMT, remove this line and all other occurrences of "nosmt" in this file. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 @@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enable mitigations using +## Patches the TAA vulnerability by disabling TSX and enables mitigations using ## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html @@ -97,7 +97,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## -## The default kernel setting will be utilised until provided sufficient evidence to modify. +## The default kernel setting will be utilized until provided sufficient evidence to modify. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" From d454f36c63bd653e47353fb1c93107b2d5584fe2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:52:29 -0400 Subject: [PATCH 1252/1650] spelling --- etc/default/grub.d/40_kernel_hardening.cfg | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 946f2a4..b69dfe0 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -11,7 +11,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## 3. Entropy ## 4. Networking -## See the documentation below for details on the majority of the selected commands. +## See the documentation below for details on the majority of the selected commands: ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB @@ -37,10 +37,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Enable the kernel page allocator to randomise free lists. -## During early boot the page allocator has predictable FIFO behaviour for physical pages. +## Enable the kernel page allocator to randomize free lists. +## During early boot, the page allocator has predictable FIFO behavior for physical pages. ## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. -## Also improves performance by optimising memory-side cache utilisation. +## Also improves performance by optimizing memory-side cache utilization. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks 
@@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -## Enable randomisation of the kernel stack offset on syscall entries. +## Enable randomization of the kernel stack offset on syscall entries. ## Hardens against memory corruption attacks due to increased entropy. ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. ## @@ -96,7 +96,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## -## The default kernel setting will be utilised until provided sufficient evidence to modify. +## The default kernel setting will be utilized until provided sufficient evidence to modify. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" @@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" ## Disable the busmaster bit on all PCI bridges during the early boot process. -## Patches weak-point in some existing IOMMU implementations. +## Patches weak points in some existing IOMMU implementations. ## May lead to issues such as complete system boot failure on certain devices. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 
@@ -159,8 +159,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## The RDRAND CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. -## Maximising the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialise the RNG. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialize the RNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception @@ -175,7 +175,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" -## Obtain more entropy during boot as the runtime memory allocator is being initialised. +## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. ## Requires the linux-hardened kernel patch. ## From b04828f858fa6d101099773d3156841fd6d33b6f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 18 Jul 2024 11:01:41 +1000 Subject: [PATCH 1253/1650] Disable the usage of `ptrace()` by all processes --- README.md | 5 ++--- usr/lib/sysctl.d/990-security-misc.conf | 6 ++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b6aa965..cbd2530 100644 --- a/README.md +++ b/README.md 
@@ -45,9 +45,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the - option to entirely disable the use of `ptrace()` for all processes. +- Disable the usage of `ptrace()` by all processes as it enables programs to + inspect and modify other active processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 60440e5..1131b77 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -128,7 +128,7 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Disable the usage of ptrace() system calls by all processes. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. @@ -139,9 +139,7 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## -## It is possible to harden further by disabling ptrace() for all users, see documentation. -## -kernel.yama.ptrace_scope=2 +kernel.yama.ptrace_scope=3 ## Maximize bits of entropy for improved effectiveness of mmap ASLR. ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). From 6d211faf591608ea6e7f484e8bc69dd567877abf Mon Sep 17 00:00:00 2001 
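Review bot: The move to `kernel.yama.ptrace_scope=3` is a one-way setting and the comment block kept above it does not say so: once Yama is in mode 3 the value cannot be lowered again without a reboot, whereas the previous mode 2 could be relaxed by root at runtime. Mode 3 also denies PTRACE_ATTACH and PTRACE_TRACEME to every process, including root holding CAP_SYS_PTRACE, so the retained line "Prevents native code debugging" understates the effect — attaching a debugger or tracer to any process stops working, not only for unprivileged users. Suggest a line next to the sysctl such as `## Mode 3 denies ptrace to all processes, including root with CAP_SYS_PTRACE; once set it cannot be changed without a reboot.` so that the irreversibility is documented the same way the kexec_load_disabled file on this page documents its own lock-in.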
From: Raja Grewal Date: Thu, 18 Jul 2024 11:04:54 +1000 Subject: [PATCH 1254/1650] Restrict unprivileged user namespaces --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b6aa965..b401517 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,8 @@ space, user space, core dumps, and swap space. - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Provide the option to disable unprivileged user namespaces as they can lead to - substantial privilege escalation. +- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 60440e5..ccb3dd3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -91,14 +91,12 @@ kernel.sysrq=0 ## Restrict user namespaces to users with CAP_SYS_ADMIN. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting is known to cause breakages across numerous software packages. +## Restricting may lead to breakages in numerous software packages. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## -## Unprivileged user namespaces are currently enabled. -## -#kernel.unprivileged_userns_clone=0 +kernel.unprivileged_userns_clone=0 ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. From faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 Mon Sep 17 00:00:00 2001 
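Review bot: `kernel.unprivileged_userns_clone` is not an upstream Linux sysctl — it exists only on kernels carrying the Debian/Ubuntu (and linux-hardened) patch — so now that the key is enforced rather than commented out, the block should say this and name the mainline equivalent: `## Debian-patched sysctl; on mainline kernels it is unknown and user.max_user_namespaces=0 is the equivalent control.` On a kernel without the patch the line is silently ineffective apart from an unknown-key message from systemd-sysctl. The rewording from "known to cause breakages" to "may lead to breakages" also softens a claim at the moment the setting becomes active; unprivileged user namespaces are what rootless containers and browser or bubblewrap-style sandboxes without a setuid helper rely on, and naming those cases in the comment would let users diagnose the resulting failures quickly.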
From: Raja Grewal Date: Thu, 18 Jul 2024 12:19:27 +1000 Subject: [PATCH 1255/1650] Typos --- README.md | 6 +++--- debian/security-misc.maintscript | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b6aa965..9e3cbaf 100644 --- a/README.md +++ b/README.md @@ -133,9 +133,9 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide option to modify machine check exception handler. +- Provide the option to modify machine check exception handler. -- Provide option to disable support for all x86 processes and syscalls to reduce +- Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). - Enable strict IOMMU translation to protect against DMA attacks and disable @@ -147,7 +147,7 @@ configuration file. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. -- Provide option to disable the entire IPv6 stack to reduce attack surface. +- Provide the option to disable the entire IPv6 stack to reduce attack surface. Disallow sensitive kernel information leaks in the console during boot. See the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index efa72c2..b875fd4 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -47,7 +47,7 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf -## moved to etc/permission-hardener.d +## moved to /etc/permission-hardener.d rm_conffile /etc/permission-hardening.d/25_default_passwd.conf rm_conffile /etc/permission-hardening.d/25_default_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b69dfe0..13ccac6 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -195,6 +195,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## https://www.kernel.org/doc/html/latest/networking/ipv6.html ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 ## -## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. +## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. ## #ipv6.disable=1 From 9e6facda7017498e8310a9c39403e95e81c5a903 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 18 Jul 2024 12:21:37 +1000 Subject: [PATCH 1256/1650] Update module disabling presentation --- README.md | 15 ++++++++++++--- etc/modprobe.d/30_security-misc_disable.conf | 18 ++++++++++-------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 9e3cbaf..6e19e2f 100644 --- a/README.md +++ b/README.md 
@@ -200,6 +200,10 @@ modules from starting. This approach should not be considered comprehensive; rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. +- Optional - Bluetooth: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + - File Systems: Disable uncommon and legacy file systems. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. 
@@ -207,21 +211,26 @@ disabling should first be blacklisted for a suitable amount of time. - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). -- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the - Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 +- Optional - Intel Management Engine (ME): Provides some disabling of the interface + between the Intel ME and the OS. May lead to breakages in places such as security, + power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality of the Intel PMT components. - Network File Systems: Disable uncommon and legacy network file systems. -- Network Protocols: A wide array of uncommon and legacy network protocols are disabled. +- Network Protocols: A wide array of uncommon and legacy network protocols and drivers + are disabled. - Miscellaneous: Disable an assortment of other modules such as those required for amateur radio, floppy disks, and vivid. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Optional - USB Video Device Class: Disables the USB-based video streaming driver for + devices like some webcams and digital camcorders. + ### Other - A systemd service clears the System.map file on boot as these contain kernel diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 426a0e6..d2408af 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -14,6 +14,7 @@ ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc @@ -43,7 +44,7 @@ ## File Systems: ## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc @@ -82,13 +83,14 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. -## ME functionality has increasing become more intertwined with basic system operation. -## Disabling may lead to breakages places such as security, power management, display, and DRM. +## ME functionality has increasing become more intertwined with basic Intel system operation. +## Disabling may lead to breakages in places such as security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 +## https://github.com/Kicksecure/security-misc/issues/239 ## #install mei /usr/bin/disabled-intelme-by-security-misc #install mei-gsc /usr/bin/disabled-intelme-by-security-misc 
@@ -219,11 +221,6 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## -## USB Video Device Class: -## Disables USB-based video streaming driver for devices like webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc -## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## @@ -241,3 +238,8 @@ install vivid /usr/bin/disabled-miscellaneous-by-security-misc install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc From 13cc1f0986033855a399b50442a86a8d8552eb96 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 18 Jul 2024 12:25:00 +1000 Subject: [PATCH 1257/1650] Clarify (future) disabling of `io_uring` --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6e19e2f..5cd9fad 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,8 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Disable asynchronous I/O (when using Linux kernel version >= 6.6). +- Provide the option to disable asynchronous I/O as `io_uring` has been the source + of numerous kernel exploits (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Provide the 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 60440e5..e302047 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -117,12 +117,18 @@ kernel.perf_event_paranoid=3 kernel.randomize_va_space=2 ## Disable asynchronous I/O for all processes. +## Leading cause of numerous kernel exploits. +## Disabling will reduce the read/write performance of storage devices. ## +## https://en.wikipedia.org/wiki/Io_uring#Security +## https://lwn.net/Articles/902466/ ## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## https://github.com/moby/moby/pull/46762 +## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## -kernel.io_uring_disabled=2 +#kernel.io_uring_disabled=2 ## 2. User Space: ## From 95286df50274953326accb615487e21d409b652a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 18 Jul 2024 15:28:31 +1000 Subject: [PATCH 1258/1650] Update README.md regarding secure ICMP redirects --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5cd9fad..29654c4 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. from all interfaces to prevent IP spoofing. - Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. + prevent man-in-the-middle attacks and minimize information disclosure. If + ICMP redirect messages are permitted, only do so from approved gateways. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. From 2ccc95f6d44bacd3da97d586542695f33d5faf38 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:05:23 +0000 Subject: [PATCH 1259/1650] bumped changelog version --- changelog.upstream | 412 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 + 2 files changed, 418 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b135da6..c7b5c05 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,283 @@ +commit d454f36c63bd653e47353fb1c93107b2d5584fe2 +Author: Patrick Schleizer +Date: Wed Jul 17 11:52:29 2024 -0400 + + spelling + +commit f4da582aa31b869413aef6f4e252b7985e961339 +Author: Patrick Schleizer +Date: Wed Jul 17 11:44:17 2024 -0400 + + spelling + +commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 +Author: Patrick Schleizer +Date: Wed Jul 17 11:40:51 2024 -0400 + + spelling + +commit b569fc02a4650187e69b62b95439c05ee2611e91 +Author: Patrick Schleizer +Date: Wed Jul 17 11:38:53 2024 -0400 + + spelling + +commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 +Author: Patrick Schleizer +Date: Wed Jul 17 11:04:03 2024 -0400 + + spelling + +commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 +Author: Patrick Schleizer +Date: Wed Jul 17 10:56:14 2024 -0400 + + comment + +commit 24cd70a014b221b25669755b955bc114fe083643 +Author: Patrick Schleizer +Date: Wed Jul 17 10:55:12 2024 -0400 + + spelling + +commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 +Author: Patrick Schleizer +Date: Wed Jul 17 10:49:21 2024 -0400 + + spelling + +commit 821a416fe39e11ca030c63f25a5220772d80eae5 +Author: Patrick Schleizer +Date: Wed Jul 17 10:43:16 2024 -0400 + + spelling + +commit 9a387f95e9346030e2adc3252a45942949561b52 +Merge: fd41acd 4afe257 +Author: Patrick Schleizer +Date: Wed Jul 17 10:32:26 2024 -0400 + + Merge remote-tracking branch 'raja/miscellaneous' + +commit fd41acdc721a6463813bc347cb965b6211fb9447 +Merge: 0da22c2 1087387 +Author: Patrick Schleizer +Date: Wed Jul 17 10:27:31 2024 -0400 + + Merge remote-tracking branch 'raja/fack_off' + +commit 4afe257a42576158a54a68948440a2b4c043b67c +Author: Raja Grewal +Date: Thu Jul 18 00:14:13 2024 +1000 + + minor + +commit d0a59617f6b8a90fd5c758699e910af9d7496c98 +Author: Raja Grewal +Date: Thu Jul 18 00:13:30 2024 +1000 + + Add missing Copyright (C) statements + +commit 8f3896c3dac13b604e36d4249f976598f271a215 +Author: Raja Grewal +Date: Wed Jul 17 23:44:37 2024 +1000 + + Upgrade hyperlinks to HTTPS + +commit 
1087387b362d5598e44262db07ab0fff9118b064 +Author: Raja Grewal +Date: Wed Jul 17 23:35:25 2024 +1000 + + Remove obsolete `#net.ipv4.tcp_fack=0` + +commit 0da22c20316c8f0f574e0127926506e52ccbc269 +Author: Patrick Schleizer +Date: Wed Jul 17 09:07:31 2024 -0400 + + minor + +commit c336b266f61528cce27e1cafac6377370927a787 +Merge: afe3c25 df80385 +Author: Patrick Schleizer +Date: Wed Jul 17 09:06:44 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit df80385289717fee0266436d056c9aedd0fb06af +Merge: afe3c25 724435e +Author: Patrick Schleizer +Date: Wed Jul 17 09:04:18 2024 -0400 + + Merge pull request #237 from raja-grewal/intel_pmt + + Disable some Intel PMT kernel modules + +commit afe3c25a49940f7f322414c08e8dbd631e696215 +Author: Patrick Schleizer +Date: Wed Jul 17 08:58:00 2024 -0400 + + update readme + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 +Author: Patrick Schleizer +Date: Wed Jul 17 08:57:35 2024 -0400 + + minor + +commit 6157e328f40a7f3780208489b1ffecef8e6d738a +Author: Patrick Schleizer +Date: Wed Jul 17 08:52:11 2024 -0400 + + no longer disable Intel ME related kernel modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit daee8b900b3057235aedc17b1231c3c05599140c +Merge: 954ff1b a4ba6e4 +Author: Patrick Schleizer +Date: Wed Jul 17 08:47:55 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a4ba6e485d94512fdf737b9f66137c3f692c9904 +Merge: 9a75135 abafb19 +Author: Patrick Schleizer +Date: Wed Jul 17 08:46:27 2024 -0400 + + Merge pull request #236 from raja-grewal/intel_me + + Disable more Intel ME kernel modules + +commit 954ff1be41288b5fa2e50d492d92544915f93bb5 +Merge: d29a616 9a75135 +Author: Patrick Schleizer +Date: Wed Jul 17 08:42:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9a75135633ad172f7cbf318e1206865493c28bb4 +Merge: d29a616 a340899 +Author: Patrick Schleizer +Date: 
Wed Jul 17 08:41:43 2024 -0400 + + Merge pull request #238 from raja-grewal/uvcvideo_2 + + Minor additions to `30_security-misc_disable.conf` + +commit d29a616142562492db6c45c299f002100e905828 +Author: Patrick Schleizer +Date: Wed Jul 17 08:39:20 2024 -0400 + + minor + +commit a2802f352fc7021ead0d431c665cc16b2821ae0b +Merge: 0b873b7 81a3715 +Author: Patrick Schleizer +Date: Wed Jul 17 08:38:23 2024 -0400 + + Merge remote-tracking branch 'raja/kargs' + +commit 0b873b765e20b06113d808075fa95c8acbb1e0fc +Author: Patrick Schleizer +Date: Wed Jul 17 08:05:27 2024 -0400 + + minor + +commit 070bb46a08afcd84fb638472c39bd543bad4fb17 +Merge: 6d6e547 25fd532 +Author: Patrick Schleizer +Date: Wed Jul 17 08:02:45 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a +Author: Patrick Schleizer +Date: Wed Jul 17 08:00:24 2024 -0400 + + minor + +commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda +Merge: fe5c840 693b47e +Author: Patrick Schleizer +Date: Wed Jul 17 07:59:35 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 25fd532ce62399d5bb42d844ad32b5128eaf748d +Author: Raja Grewal +Date: Wed Jul 17 21:56:40 2024 +1000 + + Update README.md relating to `sysctl`'s + +commit 39fd125eb0f0c16c8a64933bbd04709287a2686a +Author: Raja Grewal +Date: Wed Jul 17 21:44:44 2024 +1000 + + Provide explanation on the disabling of IPv6 Privacy Extensions + +commit a3408990ab439e6edbf8691cf7d65fb16c0d24df +Author: Raja Grewal +Date: Wed Jul 17 15:03:39 2024 +1000 + + Uncomment disabling of already disabled ATM modules + +commit 693b47e6235528ab7a9032818cce22fd63a4f5ea +Author: Raja Grewal +Date: Wed Jul 17 14:58:30 2024 +1000 + + Clarify ICMP redirect acceptance and sending + +commit 81a3715c7c0b73796a62297ebe55e861a46f7686 +Author: Raja Grewal +Date: Wed Jul 17 13:32:08 2024 +1000 + + Add info regarding the downsides of disabling SMT + +commit abafb1945cace774429fefd0c1a037fb2ec3f774 +Author: Raja Grewal +Date: Wed Jul 17 13:26:03 
2024 +1000 + + Add Intel ME references + +commit f317aaebab126bafe3cfaef8159bf0820c392c87 +Author: Raja Grewal +Date: Wed Jul 17 01:09:02 2024 +1000 + + Disable two network modules + These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. + +commit d69fe88091c7212a9af86306c797aed40398584b +Author: Raja Grewal +Date: Wed Jul 17 01:08:01 2024 +1000 + + Provide option to disable `uvcvideo` driver + +commit 49594ccb223c09d70f00434e5875c9dae1a2360d +Author: Raja Grewal +Date: Wed Jul 17 00:49:25 2024 +1000 + + Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 + +commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 +Author: Raja Grewal +Date: Wed Jul 17 00:36:18 2024 +1000 + + Uncomment redundant disabling of TCP FACK` + +commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 +Author: Raja Grewal +Date: Wed Jul 17 00:31:23 2024 +1000 + + Apply changes from code review + +commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c +Author: Patrick Schleizer +Date: Mon Jul 15 21:18:55 2024 +0000 + + bumped changelog version + commit 6e63fc8985b97902dbae2553ded51950168dc222 Merge: fe0846c b7796a5 Author: Patrick Schleizer 
@@ -28,6 +308,30 @@ Date: Mon Jul 15 12:28:03 2024 -0400 Merge remote-tracking branch 'raja/kernel_modules' +commit 73f6d4b26f51f0c920fe020677f464c536d75410 +Author: Raja Grewal +Date: Tue Jul 16 01:03:41 2024 +1000 + + Fix transcription error + +commit 724435e56ea059183241044a4fc09423187533eb +Author: Raja Grewal +Date: Mon Jul 15 22:38:43 2024 +1000 + + Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules + +commit 61941da37509a4bb809212536b79f461a209f584 +Author: Raja Grewal +Date: Mon Jul 15 22:38:09 2024 +1000 + + Create `disabled-intelpmt-by-security-misc` + +commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 +Author: Raja Grewal +Date: Mon Jul 15 22:21:20 2024 +1000 + + Disable more Intel Management Engine (ME) modules + commit 9300c208e25d936f2c633a0904126566afc1c275 Author: Raja Grewal Date: Mon Jul 15 21:36:25 2024 +1000 @@ -40,6 +344,12 @@ Date: Mon Jul 15 21:18:32 2024 +1000 Fix script +commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d +Author: Raja Grewal +Date: Mon Jul 15 21:13:25 2024 +1000 + + Fix error + commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c Author: Raja Grewal Date: Mon Jul 15 21:10:13 2024 +1000 
@@ -113,6 +423,102 @@ Date: Mon Jul 15 20:46:04 2024 +1000 Update `security-misc.maintscript` Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. +commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a +Author: Raja Grewal +Date: Mon Jul 15 15:05:00 2024 +1000 + + Improve docs + +commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 +Author: Raja Grewal +Date: Mon Jul 15 15:01:48 2024 +1000 + + Update presentation of the `kernel.printk` sysctl + +commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 +Author: Raja Grewal +Date: Mon Jul 15 14:57:40 2024 +1000 + + Clarify instructions for increasing log verbosity + +commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 +Author: Raja Grewal +Date: Mon Jul 15 14:50:29 2024 +1000 + + Fix link + +commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 +Author: Raja Grewal +Date: Mon Jul 15 14:40:03 2024 +1000 + + Update `security-misc.maintscript` relating to grub + +commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 +Author: Raja Grewal +Date: Mon Jul 15 14:39:12 2024 +1000 + + Update presentation of `quiet loglevel=0` + +commit 69c8e849270393537d3e024137bc20a42c848333 +Author: Raja Grewal +Date: Mon Jul 15 14:38:21 2024 +1000 + + Fix typos + +commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 +Author: Raja Grewal +Date: Mon Jul 15 02:04:25 2024 +1000 + + Remove the optional `slub_debug` parameter since it is no longer recommended + +commit 99038c7a0621f5c9852638c1706c5306b42e6480 +Author: Raja Grewal +Date: Mon Jul 15 02:02:01 2024 +1000 + + Add option to disable support for x86 processes and syscalls in the future + +commit f550fbe07cafb75112e98268730d1bcc511489e2 +Author: Raja Grewal +Date: Mon Jul 15 01:59:04 2024 +1000 + + Add option to disable the entire IPv6 stack functionality + +commit a33d4cd099b8cbf569ff35627eeacf3562a4371e +Author: Raja Grewal +Date: Mon Jul 15 01:56:25 2024 +1000 + + Refactor existing kernel parameters for clarity + +commit 
acd60e45d8cbc98ea935c9bf035f2840622ab58d +Author: Raja Grewal +Date: Sun Jul 14 20:07:31 2024 +1000 + + Add comment about enabling core dump files + +commit 5cf9afc21563712b851850e2041141807503807c +Author: Raja Grewal +Date: Sun Jul 14 17:05:49 2024 +1000 + + Include optional `sysctl`'s in README.md + +commit 2b9e174c9db69f2c30828aae236c631d46255e07 +Author: Raja Grewal +Date: Sun Jul 14 16:22:52 2024 +1000 + + Remove empty lines + +commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a +Author: Raja Grewal +Date: Sun Jul 14 13:40:53 2024 +1000 + + Some documentation additions and fixes + +commit 565597c9a282b08697d04204f5eb9c22153e77bd +Author: Raja Grewal +Date: Sun Jul 14 01:21:24 2024 +1000 + + Minor documentation changes and fixes + commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 Author: Patrick Schleizer Date: Sat Jul 13 15:01:16 2024 +0000 @@ -144,6 +550,12 @@ Date: Sat Jul 13 23:29:52 2024 +1000 Update modprobe presentation +commit 2de3a795990234134be15be90aa55f547c064d92 +Author: Raja Grewal +Date: Sat Jul 13 22:41:40 2024 +1000 + + Refactor existing sysctl for clarity + commit f34b9d7c45cd723535eedd3df99896ee7f852388 Merge: 05c1711 5f10cc8 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index ce06bfd..574f110 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 + security-misc (3:37.8-1) unstable; urgency=medium * New upstream version (local package). From 05cf438199ca75f96cf8e67131f4a409b465e7e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 10:11:03 -0400 Subject: [PATCH 1260/1650] no comments / copyright allowed in .displace-extension --- debian/security-misc.displace-extension | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/security-misc.displace-extension b/debian/security-misc.displace-extension index 2959324..6ecb033 100644 
--- a/debian/security-misc.displace-extension +++ b/debian/security-misc.displace-extension @@ -1,4 +1 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - .security-misc From 61628c2baf58ca2859bc5fc99782985ef0822750 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:11:35 +0000 Subject: [PATCH 1261/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c7b5c05..cd694ee 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 +Author: Patrick Schleizer +Date: Thu Jul 18 10:11:03 2024 -0400 + + no comments / copyright allowed in .displace-extension + +commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 +Author: Patrick Schleizer +Date: Thu Jul 18 14:05:23 2024 +0000 + + bumped changelog version + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 574f110..934d9fb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 + security-misc (3:37.9-1) unstable; urgency=medium * New upstream version (local package). From 21efacf1b111d9599e72cef23b791cf4961c04c3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:00:28 -0400 Subject: [PATCH 1262/1650] cleanup duplicate comments which are already in `/etc/dkms/framework.conf` --- .../framework.conf.d/30_security-misc.conf | 42 ------------------- 1 file changed, 42 deletions(-) diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf index 095e050..bd0f84e 100644 
--- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -1,48 +1,6 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## This configuration file modifies the behavior of -## DKMS (Dynamic Kernel Module Support) and is sourced -## in by DKMS every time it is run. - -## Source Tree Location (default: /usr/src) -# source_tree="/usr/src" - -## DKMS Tree Location (default: /var/lib/dkms) -# dkms_tree="/var/lib/dkms" - -## Install Tree Location (default: /lib/modules) -# install_tree="/lib/modules" - -## tmp Location (default: /tmp) -# tmp_location="/tmp" - -## verbosity setting (verbose will be active if you set it to a non-null value) -# verbose="" - -## symlink kernel modules (will be active if you set it to a non-null value) -## This creates symlinks from the install_tree into the dkms_tree instead of -## copying the modules. This preserves some space on the costs of being less -## safe. -# symlink_modules="" - -## Automatic installation and upgrade for all installed kernels (if set to a -## non-null value) -# autoinstall_all_kernels="" - -## Script to sign modules during build, script is called with kernel version -## and module name -# sign_tool="/etc/dkms/sign_helper.sh" - -### BEGIN modifications by package security-misc ### - -## original: -## https://github.com/dell/dkms/blob/master/dkms_framework.conf - -## DKMS feature request: -## add /etc/dkms/framework.conf.d configuration file drop-in folder -## https://github.com/dell/dkms/issues/116 - ## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing ## of virtual machines. ## From a5eed00eba76f83c310f62d000830f38b0e87d21 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:02:38 -0400 Subject: [PATCH 1263/1650] cleanup comments --- etc/dkms/framework.conf.d/30_security-misc.conf | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) 
diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf index bd0f84e..dda1ce7 100644 --- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -1,13 +1,9 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing -## of virtual machines. -## -## This does not necessarily belong into security-misc, however likely -## security-misc will need to modify /etc/dkms/framework.conf in the future to -## enable kernel module signing. See below. -## +## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. +## This does not necessarily belong into security-misc. +## Example here: ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 ENOUGH_RAM="1950" total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" @@ -17,9 +13,3 @@ else true "INFO: Not enough RAM available. Lowering compilation cores to 1." parallel_jobs=1 fi - -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 -## https://github.com/dell/dkms/blob/master/sign_helper.sh -#sign_tool="/etc/dkms/sign_helper.sh" - -### END modifications by package security-misc ### From cac5bbad99a9c083c5b5f85f07c7368287c64f72 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:04:00 -0400 Subject: [PATCH 1264/1650] comment --- etc/dkms/framework.conf.d/30_security-misc.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf index dda1ce7..abf9a78 100644 --- a/etc/dkms/framework.conf.d/30_security-misc.conf 
+++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -3,8 +3,13 @@ ## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. ## This does not necessarily belong into security-misc. +## ## Example here: ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 +## +## This might no longer be possible in the future. See: +## "Stop handling dkms.conf as a bash/shell script" +## https://github.com/dell/dkms/issues/414 ENOUGH_RAM="1950" total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then From 2d11436432d3b2b75f84b05550de06cd77ec6e79 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 18:05:07 +0000 Subject: [PATCH 1265/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd694ee..8ba26aa 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 +Author: Patrick Schleizer +Date: Thu Jul 18 14:04:00 2024 -0400 + + comment + +commit a5eed00eba76f83c310f62d000830f38b0e87d21 +Author: Patrick Schleizer +Date: Thu Jul 18 14:02:38 2024 -0400 + + cleanup comments + +commit 21efacf1b111d9599e72cef23b791cf4961c04c3 +Author: Patrick Schleizer +Date: Thu Jul 18 14:00:28 2024 -0400 + + cleanup duplicate comments which are already in `/etc/dkms/framework.conf` + +commit 61628c2baf58ca2859bc5fc99782985ef0822750 +Author: Patrick Schleizer +Date: Thu Jul 18 14:11:35 2024 +0000 + + bumped changelog version + commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 Author: Patrick Schleizer Date: Thu Jul 18 10:11:03 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 934d9fb..d5334b1 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:38.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 + security-misc (3:38.0-1) unstable; urgency=medium * New upstream version (local package). From 06894d1c98e91f43af58cc438559ea76b6a361e3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 19 Jul 2024 18:30:42 +1000 Subject: [PATCH 1266/1650] Typo --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 13ccac6..2bc07b5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -5,7 +5,7 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## This configuration file is split into 3 sections: +## This configuration file is split into 4 sections: ## 1. Kernel Space ## 2. Direct Memory Access ## 3. Entropy From 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 19 Jul 2024 07:20:59 -0400 Subject: [PATCH 1267/1650] undo io_uring related changes as these should be done in a separate pull request (if apprpriate) https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 --- README.md | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 29654c4..5e029c8 100644 --- a/README.md +++ b/README.md 
@@ -43,7 +43,7 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Provide the option to disable asynchronous I/O as `io_uring` has been the source +- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e302047..7b07033 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -128,7 +128,7 @@ kernel.randomize_va_space=2 ## ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## -#kernel.io_uring_disabled=2 +kernel.io_uring_disabled=2 ## 2. User Space: ## From c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 20 Jul 2024 14:55:10 +1000 Subject: [PATCH 1268/1650] Disable legacy framebuffer drivers These were all previously blacklisted for over 2 years. --- README.md | 6 ++-- .../30_security-misc_blacklist.conf | 33 ----------------- etc/modprobe.d/30_security-misc_disable.conf | 35 +++++++++++++++++++ usr/bin/disabled-framebuffer-by-security-misc | 10 ++++++ 4 files changed, 48 insertions(+), 36 deletions(-) create mode 100755 usr/bin/disabled-framebuffer-by-security-misc diff --git a/README.md b/README.md index 5e029c8..3a9c552 100644 --- a/README.md +++ b/README.md @@ -190,9 +190,6 @@ modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - Miscellaneous: Blacklist an assortment of other modules to prevent them from automatically loading. 
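Review bot: Re-enabling `+kernel.io_uring_disabled=2` unconditionally conflicts with the comment two lines above it, which says the key only exists on Linux >= 6.6; on an older kernel the key is absent and both `systemd-sysctl` and `sysctl --system` will report a failure for this line at every boot. Both tools accept a leading `-` on a setting whose failure to apply should be tolerated, so `-kernel.io_uring_disabled=2` keeps the hardening on new kernels without turning the old-kernel case into a logged error. The README hunk in the same commit drops the "option" wording, so the "(when using Linux kernel version >= 6.6)" qualifier there is now the only hint that this may silently not apply.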
@@ -210,6 +207,9 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +- Framebuffer Drivers: Disabled as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index c35af0b..4f1b1be 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -21,39 +21,6 @@ blacklist sr_mod #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc -## Framebuffer Drivers: -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - ## Miscellaneous: ## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..7ce6190 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -70,6 +70,41 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
+## Framebuffer Drivers:
+## Known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb 
/usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc
new file mode 100755
index 0000000..301f869
--- /dev/null
+++ b/usr/bin/disabled-framebuffer-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+
+exit 1
From 3c720a0715191c858e8d1df9795dddfea5dbdcf1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 20 Jul 2024 15:03:21 +1000
Subject: [PATCH 1269/1650] Disable some legacy drivers
These were all previously blacklisted for over 2 years.
---
 README.md | 3 ++-
 etc/modprobe.d/30_security-misc_blacklist.conf | 6 +-----
 etc/modprobe.d/30_security-misc_disable.conf | 11 +++++++++++
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 3a9c552..331a5ce 100644
--- a/README.md
+++ b/README.md
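Review bot: `matroxfb_bases` on the new `install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc` line does not look like a module that exists; the in-tree Matrox framebuffer driver is built as `matroxfb_base`, so this entry presumably never matches and the Matrox driver stays loadable. The spelling was carried over from the removed blacklist line and from the Ubuntu file cited in the comment, so it is worth confirming with `modinfo matroxfb_base` on a target kernel before relying on it. That matters more after this commit than before: `blacklist` only stops automatic loading, while `install` is meant to fail an explicit `modprobe` too, and a misspelled name silently gives neither. If confirmed, the fix is the one-line change `install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc`. This hunk starts in the preceding line of the page.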
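Review bot: `$@` inside the double-quoted string on the `+echo "$0: ERROR: ... | args: $@" >&2` line expands to separate words (ShellCheck SC2145); `echo` rejoins them with spaces so the output is unchanged here, but the conventional form inside a string is `$*`, which is what a later reader will expect. The header comment `+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.` is also inaccurate for this file: the module is rejected by an `install` override, which (unlike `blacklist`) also fails an explicit `modprobe`, so `## Alerts the user that a kernel module failed to load because security-misc disables it via an install override by default.` describes what actually happened. The follow-up "Typo" commit on this page touches one line in each of the twelve `disabled-*-by-security-misc` scripts, so whichever wording is chosen should be applied to all of them together.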
@@ -226,7 +226,8 @@ disabling should first be blacklisted for a suitable amount of time. are disabled. - Miscellaneous: Disable an assortment of other modules such as those required - for amateur radio, floppy disks, and vivid. + for amateur radio, floppy disks, and vivid. Also disable legacy drivers that + have been entirely replaced by newer drivers. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 4f1b1be..2ef0d1a 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -26,14 +26,10 @@ blacklist sr_mod ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## -blacklist ath_pci blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx +blacklist ath_pci blacklist evbug -blacklist de4x5 blacklist pcspkr -blacklist prism54 blacklist snd_aw2 blacklist snd_intel8x0m blacklist snd_pcsp diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 7ce6190..c78ba2a 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -256,6 +256,17 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## +## Replaced: +## These legacy drivers have all been entirely replaced and superseded by newer drivers. +## These were all previously blacklisted. +## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## +install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc +install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc +install prism54 /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## From a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 20 Jul 2024 20:11:09 +1000 Subject: [PATCH 1270/1650] Typo --- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-framebuffer-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-intelpmt-by-security-misc | 2 +- usr/bin/disabled-miscellaneous-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 3669fc1..5b6992d 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 4a7b141..2bb8e4c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index 6c7dd5a..fad544b 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index 2abc6bc..a7de567 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index 301f869..dc0c9b8 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index d43626e..1122adc 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 0913fcf..6eca99b 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 44f04bc..3e9139a 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index 2c23909..c75dc6e 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index bbb57a8..60c0c22 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index 8035522..4b35716 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index dbe89ec..03cf804 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 
From f0a478c7c91697988926a73d3a1880dd8caaca68 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 20 Jul 2024 12:57:56 -0400 Subject: [PATCH 1271/1650] permission hardener: allow postfix postqueue matchwhitelist postdrop matchwhitelist --- .../25_default_whitelist_postfix.conf | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/permission-hardener.d/25_default_whitelist_postfix.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_postfix.conf b/etc/permission-hardener.d/25_default_whitelist_postfix.conf new file mode 100644 index 0000000..d15b564 --- /dev/null +++ b/etc/permission-hardener.d/25_default_whitelist_postfix.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +postqueue matchwhitelist +postdrop matchwhitelist From 04fb00572f2e4c9bdfaaa0f6da8007999daab641 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 20 Jul 2024 17:02:05 +0000 Subject: [PATCH 1272/1650] bumped changelog version --- changelog.upstream | 62 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 68 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8ba26aa..6e8633a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
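Review bot: `postqueue matchwhitelist` and `postdrop matchwhitelist` are substring matches rather than path matches — the match loop in permission-hardener (visible later in this series) runs `grep --quiet --fixed-strings` on the full path, so any setuid/setgid file whose path merely contains `postqueue` or `postdrop` anywhere is exempted from hardening, not only the two postfix helpers. If the intent is to exempt exactly those binaries, `exactwhitelist` with their full installed paths is tighter, e.g. `/usr/sbin/postqueue exactwhitelist` (on Debian both live under /usr/sbin; confirm for the target distribution). A one-line comment stating why postfix needs its setgid bits kept (presumably the setgid postdrop group used for queue submission) would let future readers judge whether the exemption is still required.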
@@ -1,3 +1,41 @@ +commit f0a478c7c91697988926a73d3a1880dd8caaca68 +Author: Patrick Schleizer +Date: Sat Jul 20 12:57:56 2024 -0400 + + permission hardener: allow postfix + + postqueue matchwhitelist + postdrop matchwhitelist + +commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe +Author: Patrick Schleizer +Date: Fri Jul 19 07:20:59 2024 -0400 + + undo io_uring related changes + + as these should be done in a separate pull request (if apprpriate) + + https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 + +commit 8791aecb38a41aa0b0c108505726bc6a1ace903e +Merge: 2d11436 06894d1 +Author: Patrick Schleizer +Date: Fri Jul 19 07:19:09 2024 -0400 + + Merge remote-tracking branch 'raja/fixes' + +commit 06894d1c98e91f43af58cc438559ea76b6a361e3 +Author: Raja Grewal +Date: Fri Jul 19 18:30:42 2024 +1000 + + Typo + +commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 +Author: Patrick Schleizer +Date: Thu Jul 18 18:05:07 2024 +0000 + + bumped changelog version + commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 Author: Patrick Schleizer Date: Thu Jul 18 14:04:00 2024 -0400 @@ -34,6 +72,30 @@ Date: Thu Jul 18 14:05:23 2024 +0000 bumped changelog version +commit 95286df50274953326accb615487e21d409b652a +Author: Raja Grewal +Date: Thu Jul 18 15:28:31 2024 +1000 + + Update README.md regarding secure ICMP redirects + +commit 13cc1f0986033855a399b50442a86a8d8552eb96 +Author: Raja Grewal +Date: Thu Jul 18 12:25:00 2024 +1000 + + Clarify (future) disabling of `io_uring` + +commit 9e6facda7017498e8310a9c39403e95e81c5a903 +Author: Raja Grewal +Date: Thu Jul 18 12:21:37 2024 +1000 + + Update module disabling presentation + +commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 +Author: Raja Grewal +Date: Thu Jul 18 12:19:27 2024 +1000 + + Typos + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index d5334b1..b6b4ff3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:38.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 + security-misc (3:38.1-1) unstable; urgency=medium * New upstream version (local package). From 64f8b2eb5870664fca06aa060f2f50af358ced55 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 21 Jul 2024 06:36:22 -0400 Subject: [PATCH 1273/1650] Revert "no longer disable Intel ME related kernel modules" This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..b6cfcbe 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -92,18 +92,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## https://github.com/Kicksecure/security-misc/issues/239 ## -#install mei /usr/bin/disabled-intelme-by-security-misc -#install mei-gsc /usr/bin/disabled-intelme-by-security-misc -#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -#install mei-me /usr/bin/disabled-intelme-by-security-misc -#install mei_phy /usr/bin/disabled-intelme-by-security-misc -#install mei_pxp /usr/bin/disabled-intelme-by-security-misc -#install mei-txe /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -#install mei_wdt /usr/bin/disabled-intelme-by-security-misc -#install microread_mei /usr/bin/disabled-intelme-by-security-misc +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-gsc /usr/bin/disabled-intelme-by-security-misc +install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc +install mei_phy /usr/bin/disabled-intelme-by-security-misc +install mei_pxp /usr/bin/disabled-intelme-by-security-misc +install mei-txe /usr/bin/disabled-intelme-by-security-misc +install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +install mei_wdt /usr/bin/disabled-intelme-by-security-misc +install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Intel Platform Monitoring Technology Telemetry (PMT): ## Disable some functionality of the Intel PMT components. From d2563ed92317a029340dbb83f30da008b01325f2 Mon Sep 17 00:00:00 2001 
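Review bot: the explanatory comment block above the re-enabled `install mei ...` lines is only partly visible here (the links to pull 236 and issue 239 are context), and it was presumably written when the rules were commented out; after this revert it should be re-read so that it explains why the modules are disabled again rather than why they were not. Something like `## Disabled again; see the wiki page on Intel ME kernel modules and issue 239 for the rationale.` directly above the list would keep the file self-explanatory without following the links. The start of that comment block lies outside the hunk.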
From: Patrick Schleizer Date: Sun, 21 Jul 2024 10:40:14 +0000 Subject: [PATCH 1274/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6e8633a..32ec008 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 64f8b2eb5870664fca06aa060f2f50af358ced55 +Author: Patrick Schleizer +Date: Sun Jul 21 06:36:22 2024 -0400 + + Revert "no longer disable Intel ME related kernel modules" + + This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. + + https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 +Author: Patrick Schleizer +Date: Sat Jul 20 17:02:05 2024 +0000 + + bumped changelog version + commit f0a478c7c91697988926a73d3a1880dd8caaca68 Author: Patrick Schleizer Date: Sat Jul 20 12:57:56 2024 -0400 diff --git a/debian/changelog b/debian/changelog index b6b4ff3..876e60b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 + security-misc (3:38.2-1) unstable; urgency=medium * New upstream version (local package). From d6fc71dba78a9c871015ebdde3bef61943369b47 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 22 Jul 2024 17:26:00 +1000 Subject: [PATCH 1275/1650] Add option to switch (back) to using kCFI in the future --- README.md | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/README.md b/README.md index 5e029c8..7bac0c4 100644 --- a/README.md +++ b/README.md 
@@ -137,6 +137,10 @@ configuration file. - Provide the option to modify machine check exception handler. +- Provide the option to use kCFI as the default CFI implementation as it may be + slightly more resilient to attacks that can construct arbitrary executable + memory contents (when using Linux kernel version >= 6.5). + - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 2bc07b5..ef9ed1f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. +## As of Linux kernel 6.2, FineIBT has been the default implementation. +## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. +## FineIBT may result in performance benefits as it only performs checking at destinations. +## FineIBT is weaker against attacks that can construct arbitrary executable memory contents. +## Choice of this parameter is dependant on user threat model as there are pros/cons to both. +## +## https://docs.kernel.org/next/x86/shstk.html +## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u +## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ +## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://source.android.com/docs/security/test/kcfi +## +## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness). +## +#cfi=kcfi + ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## From 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Mon, 22 Jul 2024 16:01:14 +0200 Subject: [PATCH 1276/1650] Delimit file names with null terminator --- usr/bin/permission-hardener | 55 ++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 29 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1d4c868..026e290 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
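Review bot: `#cfi=kcfi` does not follow the pattern every other optional parameter in this file uses (`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"` in the context two lines above); a user who uncomments it gets a plain shell assignment `cfi=kcfi` inside the grub.d snippet, which sets a shell variable and never reaches the kernel command line. It should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"`. Two wording slips in the new comment: `if there support by the CPU` should be `if supported by the CPU`, and `dependant` should be `dependent`.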
@@ -65,18 +65,18 @@ add_nosuid_statoverride_entry() { counter_actual=0 local dummy_line - while read -r dummy_line; do + while IFS="" read -r -d "" dummy_line; do true "DEBUG: test would evaluate parse" "${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line - while read -r line; do + while IFS="" read -r -d "" line; do true "line: ${line}" counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group - IFS=" " read -r -a arr <<< "${line}" + read -r -a arr <<< "${line}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" @@ -153,7 +153,7 @@ add_nosuid_statoverride_entry() { local is_exact_whitelisted is_exact_whitelisted="" - for white_list_entry in ${exact_white_list}; do + for white_list_entry in "${exact_white_list[@]:-}"; do if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" ## Stop looping through the whitelist. @@ -163,7 +163,7 @@ add_nosuid_statoverride_entry() { local is_match_whitelisted is_match_whitelisted="" - for matchwhite_list_entry in ${match_white_list}; do + for matchwhite_list_entry in "${match_white_list[@]:-}"; do if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" ## Stop looping through the match_white_list. @@ -173,7 +173,7 @@ add_nosuid_statoverride_entry() { local is_disable_whitelisted is_disable_whitelisted="" - for disablematch_list_entry in ${disable_white_list:-}; do + for disablematch_list_entry in "${disable_white_list[@]:-}"; do if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" ## Stop looping through the disablewhitelist. 
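Review bot: `while IFS="" read -r -d "" dummy_line` (and the same change to the `line` loop a few lines below) now expects NUL-delimited records, but the producer on the unchanged context line, `xargs -I{} -0 stat -c "%n %a %U %G" {}`, prints newline-terminated lines — `-print0` only changes what find hands to xargs, not what stat emits. With no NUL in the stream, `read -d ""` reads to EOF and returns non-zero, so the loop body never executes, `should_be_counter` and `counter_actual` both stay 0, the sanity test at the end of the function passes and no SUID/SGID file is recorded or hardened. If NUL delimiting is the goal, the producer has to emit it too, e.g. `xargs -I{} -0 stat --printf="%n %a %U %G\0" {}` on the `done < <(...)` line of both loops (the second loop's producer is outside this hunk, so verify it there). The `spare()` hunk two lines further down switches its reader the same way; unless its producer, also unseen here, emits NULs it fails identically.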
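Review bot: `"${match_white_list[@]:-}"` expands to a single empty string when the array is empty, and the loop body then runs `grep --quiet --fixed-strings ""`, which matches every input — so with no matchwhitelist entries configured every file becomes `is_match_whitelisted="true"`; the `disable_white_list` loop in the following hunk has the identical problem, and an empty disablewhitelist (likely the default) makes every file count as disable-whitelisted. The `:-` guard is presumably there for `set -u` (not visible here); bash 4.4 and later no longer error on `"${arr[@]}"` for an empty array, so plain `"${match_white_list[@]}"` works, or put `test -z "${matchwhite_list_entry}" && continue` as the first statement of each loop. The exactwhitelist loop is harmless because `test "${file_name}" = ""` cannot match a real path.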
@@ -234,10 +234,9 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: fso_to_process: '${fso_to_process}' | counter_actual : '${counter_actual}'" - echo "INFO: fso_to_process: '${fso_to_process}' | should_be_counter: '${should_be_counter}'" + echo "INFO: file system object (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + echo "ERROR: expected number of files to be parsed was not met." >&2 exit_code=202 - echo "ERROR: counter does not check out." >&2 fi } @@ -249,7 +248,7 @@ set_file_perms() { continue fi - if [[ "${line}" =~ ^# ]]; then + if [[ "${line}" =~ ^\s*# ]]; then continue fi @@ -291,23 +290,21 @@ set_file_perms() { local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" - if test "${mode_from_config}" = "disablewhitelist"; then - ## TODO: test/add white spaces inside file name support - disable_white_list+="${fso} " - continue - fi - - if test "${mode_from_config}" = "exactwhitelist"; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="${fso} " - continue - fi - - if test "${mode_from_config}" = "matchwhitelist"; then - ## TODO: test/add white spaces inside file name support - match_white_list+="${fso} " - continue - fi + ## TODO: test/add white spaces inside file name support + case "${mode_from_config}" in + disablewhitelist) + disable_white_list+=("${fso}") + continue + ;; + exactwhitelist) + exact_white_list+=("${fso}") + continue + ;; + matchwhitelist) + match_white_list+=("${fso}") + continue + ;; + esac if test ! -e "${fso}"; then true "INFO: fso: '${fso}' - does not exist. This is likely normal." @@ -358,7 +355,7 @@ set_file_perms() { fi local arr file_name existing_mode existing_owner existing_group - IFS=" " read -r -a arr <<< "${stat_output}" + read -r -a arr <<< "${stat_output}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" 
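Review bot: the `INFO: file system object (parsed/wanted)` line goes to stdout while the `ERROR:` line right after it goes to stderr, so anyone capturing only stderr (the natural place to look when the script reports exit_code 202) sees the failure without the counts that explain it. Sending both to stderr, `echo "INFO: file system object (parsed/wanted): ..." >&2`, keeps the diagnostic together; alternatively fold the two numbers into the error message itself. The enclosing function add_nosuid_statoverride_entry starts outside this hunk.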
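Review bot: `[[ "${line}" =~ ^\s*# ]]` relies on `\s` inside an ERE, which glibc accepts but POSIX does not define; `^[[:space:]]*#` expresses the same comment-skip portably and is what shellcheck suggests. The enclosing set_file_perms loop starts outside the hunk.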
@@ -548,7 +545,7 @@ spare() { fi local line - while read -r line; do + while IFS="" read -r -d "" line; do ## example line: ## root root 4755 /usr/lib/eject/dmcrypt-get-device From 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Mon, 22 Jul 2024 17:06:07 +0200 Subject: [PATCH 1277/1650] Unify functions that evaluate commands --- usr/bin/permission-hardener | 58 +++++++++++++++---------------------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 026e290..1011372 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -14,33 +14,23 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" echo_wrapper_ignore() { - echo "INFO: run: $*" - "$@" 2>/dev/null || true -} - -echo_wrapper_silent_ignore() { - #echo "INFO: run: $@" + if test "${1}" = "verbose"; then + echo "INFO: run: $*" + fi + shift "$@" 2>/dev/null || true } echo_wrapper_audit() { - echo "INFO: run: $*" + if test "${1}" = "verbose"; then + echo "INFO: run: $*" + fi + shift return_code=0 "$@" || { return_code="$?" exit_code=203 - echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -echo_wrapper_silent_audit() { - #echo "run (debugging): $@" - return_code=0 - "$@" || - { - return_code="$?" - exit_code=204 echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -52,7 +42,7 @@ make_store_dir(){ } sanity_tests() { - echo_wrapper_silent_audit which \ + echo_wrapper_audit silent which \ capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } 
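Review bot: both wrappers `shift` their first argument unconditionally after only testing it against `verbose`, so a call site that passes anything else as the selector (a typo, or an old-style call with no selector such as `echo_wrapper_audit dpkg-statoverride ...`) silently drops the command name and runs the remaining arguments as the command — and for echo_wrapper_ignore that failure is then hidden by `2>/dev/null || true`. Rejecting unknown selectors makes the call-site migration in this commit fail loudly instead, e.g. `case "${1}" in verbose|silent) ;; *) echo "ERROR: unknown verbosity '${1}'" >&2; exit_code=203; return 1 ;; esac` before the `shift`. In the silent path of echo_wrapper_audit nothing is printed before the error, so the wording `above command '$*' failed` no longer matches; since the message already carries `$*`, `above` can simply be dropped.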
@@ -205,7 +195,7 @@ add_nosuid_statoverride_entry() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" fi ## No need to check "dpkg-statoverride --list" for existing entries. @@ -214,18 +204,18 @@ add_nosuid_statoverride_entry() { ## and re-add. ## Remove from real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}" + echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" ## Remove from separate database. # shellcheck disable=SC2086 - echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" ## Not using --update as this is only for recording. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
@@ -414,20 +404,20 @@ set_file_perms() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" fi # shellcheck disable=SC2086 - echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" ## Remove from and add to real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" ## Save in separate database. ## Not using --update as this is only for saving. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else true "There is no fso entry. Therefore add one." 
@@ -439,16 +429,16 @@ set_file_perms() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" fi ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" ## Save in separate database. ## Not using --update as this is only for saving. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi fi if test -z "${capability_from_config}"; then @@ -462,7 +452,7 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore setcap -r "${fso}" + echo_wrapper_ignore verbose setcap -r "${fso}" getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 
@@ -477,7 +467,7 @@ set_file_perms() { ## feature request: dpkg-statoverride: support for capabilities ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}" + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi done <"${config_file}" true "INFO: END parsing config_file: '${config_file}'" From fb494c2ba5b7fd0f864a59896710d9cddf92b458 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 23 Jul 2024 13:12:13 +1000 Subject: [PATCH 1278/1650] Update docs relating to the `cfi=kcfi` kernel parameter --- README.md | 6 +++--- etc/default/grub.d/40_kernel_hardening.cfg | 15 ++++++++++----- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7bac0c4..71ae57c 100644 --- a/README.md +++ b/README.md @@ -137,9 +137,9 @@ configuration file. - Provide the option to modify machine check exception handler. -- Provide the option to use kCFI as the default CFI implementation as it may be - slightly more resilient to attacks that can construct arbitrary executable - memory contents (when using Linux kernel version >= 6.5). +- Provide the option to use kCFI as the default CFI implementation since it may be + slightly more resilient to attacks that are able to write arbitrary executables + in memory (when using Linux kernel version >= 6.2). - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ef9ed1f..5709f52 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -114,20 +114,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## As of Linux kernel 6.2, FineIBT has been the default implementation. -## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in performance benefits as it only performs checking at destinations. -## FineIBT is weaker against attacks that can construct arbitrary executable memory contents. -## Choice of this parameter is dependant on user threat model as there are pros/cons to both. +## FineIBT is weaker against attacks that can write arbitrary executable in memory. +## Upstream hardening has given users the ability to disable FineIBT based on requests. +## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both. +## Do not modify this parameter if unsure of implications. ## -## https://docs.kernel.org/next/x86/shstk.html +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://docs.kernel.org/next/x86/shstk.html ## https://source.android.com/docs/security/test/kcfi +## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## -## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness). +## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## #cfi=kcfi 
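Review bot: The rewritten comment line `## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.` keeps the grammar slip it was touching; `## The Intel-developed IBT (Indirect Branch Tracking) is only used if the CPU supports it.` reads cleanly. The replaced line `## FineIBT is weaker against attacks that can write arbitrary executable in memory.` is likewise missing a noun and differs from the README wording added in the same commit; `## FineIBT is weaker against attacks that are able to write arbitrary executables in memory.` keeps the two in step. The new line `## Upstream hardening has given users the ability to disable FineIBT based on requests.` does not say that the `cfi=kcfi` parameter below is that mechanism, which is the one fact a reader of this file needs.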
From 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 23 Jul 2024 09:55:02 +0200 Subject: [PATCH 1279/1650] Prettify log messages --- usr/bin/permission-hardener | 107 +++++++++++++++++------------------- 1 file changed, 49 insertions(+), 58 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1011372..6a78a28 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -31,7 +31,7 @@ echo_wrapper_audit() { { return_code="$?" exit_code=203 - echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + echo "ERROR: command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -56,13 +56,13 @@ add_nosuid_statoverride_entry() { local dummy_line while IFS="" read -r -d "" dummy_line; do - true "DEBUG: test would evaluate parse" "${dummy_line}" + true "DEBUG: test would parse line:" "${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line while IFS="" read -r -d "" line; do - true "line: ${line}" + true "DEBUG: line: ${line}" counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group 
@@ -73,23 +73,23 @@ add_nosuid_statoverride_entry() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: arr is empty. line: '${line}'" >&2 + echo "ERROR: line is empty: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file_name is empty. line: '${line}'" >&2 + echo "ERROR: file name is empty. line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing_mode is empty. line: '${line}'" >&2 + echo "ERROR: existing mode is empty. line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing_owner is empty. line: '${line}'" >&2 + echo "ERROR: existing owner is empty. line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing_group is empty. line: '${line}'" >&2 + echo "ERROR: existing group is empty. line: '${line}'" >&2 continue fi @@ -99,12 +99,12 @@ add_nosuid_statoverride_entry() { if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "skip symlink: ${file_name}" + true "DEBUG: skip symlink: ${file_name}" continue fi if test -d "${file_name}"; then - true "skip directory: ${file_name}" + true "DEBUG: skip directory: ${file_name}" continue fi 
@@ -171,26 +171,27 @@ add_nosuid_statoverride_entry() { fi done + clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then - true "INFO: whitelists_disable_all=true - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + echo "INFO: whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then - true "INFO: white list disabled - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + true "INFO: white list disabled ${clean_output}" else if test "${is_exact_whitelisted}" = "true"; then - true "INFO: SKIP whitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + true "INFO: is_exact_whitelisted=true ${clean_output}" continue fi if test "${is_match_whitelisted}" = "true"; then - true "INFO: SKIP matchwhitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | matchwhite_list_entry: '${matchwhite_list_entry}'" + true "INFO: is_match_whitelisted=true ${clean_output} matchwhite_list_entry: '${matchwhite_list_entry}'" continue fi fi - echo "INFO: ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | new_mode: '${new_mode}'" + echo "INFO: ${clean_output}" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - true "OK Existing mode already saved previously. Not saving again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
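Review bot: The added line `clean_output="setuid=${setuid_output} ..."` assigns a per-file variable without `local`, while the other per-file state in add_nosuid_statoverride_entry (`local arr file_name existing_mode ...`, `local is_exact_whitelisted`, `local is_disable_whitelisted`, visible as context elsewhere on this page) is declared local, so the last processed file's string leaks into the caller's scope; `local clean_output` before the assignment keeps the function consistent. The same applies to `clean_output_prefix` introduced into this function by the later "Log output with defined levels" commit (its @@ -171,27 +187,26 hunk). add_nosuid_statoverride_entry starts and ends outside this hunk.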
@@ -224,14 +225,14 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: file system object (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + echo "INFO: file (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" echo "ERROR: expected number of files to be parsed was not met." >&2 exit_code=202 fi } set_file_perms() { - true "INFO: START parsing config_file: '${config_file}'" + true "INFO: START parsing config file: '${config_file}'" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -243,10 +244,10 @@ set_file_perms() { fi if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." + true "INFO: line contains only white listed characters." else exit_code=200 - echo "ERROR: cannot parse line with invalid character. line: '${line}'" >&2 + echo "ERROR: cannot parse line with invalid character in line: '${line}'" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -254,7 +255,7 @@ set_file_perms() { if test "${line}" = 'whitelists_disable_all=true'; then whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." + echo "INFO: whitelists_disable_all=true" continue fi @@ -262,7 +263,7 @@ set_file_perms() { local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then exit_code=201 - echo "ERROR: cannot parse. line: '${line}'" >&2 + echo "ERROR: cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true 
@@ -297,7 +298,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - true "INFO: fso: '${fso}' - does not exist. This is likely normal." + true "INFO: file does not exist: '${fso}'" continue fi @@ -311,21 +312,21 @@ set_file_perms() { local string_length_of_mode_from_config string_length_of_mode_from_config="${#mode_from_config}" if test "${string_length_of_mode_from_config}" -gt "4"; then - echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 continue fi if test "${string_length_of_mode_from_config}" -lt "3"; then - echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then - echo "ERROR: owner_from_config '${owner_from_config}' does not exist!" >&2 + echo "ERROR: owner from config does not exist: '${owner_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then - echo "ERROR: group_from_config '${group_from_config}' does not exist!" >&2 + echo "ERROR: group from config does not exist: '${group_from_config}'" >&2 continue fi @@ -340,7 +341,7 @@ set_file_perms() { local stat_output stat_output="" if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '${fso_without_trailing_slash}'!" >&2 + echo "ERROR: failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi 
@@ -352,15 +353,15 @@ set_file_perms() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: arr is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file_name is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: file name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing_mode is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then @@ -368,7 +369,7 @@ set_file_perms() { continue fi if test -z "${existing_group}"; then - echo "ERROR: ${existing_group} is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
@@ -387,19 +388,19 @@ set_file_perms() { } if test "${dpkg_statoverride_list_exit_code}" = "0"; then - true "There is an fso entry. Check if owner/group/mode match." + true "INFO: There is an fso entry. Check if owner/group/mode matches." local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then - true "OK The owner/group/mode matches. No further action required." + true "INFO: The owner/group/mode matches. No further action required." else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + true "INFO: The owner/group/mode does not match, removing and re-adding the entry to update it." ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "OK Existing mode already saved previously. No need to save again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -420,11 +421,11 @@ set_file_perms() { echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else - true "There is no fso entry. Therefore add one." + true "INFO: There is no fso entry, adding one." # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "OK Existing mode already saved previously. No need to save again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. @@ -456,12 +457,12 @@ set_file_perms() { getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 - echo "ERROR: removing capabilities for fso '${fso}' failed!" >&2 + echo "ERROR: removing capabilities failed. File: '${fso}'" >&2 continue fi else if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then - echo "ERROR: capability_from_config '${capability_from_config}' does not exist!" >&2 + echo "ERROR: capability from config does not exist: '${capability_from_config}'" >&2 continue fi @@ -470,7 +471,7 @@ set_file_perms() { echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi done <"${config_file}" - true "INFO: END parsing config_file: '${config_file}'" + true "INFO: END parsing config file: '${config_file}'" } parse_config_folder() { 
@@ -513,11 +514,8 @@ apply() { parse_config_folder echo "\ -INFO: To compare the current and previous permission modes: - Install 'meld' (or preferred diff tool) for comparison of file mode changes: +INFO: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld - - Use 'meld' or another diff tool to view the differences: meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } @@ -545,7 +543,7 @@ spare() { echo "ERROR: cannot parse line: ${line}" >&2 continue fi - true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'" + true "INFO: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -573,7 +571,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal." + echo "INFO: file doesn't exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true 
@@ -593,18 +591,11 @@ spare() { if test "$(cat "${store_dir}/remove_one")" = "false"; then echo "INFO: no file was removed. - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation of this program. + File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. - Note: This is expected if already done earlier. - - Note: This program expects the full path to the file. Example: - $0 disable /usr/bin/newgrp - - The following syntax will not work: - $0 disable program-name - - The following example will not work: - $0 disable newgrp + This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work To remove all: $0 disable all From aa99de68d307cd88462665424996d9b730ab5087 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 23 Jul 2024 18:46:47 +0200 Subject: [PATCH 1280/1650] Log output with defined levels --- usr/bin/permission-hardener | 140 ++++++++++++++++++++---------------- 1 file changed, 79 insertions(+), 61 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 6a78a28..9eff886 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -13,25 +13,33 @@ store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +log_level=info +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + echo_wrapper_ignore() { if test "${1}" = "verbose"; then - echo "INFO: run: $*" + shift + log info "Run: $*" + else + shift fi - shift "$@" 2>/dev/null || true } echo_wrapper_audit() { if test "${1}" = "verbose"; then - echo "INFO: run: $*" + shift + log info "Run: $*" + else + shift fi - shift return_code=0 "$@" || { return_code="$?" exit_code=203 - echo "ERROR: command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -55,14 +63,13 @@ add_nosuid_statoverride_entry() { counter_actual=0 local dummy_line - while IFS="" read -r -d "" dummy_line; do - true "DEBUG: test would parse line:" "${dummy_line}" + while IFS="" read -r dummy_line; do + log info "Test would parse line: ${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line - while IFS="" read -r -d "" line; do - true "DEBUG: line: ${line}" + while IFS="" read -r line; do counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group 
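Review bot: The `else shift` branch added to both `echo_wrapper_ignore` and `echo_wrapper_audit` treats any first argument as the silent mode, so a call site that omits the `verbose`/`silent` token has its real command consumed by `shift` and its first option executed as the command; in `echo_wrapper_ignore` that mistake is then hidden by `"$@" 2>/dev/null || true`. A guard at the top of each wrapper, `case "${1}" in verbose|silent) ;; *) log error "${FUNCNAME[0]}: expected verbose|silent, got '${1}'" >&2; exit 1 ;; esac`, turns a missing token into a loud failure instead of a silently skipped hardening step. Separately, `source /usr/libexec/helper-scripts/log_run_die.sh` has no failure handling; if the helper is absent, presumably `log` is undefined and every later message, including the failure path of `echo_wrapper_audit`, degrades into 'command not found', so `source ... || { echo "ERROR: cannot source log_run_die.sh" >&2; exit 1; }` would be safer.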
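Review bot: Switching both `read` loops from `-d ""` to newline-delimited input matches what `stat -c "%n %a %U %G"` actually emits, but it also fixes the record format as one path per line with the path first, so a setuid/setgid file whose path contains a newline, or (given later whitespace splitting) a space, falls into the "file name / mode is empty" error branches and keeps its bit while only a log line records it; the `-print0`/`-0` pair protects the find-to-xargs hand-off only. Since this loop exists to strip those bits, a sturdier format is `stat --printf '%a %U %G %n\0'` read with `while IFS=' ' read -r -d '' existing_mode existing_owner existing_group file_name; do` in both the counting loop and the processing loop, so the trailing variable absorbs the whole path. Whether the `arr` splitting further down the function depends on the present field order I cannot tell from the hunk; add_nosuid_statoverride_entry continues outside it.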
@@ -73,23 +80,23 @@ add_nosuid_statoverride_entry() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: line is empty: '${line}'" >&2 + log error "Line is empty: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file name is empty. line: '${line}'" >&2 + log error "File name is empty. line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing mode is empty. line: '${line}'" >&2 + log error "Existing mode is empty. line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing owner is empty. line: '${line}'" >&2 + log error "Existing owner is empty. line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing group is empty. line: '${line}'" >&2 + log error "Existing group is empty. line: '${line}'" >&2 continue fi @@ -99,12 +106,12 @@ add_nosuid_statoverride_entry() { if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "DEBUG: skip symlink: ${file_name}" + log info "Skip symlink: ${file_name}" continue fi if test -d "${file_name}"; then - true "DEBUG: skip directory: ${file_name}" + log info "Skip directory: ${file_name}" continue fi @@ -144,6 +151,9 @@ add_nosuid_statoverride_entry() { local is_exact_whitelisted is_exact_whitelisted="" for white_list_entry in "${exact_white_list[@]:-}"; do + if test -z "${white_list_entry}"; then + continue + fi if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" ## Stop looping through the whitelist. @@ -154,6 +164,9 @@ add_nosuid_statoverride_entry() { local is_match_whitelisted is_match_whitelisted="" for matchwhite_list_entry in "${match_white_list[@]:-}"; do + if test -z "${matchwhite_list_entry}"; then + continue + fi if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" ## Stop looping through the match_white_list. 
@@ -164,6 +177,9 @@ add_nosuid_statoverride_entry() { local is_disable_whitelisted is_disable_whitelisted="" for disablematch_list_entry in "${disable_white_list[@]:-}"; do + if test -z "${disablematch_list_entry}"; then + continue + fi if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" ## Stop looping through the disablewhitelist. @@ -171,27 +187,26 @@ add_nosuid_statoverride_entry() { fi done + clean_output_prefix="Managing (S|G)UID of line:" clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then - echo "INFO: whitelists_disable_all=true ${clean_output}" + log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then - true "INFO: white list disabled ${clean_output}" + log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" else if test "${is_exact_whitelisted}" = "true"; then - true "INFO: is_exact_whitelisted=true ${clean_output}" + log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" continue fi if test "${is_match_whitelisted}" = "true"; then - true "INFO: is_match_whitelisted=true ${clean_output} matchwhite_list_entry: '${matchwhite_list_entry}'" + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}" continue fi fi - echo "INFO: ${clean_output}" - # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -225,14 +240,14 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: file (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - echo "ERROR: expected number of files to be parsed was not met." >&2 + log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + log error "Expected number of files to be parsed was not met." >&2 exit_code=202 fi } set_file_perms() { - true "INFO: START parsing config file: '${config_file}'" + log info "START parsing config file: ${config_file}" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -243,11 +258,9 @@ set_file_perms() { continue fi - if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - true "INFO: line contains only white listed characters." - else + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 - echo "ERROR: cannot parse line with invalid character in line: '${line}'" >&2 + log error "Line contains invalid characters: ${line}" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -255,7 +268,7 @@ set_file_perms() { if test "${line}" = 'whitelists_disable_all=true'; then whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true" + log info "whitelists_disable_all=true" continue fi @@ -263,7 +276,7 @@ set_file_perms() { local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then exit_code=201 - echo "ERROR: cannot parse line: '${line}'" >&2 + log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true 
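Review bot: The rewritten condition `if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then` is unanchored, so it only requires that the line contain at least one alphanumeric or slash character and does not enforce the allow-list that the new message `Line contains invalid characters` claims; almost any line passes, so the `exit "${exit_code}"` kept below for the "safer to exit with error" case practically never fires. To make it a real allow-list, anchor it and enumerate what the config format legitimately uses, e.g. `if ! [[ "${line}" =~ ^[0-9a-zA-Z/._=[:space:]-]+$ ]]; then` — the visible forms (`whitelists_disable_all=true`, numeric modes, owner/group and capability names, paths with dots and dashes) suggest at least that set, to be confirmed against the shipped .conf files. set_file_perms starts and ends outside this hunk.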
@@ -272,6 +285,8 @@ set_file_perms() { exit "${exit_code}" fi + log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}" + ## Debugging. #echo "line: '${line}'" #echo "fso: '${fso}'" @@ -282,6 +297,7 @@ set_file_perms() { fso_without_trailing_slash="${fso%/}" ## TODO: test/add white spaces inside file name support + declare -g disable_white_list exact_white_list match_white_list case "${mode_from_config}" in disablewhitelist) disable_white_list+=("${fso}") @@ -298,7 +314,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - true "INFO: file does not exist: '${fso}'" + log warn "File does not exist: '${fso}'" continue fi @@ -312,21 +328,21 @@ set_file_perms() { local string_length_of_mode_from_config string_length_of_mode_from_config="${#mode_from_config}" if test "${string_length_of_mode_from_config}" -gt "4"; then - echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 + log error "Invalid mode: '${mode_from_config}'" >&2 continue fi if test "${string_length_of_mode_from_config}" -lt "3"; then - echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 + log error "Invalid mode: '${mode_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then - echo "ERROR: owner from config does not exist: '${owner_from_config}'" >&2 + log error "Owner from config does not exist: '${owner_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then - echo "ERROR: group from config does not exist: '${group_from_config}'" >&2 + log error "Group from config does not exist: '${group_from_config}'" >&2 continue fi 
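Review bot: `declare -g disable_white_list exact_white_list match_white_list` on the added line runs once per config line inside the while loop; it is harmless but reads as if the arrays were reset per line, which they are not. Declaring them once before the loop (or at file scope next to `store_dir`) as `declare -ga disable_white_list exact_white_list match_white_list` states the intent — global arrays accumulated across config files — in one place. In the @@ -298 hunk on this line, the formerly silent "file does not exist" case becomes `log warn`, while the removed wording called it "likely normal"; if the shipped configs list optional binaries, every run will now warn once per absent file, so `log info` may be the intended level. set_file_perms starts and ends outside these hunks.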
@@ -341,7 +357,7 @@ set_file_perms() { local stat_output stat_output="" if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then - echo "ERROR: failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 + log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi @@ -353,23 +369,23 @@ set_file_perms() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
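Review bot: The added line `log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2` keeps the old message format while its four siblings in the same block were rewritten as `<Field> is empty. Stat output: '...', line: '...'`; `log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2` makes the group uniform and keeps the log greppable. This line was also the one skipped by the earlier "Prettify log messages" pass on this page (its @@ -352 and @@ -368 hunks). set_file_perms starts and ends outside this hunk.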
@@ -388,19 +404,18 @@ set_file_perms() { } if test "${dpkg_statoverride_list_exit_code}" = "0"; then - true "INFO: There is an fso entry. Check if owner/group/mode matches." local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then - true "INFO: The owner/group/mode matches. No further action required." + log info "The owner/group/mode matches fso entry. No further action required." else - true "INFO: The owner/group/mode does not match, removing and re-adding the entry to update it." + log info "The owner/group/mode does not match fso entry, updating entry." ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. @@ -421,11 +436,11 @@ set_file_perms() { echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else - true "INFO: There is no fso entry, adding one." + log info "There is no fso entry, adding one." # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -457,12 +472,12 @@ set_file_perms() { getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 - echo "ERROR: removing capabilities failed. File: '${fso}'" >&2 + log error "Removing capabilities failed. File: '${fso}'" >&2 continue fi else if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then - echo "ERROR: capability from config does not exist: '${capability_from_config}'" >&2 + log error "Capability from config does not exist: '${capability_from_config}'" >&2 continue fi @@ -470,8 +485,9 @@ set_file_perms() { ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi + done <"${config_file}" - true "INFO: END parsing config file: '${config_file}'" + log info "END parsing config file: ${config_file}" } parse_config_folder() { @@ -504,6 +520,7 @@ parse_config_folder() { /usr/local/etc/permission-hardening.d/*.conf do set_file_perms + done } @@ -513,8 +530,8 @@ apply() { sanity_tests parse_config_folder - echo "\ -INFO: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + log info "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } 
@@ -529,21 +546,22 @@ spare() { dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" if test ! -f "${store_dir}/existing_mode/statoverride"; then + true debug "Stat file does not exist, hardening was not applied not applied before" return 0 fi local line - while IFS="" read -r -d "" line; do + while read -r line; do ## example line: ## root root 4755 /usr/lib/eject/dmcrypt-get-device local owner group mode file_name if ! read -r owner group mode file_name <<< "${line}"; then exit_code=201 - echo "ERROR: cannot parse line: ${line}" >&2 + log error "Cannot parse line: ${line}" >&2 continue fi - true "INFO: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" + log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -571,7 +589,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - echo "INFO: file doesn't exist: '${file_name}'" + log warn "File does not exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true @@ -589,7 +607,7 @@ spare() { if test ! "${remove_file}" = "all"; then if test "$(cat "${store_dir}/remove_one")" = "false"; then - echo "INFO: no file was removed. + log info "No file was removed. File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. @@ -617,7 +635,7 @@ spare() { check_root(){ if test "$(id -u)" != "0"; then - echo "ERROR: Not running as root, aborting." + log error "Not running as root, aborting." exit 1 fi } @@ -647,7 +665,7 @@ case "${1:-}" in esac if test "${exit_code}" != "0"; then - echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2 + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 fi exit "${exit_code}" From 8be21b6eff40fdd3909ef63468463fc52e8bf45f Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Tue, 23 Jul 2024 19:36:12 +0200 Subject: [PATCH 1281/1650] Handle newlines in file names --- usr/bin/permission-hardener | 45 +++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 9eff886..87f4307 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -63,40 +63,47 @@ add_nosuid_statoverride_entry() {
 counter_actual=0
 local dummy_line
- while IFS="" read -r dummy_line; do
+ while IFS="" read -r -d "" dummy_line; do
 log info "Test would parse line: ${dummy_line}"
 should_be_counter=$((should_be_counter + 1))
- done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})
+ done < <(find "${fso_to_process}" -perm /u=s,g=s -print0)
 local line
- while IFS="" read -r line; do
+ while IFS="" read -r -d "" line; do
 counter_actual="$((counter_actual + 1))"
 local arr file_name existing_mode existing_owner existing_group
- read -r -a arr <<< "${line}"
- file_name="${arr[0]}"
- existing_mode="${arr[1]}"
- existing_owner="${arr[2]}"
- existing_group="${arr[3]}"
+ file_name="${line}"
+ stat_output="$(stat -c "%a %U %G" "${line}")"
+ read -r -a arr <<< "${stat_output}"
+ existing_mode="${arr[0]}"
+ existing_owner="${arr[1]}"
+ existing_group="${arr[2]}"
 if test "${#arr[@]}" = 0; then
 log error "Line is empty: '${line}'" >&2
 continue
 fi
 if test -z "${file_name}"; then
- log error "File name is empty. line: '${line}'" >&2
+ log error "File name is empty in line: ${line}" >&2
 continue
 fi
 if test -z "${existing_mode}"; then
- log error "Existing mode is empty. line: '${line}'" >&2
+ log error "Existing mode is empty in line: ${line}" >&2
 continue
 fi
 if test -z "${existing_owner}"; then
- log error "Existing owner is empty. line: '${line}'" >&2
+ log error "Existing owner is empty in line: ${line}" >&2
 continue
 fi
 if test -z "${existing_group}"; then
- log error "Existing group is empty. line: '${line}'" >&2
+ log error "Existing group is empty in line: ${line}" >&2
+ continue
+ fi
+
+ ## dpkg-statoverride: error: path may not contain newlines
+ if [[ "${file_name}" == *$'\n'* ]]; then
+ log warn "Skipping file name that contains newlines: ${file_name}" >&2
 continue
 fi
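Review bot: The new newline branch at the end of the hunk skips the object with `log warn` and `continue`, but the file keeps its setuid/setgid bit and nothing records the gap: `exit_code` stays 0 and the run reports success although a SUID object was left unhardened. Consider failing the run the way the sibling branches in this file do (`exit_code=<EXIT_CODE>`, a value chosen like the other 20x codes here) and raising the message to `log error`, and state in the comment that dpkg-statoverride cannot persist such a path, so whether a plain `chmod u-s,g-s` should still be applied is a policy decision worth writing down there. The `stat` call on `"${line}"` is unchecked: if the object disappears between `find` and `stat`, the empty `arr` is reported as `Line is empty`, which misnames the failure; `if ! stat_output=$(stat -c "%a %U %G" "${line}"); then log error "Failed to run 'stat' on file: '${line}'" >&2; continue; fi` would match the wording set_file_perms already uses. The loop body continues outside the hunk.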
@@ -236,7 +243,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then @@ -356,17 +363,17 @@ set_file_perms() { local stat_output stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then + if ! stat_output="$(stat -c "%a %U %G" "${fso_without_trailing_slash}")"; then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi local arr file_name existing_mode existing_owner existing_group read -r -a arr <<< "${stat_output}" - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" + file_name="${fso_without_trailing_slash}" + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 @@ -589,7 +596,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log warn "File does not exist: '${file_name}'" + log warn "File does not exist: ${file_name}" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 88c88187f2909322211cc08598717068ea7cf1d1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 17:26:50 +1000 Subject: [PATCH 1282/1650] Re-enable (default) `secure_redirects` for ICMP redirect messages --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 9 +++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5e029c8..02fd18e 100644 --- a/README.md 
+++ b/README.md
@@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 from all interfaces to prevent IP spoofing.
 - Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimize information disclosure. If
- ICMP redirect messages are permitted, only do so from approved gateways.
+ prevent man-in-the-middle attacks and minimize information disclosure.
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 7b07033..8fe680c 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
 ##
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ##
 net.ipv4.conf.all.accept_redirects=0
@@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
-
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##
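Review bot: Removing the `secure_redirects` block leaves no record in the conf file of why the kernel default is now preferred; the rationale lives only in the commit title. With `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.default.accept_redirects=0` set just above, the kernel consults `secure_redirects` only for a redirect that `accept_redirects` has already admitted, so the removal should be inert for the shipped configuration and only matters if an interface re-enables `accept_redirects` (as far as I recall, with forwarding off a per-interface value of 1 is enough for that interface even when `all` is 0). I would keep a short comment where the block was, e.g. `## secure_redirects is left at the kernel default (1): it only filters redirects that accept_redirects already allows, so it matters only if accept_redirects is re-enabled on an interface.` The README hunk drops the approved-gateways sentence entirely; carrying the same one-line rationale there keeps the two files in sync.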
From 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 09:15:02 -0400 Subject: [PATCH 1283/1650] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 87f4307..2800e73 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -553,7 +553,7 @@ spare() { dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" if test ! -f "${store_dir}/existing_mode/statoverride"; then - true debug "Stat file does not exist, hardening was not applied not applied before" + true "DEBUG: Stat file does not exist, hardening was not applied before." return 0 fi From 1135d34ab334c9b39e51a147dc94df568f982512 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 23:33:36 +1000 Subject: [PATCH 1284/1650] Reword description of `cfi=kcfi` kerenel parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 5709f52..9c179b2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## As of Linux kernel 6.2, FineIBT has been the default implementation. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in performance benefits as it only performs checking at destinations. -## FineIBT is weaker against attacks that can write arbitrary executable in memory. +## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT is considered weaker against attacks that can write arbitrary executable in memory. ## Upstream hardening has given users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both. -## Do not modify this parameter if unsure of implications. +## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. +## Do not modify from default if unsure of implications. ## ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u From a077ae54ea050af8828813b781738cba24e27624 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:56:08 -0400 Subject: [PATCH 1285/1650] modify call of stat to use NUL delimiter for more robust string parsing --- usr/bin/permission-hardener | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2800e73..36c21f1 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -74,11 +74,14 @@ add_nosuid_statoverride_entry() { local arr file_name existing_mode existing_owner existing_group file_name="${line}" - stat_output="$(stat -c "%a %U %G" "${line}")" - read -r -a arr <<< "${stat_output}" - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## Capture the stat output with fields separated by NUL characters. + ## Delimiter at the end to avoid the last field to be interpreted as having a newline. + stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") + readarray -d '\0' -t arr <<< "${stat_output}" + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty: '${line}'" >&2 @@ -363,7 +366,7 @@ set_file_perms() { local stat_output stat_output="" - if ! stat_output="$(stat -c "%a %U %G" "${fso_without_trailing_slash}")"; then + if ! stat_output="$(stat -c '%n\0%a\0%U\0%G\0%' "${fso_without_trailing_slash}")"; then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi From 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:57:13 -0400 Subject: [PATCH 1286/1650] check first if array is empty before parsing further --- usr/bin/permission-hardener | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 36c21f1..63786d3 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -77,16 +77,19 @@ add_nosuid_statoverride_entry() { ## Capture the stat output with fields separated by NUL characters. ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") + readarray -d '\0' -t arr <<< "${stat_output}" - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty: '${line}'" >&2 continue fi + + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + if test -z "${file_name}"; then log error "File name is empty in line: ${line}" >&2 continue From b9dfe70a016e46e1f275918be19890526182cfa2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:58:05 -0400 Subject: [PATCH 1287/1650] check first if file_name is empty --- usr/bin/permission-hardener | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 63786d3..c2c6129 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -73,7 +73,14 @@ add_nosuid_statoverride_entry() { counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group + file_name="${line}" + + if test -z "${file_name}"; then + log error "File name is empty in line: ${line}" >&2 + continue + fi + ## Capture the stat output with fields separated by NUL characters. ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") @@ -90,10 +97,6 @@ add_nosuid_statoverride_entry() { existing_owner="${arr[2]}" existing_group="${arr[3]}" - if test -z "${file_name}"; then - log error "File name is empty in line: ${line}" >&2 - continue - fi if test -z "${existing_mode}"; then log error "Existing mode is empty in line: ${line}" >&2 continue 
From ced02fb9e03e12c7d51923511e7d6a54b09a6274 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:01:24 -0400 Subject: [PATCH 1288/1650] add sanity test for file_name output from stat --- usr/bin/permission-hardener | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c2c6129..17d0abe 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -97,6 +97,15 @@ add_nosuid_statoverride_entry() { existing_owner="${arr[2]}" existing_group="${arr[3]}" + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +file_name is different from file_name_from_stat: +line: '${line}' +file_name '${file_name}' +file_name_from_stat: '${file_name_from_stat}'" >&2 + continue + fi + if test -z "${existing_mode}"; then log error "Existing mode is empty in line: ${line}" >&2 continue From a6e517736b83c124cf8cec52bac184612a29ad0d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:02:25 -0400 Subject: [PATCH 1289/1650] local stat_output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 17d0abe..571d176 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -72,7 +72,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name existing_mode existing_owner existing_group + local arr file_name existing_mode existing_owner existing_group stat_output file_name="${line}" From d5366835112cc5fabef7ec46a9c582c08121cb14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:03:28 -0400 Subject: [PATCH 1290/1650] local clean_output_prefix clean_output --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 571d176..978c6a9 100755 
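Review bot: The new sanity check `if [ ! "$file_name" = "$file_name_from_stat" ]; then` departs from the `test … "${var}"` form used on every other condition in this function (the `test -z "${existing_mode}"` lines directly below it); `if test ! "${file_name}" = "${file_name_from_stat}"; then` keeps the file uniform. The same `[ … ]` form is added again for set_file_perms in PATCH 1301 (its `@@ -401,6 +402,16 @@` hunk) and could be adjusted there as well. The enclosing loop continues outside the hunk.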
--- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -212,6 +212,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi done + local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then From 00911df5c1de24960ad6d21b4cd99450f2d08a88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:10:56 -0400 Subject: [PATCH 1291/1650] modify call of stat to use NUL delimiter for more robust string parsing --- usr/bin/permission-hardener | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 978c6a9..ed42723 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -72,7 +72,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name existing_mode existing_owner existing_group stat_output + local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output file_name="${line}" @@ -88,7 +88,7 @@ add_nosuid_statoverride_entry() { readarray -d '\0' -t arr <<< "${stat_output}" if test "${#arr[@]}" = 0; then - log error "Line is empty: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
@@ -387,12 +387,19 @@ set_file_perms() { continue fi - local arr file_name existing_mode existing_owner existing_group - read -r -a arr <<< "${stat_output}" + local arr file_name file_name_from_stat existing_mode existing_owner existing_group + readarray -d '\0' -t arr <<< "${stat_output}" file_name="${fso_without_trailing_slash}" - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + + if test "${#arr[@]}" = 0; then + log error "Line is empty: '${line}'" >&2 + continue + fi + + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 From 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:12:18 -0400 Subject: [PATCH 1292/1650] output --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index ed42723..0ca91ec 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -392,7 +392,7 @@ set_file_perms() { file_name="${fso_without_trailing_slash}" if test "${#arr[@]}" = 0; then - log error "Line is empty: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi @@ -414,7 +414,7 @@ set_file_perms() { continue fi if test -z "${existing_owner}"; then - log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing_owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then From 721392901be384014298f59deb57747b825c8b37 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:12:39 -0400 Subject: [PATCH 1293/1650] remove duplicate test --- usr/bin/permission-hardener | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 0ca91ec..933cb55 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -401,10 +401,6 @@ set_file_perms() { existing_owner="${arr[2]}" existing_group="${arr[3]}" - if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi if test -z "${file_name}"; then log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue From c9fd2ceb61ea176c731432f02a9fa40652fbddc8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:13:35 -0400 Subject: [PATCH 1294/1650] downgrade warning of non-existing files to info to avoid all users by default getting a warning for expected non-existing files --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 933cb55..4689973 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -618,7 +618,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log warn "File does not exist: ${file_name}" + log info "File does not exist: ${file_name}" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 151ca659a9f5565744ff57f3b581c8c051def148 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:19:15 -0400 Subject: [PATCH 1295/1650] output --- usr/bin/permission-hardener | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 4689973..3e43dbf 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -64,7 +64,7 @@ add_nosuid_statoverride_entry() { local dummy_line while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: ${dummy_line}" + log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) @@ -77,7 +77,7 @@ add_nosuid_statoverride_entry() { file_name="${line}" if test -z "${file_name}"; then - log error "File name is empty in line: ${line}" >&2 + log error "File name is empty in line: '${line}'" >&2 continue fi @@ -107,21 +107,21 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi if test -z "${existing_mode}"; then - log error "Existing mode is empty in line: ${line}" >&2 + log error "Existing mode is empty in line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - log error "Existing owner is empty in line: ${line}" >&2 + log error "Existing owner is empty in line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - log error "Existing group is empty in line: ${line}" >&2 + log error "Existing group is empty in line: '${line}'" >&2 continue fi ## dpkg-statoverride: error: path may not contain newlines if [[ "${file_name}" == *$'\n'* ]]; then - log warn "Skipping file name that contains newlines: ${file_name}" >&2 + log warn "Skipping file name that contains newlines: '${file_name}'" >&2 continue fi @@ -131,12 +131,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: ${file_name}" + log info "Skip symlink: '${file_name}'" continue fi if test -d "${file_name}"; then - log info "Skip directory: ${file_name}" + log info "Skip directory: '${file_name}'" continue fi 
@@ -214,7 +214,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" - clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" + clean_output="setuid='${setuid_output}' setgid='${setsgid_output}' existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then @@ -225,7 +225,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 continue fi if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}" + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" continue fi fi @@ -273,7 +273,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 } set_file_perms() { - log info "START parsing config file: ${config_file}" + log info "START parsing config file: '${config_file}'" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -286,7 +286,7 @@ set_file_perms() { if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 - log error "Line contains invalid characters: ${line}" >&2 + log error "Line contains invalid characters: '${line}'" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" 
@@ -311,7 +311,7 @@ set_file_perms() { exit "${exit_code}" fi - log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}" + log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" ## Debugging. #echo "line: '${line}'" @@ -516,7 +516,7 @@ set_file_perms() { fi done <"${config_file}" - log info "END parsing config file: ${config_file}" + log info "END parsing config file: '${config_file}'" } parse_config_folder() { @@ -587,10 +587,10 @@ spare() { local owner group mode file_name if ! read -r owner group mode file_name <<< "${line}"; then exit_code=201 - log error "Cannot parse line: ${line}" >&2 + log error "Cannot parse line: '${line}'" >&2 continue fi - log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" + log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -618,7 +618,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log info "File does not exist: ${file_name}" + log info "File does not exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 3bf1f26c0bb271d63c16b314e4da040abf5b3713 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:20:26 -0400 Subject: [PATCH 1296/1650] downgrade warning of non-existing folders to info to avoid all users by default getting a warning for expected non-existing folders --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3e43dbf..a71e9e6 100755 --- a/usr/bin/permission-hardener 
+++ b/usr/bin/permission-hardener @@ -340,7 +340,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - log warn "File does not exist: '${fso}'" + log info "File does not exist: '${fso}'" continue fi From 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:27:51 -0400 Subject: [PATCH 1297/1650] output --- usr/bin/permission-hardener | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a71e9e6..b66db0f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -13,14 +13,14 @@ store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -log_level=info +log_level=notice # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh echo_wrapper_ignore() { if test "${1}" = "verbose"; then shift - log info "Run: $*" + log notice "Run: $*" else shift fi @@ -30,7 +30,7 @@ echo_wrapper_ignore() { echo_wrapper_audit() { if test "${1}" = "verbose"; then shift - log info "Run: $*" + log notice "Run: $*" else shift fi @@ -559,7 +559,7 @@ apply() { sanity_tests parse_config_folder - log info "\ + log notice "\ To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" From cda0d26af7c057dab8edf4897f98c2e8f83e3d56 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:45:13 -0400 Subject: [PATCH 1298/1650] cannot use NULL inside a bash variable use custom delimiter instead --- usr/bin/permission-hardener | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index b66db0f..0637ed9 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -12,6 +12,7 @@ exit_code=0
 store_dir="/var/lib/permission-hardener"
 dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
 dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
+delimiter="#permission-hardener-delimiter#"
 log_level=notice
 # shellcheck disable=SC1091
@@ -81,11 +82,11 @@ add_nosuid_statoverride_entry() {
 continue
 fi
- ## Capture the stat output with fields separated by NUL characters.
 ## Delimiter at the end to avoid the last field to be interpreted as having a newline.
- stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}")
+ stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}")
+ stat_output_simple=$(stat -c '%n %a %U %G' "${line}")
- readarray -d '\0' -t arr <<< "${stat_output}"
+ readarray -d "${delimiter}" -t arr <<< "${stat_output}"
 if test "${#arr[@]}" = 0; then
 log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2
@@ -382,13 +383,13 @@ set_file_perms() {
 local stat_output
 stat_output=""
- if ! stat_output="$(stat -c '%n\0%a\0%U\0%G\0%' "${fso_without_trailing_slash}")"; then
+ if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${fso_without_trailing_slash}"); then
 log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2
 continue
 fi
 local arr file_name file_name_from_stat existing_mode existing_owner existing_group
- readarray -d '\0' -t arr <<< "${stat_output}"
+ readarray -d "${delimiter}" -t arr <<< "${stat_output}"
 file_name="${fso_without_trailing_slash}"
 if test "${#arr[@]}" = 0; then
From 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:47:52 -0400 Subject: [PATCH 1299/1650] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 0637ed9..bea2abe 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -411,7 +411,7 @@ set_file_perms() { continue fi if test -z "${existing_owner}"; then - log error "Existing_owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then From cc2b335ee692cc04a2c4e298902f3503927b2c50 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:48:32 -0400 Subject: [PATCH 1300/1650] cleanup --- usr/bin/permission-hardener | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index bea2abe..2612b2a 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -84,7 +84,6 @@ add_nosuid_statoverride_entry() { ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}") - stat_output_simple=$(stat -c '%n %a %U %G' "${line}") readarray -d "${delimiter}" -t arr <<< "${stat_output}" From a16dd8474bf72c2b8c63adc7500140e89d19fedb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:50:30 -0400 Subject: [PATCH 1301/1650] sanity test --- usr/bin/permission-hardener | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2612b2a..61090bf 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -99,6 +99,7 @@ add_nosuid_statoverride_entry() { if [ ! "$file_name" = "$file_name_from_stat" ]; then log error "\ +function add_nosuid_statoverride_entry: file_name is different from file_name_from_stat: line: '${line}' file_name '${file_name}' @@ -401,6 +402,16 @@ set_file_perms() { existing_owner="${arr[2]}" existing_group="${arr[3]}" + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +function set_file_perms: +file_name is different from file_name_from_stat: +line: '${line}' +file_name '${file_name}' +file_name_from_stat: '${file_name_from_stat}'" >&2 + continue + fi + if test -z "${file_name}"; then log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue From 10c73b326f824f783169383888b9464965a53cbb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 12:07:26 -0400 Subject: [PATCH 1302/1650] fix delimiter parsing --- usr/bin/permission-hardener | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 61090bf..b843ad2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -73,7 +73,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output + local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined file_name="${line}" 
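Review bot: The name check added to set_file_perms in the `-401` hunk reports a mismatch without the raw `stat_output`, unlike the empty-field errors directly below it, so a parsing fault (such as the delimiter being split wrongly) is logged without the data needed to diagnose it; add a line `stat_output: '${stat_output}'` to the message. The `[ ! "$file_name" = "$file_name_from_stat" ]` form also departs from the `test ...` style of the surrounding checks; `if test "${file_name}" != "${file_name_from_stat}"; then` says the same thing in the file's idiom. set_file_perms begins and ends outside the hunk.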
@@ -82,10 +82,9 @@ add_nosuid_statoverride_entry() { continue fi - ## Delimiter at the end to avoid the last field to be interpreted as having a newline. - stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}") - - readarray -d "${delimiter}" -t arr <<< "${stat_output}" + stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${line}") + stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") + readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 @@ -381,15 +380,16 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - local stat_output + local stat_output stat_output_newlined stat_output="" - if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${fso_without_trailing_slash}"); then + if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${fso_without_trailing_slash}"); then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi + stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") local arr file_name file_name_from_stat existing_mode existing_owner existing_group - readarray -d "${delimiter}" -t arr <<< "${stat_output}" + readarray -t arr <<< "${stat_output_newlined}" file_name="${fso_without_trailing_slash}" if test "${#arr[@]}" = 0; then From 4cc1289e89b341e15725d65e405e607ea4784f9f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 13:30:30 -0400 Subject: [PATCH 1303/1650] output --- usr/bin/permission-hardener | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b843ad2..cef71b9 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
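Review bot: With `%n` as the first field, a file name containing a newline shifts every later field once `readarray -t arr <<< "${stat_output_newlined}"` splits on newlines, so `existing_mode`, `existing_owner` and `existing_group` are read from the wrong indices; the name comparison only catches this indirectly because `arr[0]` then no longer equals the name. Putting the name last, `stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}"`, keeps the three fixed fields at stable positions and confines any damage to the last one. The same applies to the `stat` call in the `-381` hunk of set_file_perms. Both functions start and end outside these hunks.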
@@ -160,6 +160,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 setuid_or_setsgid=true fi if test -z "${setuid_or_setsgid}"; then + log info "Neither setuid nor setsgid. Skipping. file_name: '${file_name}'" continue fi @@ -177,10 +178,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_exact_whitelisted="" for white_list_entry in "${exact_white_list[@]:-}"; do if test -z "${white_list_entry}"; then + log info "white_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" + log info "is_exact_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the whitelist. break fi @@ -190,10 +193,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_match_whitelisted="" for matchwhite_list_entry in "${match_white_list[@]:-}"; do if test -z "${matchwhite_list_entry}"; then + log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" + log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. break fi @@ -203,10 +208,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_disable_whitelisted="" for disablematch_list_entry in "${disable_white_list[@]:-}"; do if test -z "${disablematch_list_entry}"; then + log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" + log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. break fi 
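Review bot: The new `log info "white_list_entry unset. Skipping. file_name: '${file_name}'"` in the `-177` hunk, and its twins in the `-190` and `-203` hunks, fire once per scanned file whenever the respective list is empty, because `"${exact_white_list[@]:-}"` expands to a single empty element for an unset array; at info level that is one line per setuid/setgid file per list on an unconfigured system. Either drop these three messages, or log the "list is empty" condition once before each loop rather than inside it. add_nosuid_statoverride_entry starts and ends outside the hunks.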
@@ -230,6 +237,8 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi fi + log notice "${clean_output_prefix} ${clean_output}" + # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then log info "Existing mode already saved previously. Not saving again." @@ -277,6 +286,7 @@ set_file_perms() { local line while read -r line || test -n "${line}"; do if test -z "${line}"; then + true "DEBUG: line is empty. Skipping." continue fi @@ -498,6 +508,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi fi if test -z "${capability_from_config}"; then + log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" continue fi From 9231f058911ab9059e91c4c0c1677ef66b5bb666 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 13:31:49 -0400 Subject: [PATCH 1304/1650] todo --- usr/bin/permission-hardener | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index cef71b9..1c21df2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,6 +6,9 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +## TODO: +## - unduplicate stat_output related source code + set -o errexit -o nounset -o pipefail exit_code=0 From f699eb02a27ef54b9ced5866447b63152984af66 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:11:33 +1000 Subject: [PATCH 1305/1650] Set `sysctl fs.binfmt_misc.status=0` --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/README.md b/README.md index 5e029c8..d4dd706 100644 --- a/README.md +++ b/README.md 
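Review bot: The unconditional `log notice "${clean_output_prefix} ${clean_output}"` is placed directly after an if/elif chain whose visible tail is `fi fi`; if that chain already logs `${clean_output}` for each whitelist outcome (as the surrounding variable names suggest), every processed file is now reported twice, once at info and once at notice. If the intent is to always surface the decision at notice level, raise the level of the existing messages inside the chain instead of appending a second line. add_nosuid_statoverride_entry starts and ends outside the hunk.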
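Review bot: `true "DEBUG: line is empty. Skipping."` in the `-277` hunk of set_file_perms is the only trace added by this commit that bypasses the `log` helper; the sibling additions all use `log info`. Use `log info "line is empty. Skipping."` so the message honours the configured log level, or leave the branch silent as it was.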
@@ -57,6 +57,9 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. +- Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..334fb68 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -193,6 +193,22 @@ fs.protected_regular=2 ## vm.max_map_count=1048576 +## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. +## Prevents registering interpreters for various binary formats based on a magic number or their file extension. +## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications. +## These interpreters will run with root permissions when a setuid binary is owned by root. +## Can stop maliciously crafted files with specific file extensions from automatically executing. +## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). +## +## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html +## https://salsa.debian.org/debian/binfmt-support +## https://access.redhat.com/solutions/1985633 +## https://en.wikipedia.org/wiki/Binfmt_misc +## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil +## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## +fs.binfmt_misc.status=0 + ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps From 3926b91dcf371377d38c747e5c7718ac2fed3c83 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:26:23 +1000 Subject: [PATCH 1306/1650] Add documentation on `sysctl kernel.panic_on_oops=1` --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index 5e029c8..e28549f 100644 --- a/README.md +++ b/README.md 
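Review bot: `fs.binfmt_misc.status=0` is not an ordinary procfs sysctl: `status` is a file of the binfmt_misc filesystem and exists under `/proc/sys/fs/binfmt_misc` only while that filesystem is mounted there, so on a system where it is not mounted when `sysctl --system` runs this entry produces an error and has no effect. The comment block should state that dependency, e.g. `## Only takes effect if binfmt_misc is mounted on /proc/sys/fs/binfmt_misc at the time sysctl runs.`, or the setting should be applied by a unit ordered after that mount. The sentence about interpreters running "with root permissions when a setuid binary is owned by root" applies, per the linked kernel documentation, only to registrations that carry the credentials flag (`C`); saying so makes the rationale precise.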
@@ -41,6 +41,9 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. +- Force the kernel to panic on "oopses" that can potentially indicate and thwart + certain kernel exploitation attempts. + - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Disable asynchronous I/O as `io_uring` has been the source diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..b05b3bf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -109,6 +109,17 @@ kernel.sysrq=0 ## kernel.perf_event_paranoid=3 +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Also cause panics on machine check exceptions. +## Panics may be due to false-positives such as bad drivers. +## +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#kernel.panic_on_oops=1 + ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Heap randomization can lead to breakages with legacy applications. ## From ed3336694ce35614ab47db42bce29d3c69d46752 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:28:27 +1000 Subject: [PATCH 1307/1650] Provide the option to immediately reboot on a kernel panics --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 1 + usr/libexec/security-misc/panic-on-oops | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e28549f..34ea2b2 100644 --- a/README.md +++ b/README.md 
@@ -42,7 +42,8 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. + certain kernel exploitation attempts. Provide the option to reboot immediately + on a kernel panic. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b05b3bf..7eb1a73 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -119,6 +119,7 @@ kernel.perf_event_paranoid=3 ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #kernel.panic_on_oops=1 +#kernel.panic=-1 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Heap randomization can lead to breakages with legacy applications. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 907ee69..2fc25c8 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -16,3 +16,4 @@ fi ## from continuing to run a flawed processes. Many kernel exploits ## will also cause an oops which this will make the kernel kill. sysctl kernel.panic_on_oops=1 +#sysctl kernel.panic=-1 From 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 15:51:32 +1000 Subject: [PATCH 1308/1650] Partial inclusion of GrapheneOS infrastructure blacklist --- .../30_security-misc_blacklist.conf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 2ef0d1a..34e1124 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
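Review bot: The new `#kernel.panic=-1` line sits under the `panic_on_oops` comment block without an explanation of its own, so a reader cannot tell that a negative value means reboot immediately while positive values wait that many seconds and 0 leaves the machine halted; add `## Reboot immediately on any kernel panic (negative = no delay, N = wait N seconds, 0 = stay halted).` above it. Combined with `panic_on_oops=1`, an oops from a faulty driver becomes an instant reboot with no chance to read the console, which the existing "false-positives" sentence should mention before recommending the pair. The same commented line is added to `/usr/libexec/security-misc/panic-on-oops` in the third hunk and would benefit from the same comment.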
@@ -23,6 +23,26 @@ blacklist sr_mod ## Miscellaneous: ## +## GrapheneOS: +## Partial selection of their infrastructure blacklist. +## Duplicate and already disabled modules have been omitted. +## +## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## +#blacklist cfg80211 +#blacklist intel_agp +#blacklist ip_tables +blacklist joydev +#blacklist mousedev +#blacklist psmouse +blacklist snd_intel8x0 +#blacklist tls +#blacklist virtio_balloon +#blacklist virtio_console +## +## Ubuntu: +## Already disabled modules have been omitted. +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## From 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 25 Jul 2024 12:20:16 +0200 Subject: [PATCH 1309/1650] Unduplicate stat call --- usr/bin/permission-hardener | 187 ++++++++++++++++++------------------ 1 file changed, 91 insertions(+), 96 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1c21df2..10fad42 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,9 +6,6 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -## TODO: -## - unduplicate stat_output related source code - set -o errexit -o nounset -o pipefail exit_code=0 @@ -17,6 +14,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +# shellcheck disable=SC2034 log_level=notice # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh 
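Review bot: `blacklist joydev` and `blacklist snd_intel8x0` only stop alias-based autoloading; a module requested explicitly with `modprobe`, pulled in as a dependency, or listed in `/etc/modules` still loads. The package's other disable lists use the `install <module> /usr/bin/disabled-...-by-security-misc` form, which also blocks explicit loads, so the comment block should say that the weaker `blacklist` form is deliberate here (mirroring the upstream GrapheneOS file), or these two entries should use `install` like the rest.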
@@ -53,6 +51,78 @@ make_store_dir(){ mkdir --parents "${store_dir}/new_mode" } +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. +block_newlines(){ + local newline_variable newline_value + newline_variable="${1}" + newline_value="${2}" + ## dpkg-statoverride: error: path may not contain newlines + #if [[ "${newline_value}" == *$'\n'* ]]; then + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat(){ + local file_name + file_name="${1}" + + if test -z "${file_name}"; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + declare -a arr + local file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined + + if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + readarray -t arr <<< "${stat_output_newlined}" + + if test "${#arr[@]}" = 0; then + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +function ${FUNCNAME[1]}: +File name is different from file name received from stat: +File name '${file_name}' +File name from stat: '${file_name_from_stat}'" >&2 + return 1 + fi + + if test -z "${existing_mode}"; then + log error "Existing mode is empty. 
Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_owner}"; then + log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_group}"; then + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + + (IFS=$'\n'; echo "${arr[*]}") +} + sanity_tests() { echo_wrapper_audit silent which \ capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null 
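Review bot: `block_newlines file "${file_name}"` in output_stat ignores the helper's return status, so the "Skipping ... contains newlines" path only stops the function because `set -o errexit` happens to be inherited by the caller's process-substitution subshell; errexit is suppressed whenever output_stat is called inside `if`, `||` or `&&`, so write `block_newlines file "${file_name}" || return 1`. The four error messages also interpolate `${line}`, which output_stat neither receives nor declares; under `set -o nounset` that aborts with "unbound variable" whenever `line` is unset in the caller's dynamic scope (add_nosuid_statoverride_entry now reads into `file_name` and leaves its `local line` unset), replacing the intended log line, so drop `line: '${line}'` from those messages. Finally, `readarray` on a here-string never yields zero elements, so the `${#arr[@]} = 0` check cannot trigger, while `${arr[3]}` aborts under nounset when fewer than four fields come back; `if test "${#arr[@]}" -lt 4; then` covers both cases.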
@@ -73,60 +143,21 @@ add_nosuid_statoverride_entry() { done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) local line - while IFS="" read -r -d "" line; do - counter_actual="$((counter_actual + 1))" + while IFS="" read -r -d "" file_name; do + counter_actual=$((counter_actual + 1)) - local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined - - file_name="${line}" - - if test -z "${file_name}"; then - log error "File name is empty in line: '${line}'" >&2 - continue - fi - - stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${line}") - stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") - readarray -t arr <<< "${stat_output_newlined}" + declare -a arr + local existing_mode existing_owner existing_group + readarray -t arr < <(output_stat "${file_name}") + ## Above command creates a subshell that cannot be returned. if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ ! 
"$file_name" = "$file_name_from_stat" ]; then - log error "\ -function add_nosuid_statoverride_entry: -file_name is different from file_name_from_stat: -line: '${line}' -file_name '${file_name}' -file_name_from_stat: '${file_name_from_stat}'" >&2 - continue - fi - - if test -z "${existing_mode}"; then - log error "Existing mode is empty in line: '${line}'" >&2 - continue - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty in line: '${line}'" >&2 - continue - fi - if test -z "${existing_group}"; then - log error "Existing group is empty in line: '${line}'" >&2 - continue - fi - - ## dpkg-statoverride: error: path may not contain newlines - if [[ "${file_name}" == *$'\n'* ]]; then - log warn "Skipping file name that contains newlines: '${file_name}'" >&2 - continue - fi + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. @@ -335,7 +366,6 @@ set_file_perms() { local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" - ## TODO: test/add white spaces inside file name support declare -g disable_white_list exact_white_list match_white_list case "${mode_from_config}" in disablewhitelist) 
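Review bot: `file_name` is no longer declared `local` in add_nosuid_statoverride_entry: the removed `local arr file_name ...` line was its only declaration and the loop now reads into `file_name` directly, so the variable leaks as a global, while `local line` just above is left unused. Replace `local line` with `local file_name`. The same applies to `file_name="${fso_without_trailing_slash}"` in the set_file_perms hunk at `-393`, where the new `local existing_mode existing_owner existing_group` line omits `file_name`. Both functions begin and end outside these hunks.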
@@ -393,54 +423,19 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - local stat_output stat_output_newlined - stat_output="" - if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${fso_without_trailing_slash}"); then - log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 - continue - fi - stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") + declare -a arr + local existing_mode existing_owner existing_group - local arr file_name file_name_from_stat existing_mode existing_owner existing_group - readarray -t arr <<< "${stat_output_newlined}" file_name="${fso_without_trailing_slash}" - + readarray -t arr < <(output_stat "${file_name}") + ## Above command creates a subshell that cannot be returned from. if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ ! "$file_name" = "$file_name_from_stat" ]; then - log error "\ -function set_file_perms: -file_name is different from file_name_from_stat: -line: '${line}' -file_name '${file_name}' -file_name_from_stat: '${file_name_from_stat}'" >&2 - continue - fi - - if test -z "${file_name}"; then - log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi - if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 - continue - fi - if test -z "${existing_group}"; then - log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" ## Check there is an entry for the fso. ## @@ -558,9 +553,9 @@ parse_config_folder() { ## 'grep' exits after the first match in this case causing 'getent' to ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. - passwd_file_contents_temp=$(getent passwd) + passwd_file_contents_temp="$(getent passwd)" echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp=$(getent group) + group_file_contents_temp="$(getent group)" echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" From 652a06c8e9f841e043cc5b5fb030b149cb70dc85 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 25 Jul 2024 12:37:21 +0200 Subject: [PATCH 1310/1650] Only print SUID or SGID values when set --- usr/bin/permission-hardener | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 10fad42..3196cfa 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -174,27 +174,23 @@ add_nosuid_statoverride_entry() { continue fi - local setuid setuid_output setsgid setsgid_output + local setuid setgid setuid="" - setuid_output="" if test -u "${file_name}"; then setuid=true - setuid_output="set-user-id" fi - setsgid="" - setsgid_output="" + setgid="" if test -g "${file_name}"; then - setsgid=true - setsgid_output="set-group-id" + setgid=true fi - local setuid_or_setsgid - setuid_or_setsgid="" - if test "${setuid}" = "true" || test "${setsgid}" = "true"; then - setuid_or_setsgid=true + local setuid_or_setgid + setuid_or_setgid="" + if test "${setuid}" = "true" || test "${setgid}" = "true"; then + setuid_or_setgid=true fi - if test -z "${setuid_or_setsgid}"; then - log info "Neither setuid nor setsgid. Skipping. file_name: '${file_name}'" + if test -z "${setuid_or_setgid}"; then + log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" continue fi @@ -255,7 +251,7 @@ add_nosuid_statoverride_entry() { local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" - clean_output="setuid='${setuid_output}' setgid='${setsgid_output}' existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" + clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then From 4397de0138dac47aee66570fcfe4ef38c8179321 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 26 Jul 2024 11:30:46 +1000 Subject: [PATCH 1311/1650] Update description of `cfi=kcfi` kerenel parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 9c179b2..172c3c8 100644 
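Review bot: `clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode=..."` in the `-255` hunk leaves a leading space or a doubled space in the log line whenever one of the bits is clear, because the literal separators remain when the `:+` expansions are empty. Move the space inside each expansion: `clean_output="${setuid:+setuid='true' }${setgid:+setgid='true' }existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'"`. add_nosuid_statoverride_entry starts and ends outside the hunk.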
--- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU. +## The default implementation is FIneIBT as of Linux kernel 6.2. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in some performance benefits as it only performs checking at destinations. -## FineIBT is considered weaker against attacks that can write arbitrary executable in memory. -## Upstream hardening has given users the ability to disable FineIBT based on requests. +## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. +## Upstream hardening work has provided users the ability to disable FineIBT based on requests. ## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from default if unsure of implications. +## Do not modify from the default setting if unsure of implications. ## ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u @@ -132,6 +132,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## #cfi=kcfi 
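Review bot: The rewritten comment introduces a typo, `FIneIBT`, for the implementation spelled FineIBT on the following lines; use `## The default implementation is FineIBT as of Linux kernel 6.2.`. The new `## TODO: Debian 13 Trixie` marker in the second hunk does not say what is to be done, presumably to revisit enabling `cfi=kcfi` once that release ships a kernel >= 6.2; spell that out so the TODO is actionable.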
From f616da7c0690fc0dffc21be59174ed8754ec55fb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:40:59 +0000 Subject: [PATCH 1312/1650] bumped changelog version --- changelog.upstream | 179 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 185 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 32ec008..9095f50 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,182 @@ +commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 +Author: Patrick Schleizer +Date: Wed Jul 24 13:31:49 2024 -0400 + + todo + +commit 4cc1289e89b341e15725d65e405e607ea4784f9f +Author: Patrick Schleizer +Date: Wed Jul 24 13:30:30 2024 -0400 + + output + +commit 10c73b326f824f783169383888b9464965a53cbb +Author: Patrick Schleizer +Date: Wed Jul 24 12:07:26 2024 -0400 + + fix delimiter parsing + +commit a16dd8474bf72c2b8c63adc7500140e89d19fedb +Author: Patrick Schleizer +Date: Wed Jul 24 11:50:30 2024 -0400 + + sanity test + +commit cc2b335ee692cc04a2c4e298902f3503927b2c50 +Author: Patrick Schleizer +Date: Wed Jul 24 11:48:32 2024 -0400 + + cleanup + +commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:47:52 2024 -0400 + + output + +commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 +Author: Patrick Schleizer +Date: Wed Jul 24 11:45:13 2024 -0400 + + cannot use NULL inside a bash variable + + use custom delimiter instead + +commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 +Author: Patrick Schleizer +Date: Wed Jul 24 11:27:51 2024 -0400 + + output + +commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 +Author: Patrick Schleizer +Date: Wed Jul 24 11:20:26 2024 -0400 + + downgrade warning of non-existing folders to info + + to avoid all users by default getting a warning for expected non-existing folders + +commit 151ca659a9f5565744ff57f3b581c8c051def148 +Author: Patrick Schleizer +Date: Wed Jul 24 11:19:15 2024 -0400 + + output + +commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:13:35 2024 -0400 + + downgrade warning of non-existing files to info + + to avoid all users by default getting a warning for expected non-existing files + +commit 721392901be384014298f59deb57747b825c8b37 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:39 2024 -0400 + + remove duplicate test + +commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:18 
2024 -0400 + + output + +commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 +Author: Patrick Schleizer +Date: Wed Jul 24 11:10:56 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit d5366835112cc5fabef7ec46a9c582c08121cb14 +Author: Patrick Schleizer +Date: Wed Jul 24 11:03:28 2024 -0400 + + local clean_output_prefix clean_output + +commit a6e517736b83c124cf8cec52bac184612a29ad0d +Author: Patrick Schleizer +Date: Wed Jul 24 11:02:25 2024 -0400 + + local stat_output + +commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 +Author: Patrick Schleizer +Date: Wed Jul 24 11:01:24 2024 -0400 + + add sanity test for file_name output from stat + +commit b9dfe70a016e46e1f275918be19890526182cfa2 +Author: Patrick Schleizer +Date: Wed Jul 24 10:58:05 2024 -0400 + + check first if file_name is empty + +commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 +Author: Patrick Schleizer +Date: Wed Jul 24 10:57:13 2024 -0400 + + check first if array is empty before parsing further + +commit a077ae54ea050af8828813b781738cba24e27624 +Author: Patrick Schleizer +Date: Wed Jul 24 10:56:08 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 +Author: Patrick Schleizer +Date: Wed Jul 24 09:15:02 2024 -0400 + + output + +commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 +Merge: d2563ed 8be21b6 +Author: Patrick Schleizer +Date: Wed Jul 24 09:13:48 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f +Author: Ben Grande +Date: Tue Jul 23 19:36:12 2024 +0200 + + Handle newlines in file names + +commit aa99de68d307cd88462665424996d9b730ab5087 +Author: Ben Grande +Date: Tue Jul 23 18:46:47 2024 +0200 + + Log output with defined levels + +commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 +Author: Ben Grande +Date: Tue Jul 23 09:55:02 2024 +0200 + + Prettify log messages + +commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 
+Author: Ben Grande +Date: Mon Jul 22 17:06:07 2024 +0200 + + Unify functions that evaluate commands + +commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed +Author: Ben Grande +Date: Mon Jul 22 16:01:14 2024 +0200 + + Delimit file names with null terminator + +commit d2563ed92317a029340dbb83f30da008b01325f2 +Author: Patrick Schleizer +Date: Sun Jul 21 10:40:14 2024 +0000 + + bumped changelog version + commit 64f8b2eb5870664fca06aa060f2f50af358ced55 Author: Patrick Schleizer Date: Sun Jul 21 06:36:22 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 876e60b..06a9a4c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 + security-misc (3:38.3-1) unstable; urgency=medium * New upstream version (local package). From 9f135231ccdc3f6eba27db2e1794eff23f03fc0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 06:43:01 -0400 Subject: [PATCH 1313/1650] no longer disable Intel ME related kernel modules because that might break firmware updates This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index b6cfcbe..d2408af 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -92,18 +92,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
 ## https://github.com/Kicksecure/security-misc/issues/239
 ##
-install mei /usr/bin/disabled-intelme-by-security-misc
-install mei-gsc /usr/bin/disabled-intelme-by-security-misc
-install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
-install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
-install mei-me /usr/bin/disabled-intelme-by-security-misc
-install mei_phy /usr/bin/disabled-intelme-by-security-misc
-install mei_pxp /usr/bin/disabled-intelme-by-security-misc
-install mei-txe /usr/bin/disabled-intelme-by-security-misc
-install mei-vsc /usr/bin/disabled-intelme-by-security-misc
-install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
-install mei_wdt /usr/bin/disabled-intelme-by-security-misc
-install microread_mei /usr/bin/disabled-intelme-by-security-misc
+#install mei /usr/bin/disabled-intelme-by-security-misc
+#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+#install mei-me /usr/bin/disabled-intelme-by-security-misc
+#install mei_phy /usr/bin/disabled-intelme-by-security-misc
+#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+#install mei-txe /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+#install microread_mei /usr/bin/disabled-intelme-by-security-misc
 
 ## Intel Platform Monitoring Technology Telemetry (PMT):
 ## Disable some functionality of the Intel PMT components.
From 9694cf0cd1a225c68d45814e0f4d6995659a0066 Mon Sep 17 00:00:00 2001
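Review bot: The twelve mei entries are commented out rather than deleted, but the comment block that survives above them in the hunk is only two URLs, so a reader of the installed file cannot tell whether blocking the Intel ME interface drivers is a pending TODO or a deliberate opt-in, nor what it costs. I would add, directly above the commented lines, `## Not blocked by default: blocking the mei drivers can break firmware updates (see issue 239).` and `## Uncomment the lines below to block the Intel ME interface drivers anyway.` so the trade-off stated in the commit message lives in the file people actually edit. Keeping the entries in place is reasonable, since it preserves the exact `install ... /usr/bin/disabled-intelme-by-security-misc` form for anyone who wants to re-enable the block; that is an inference from the hunk, not something the file says.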
From: Patrick Schleizer Date: Fri, 26 Jul 2024 07:43:59 -0400 Subject: [PATCH 1314/1650] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3196cfa..58f8918 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -112,7 +112,7 @@ File name from stat: '${file_name_from_stat}'" >&2 return 1 fi if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi if test -z "${existing_group}"; then From 19f131c7426aaa5199504e75aba180a7771a2520 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:07:08 -0400 Subject: [PATCH 1315/1650] code simplification https://github.com/Kicksecure/security-misc/pull/251 --- usr/bin/permission-hardener | 37 +++++++++++-------------------------- 1 file changed, 11 insertions(+), 26 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 58f8918..98f4824 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -78,7 +78,7 @@ output_stat(){ block_newlines file "${file_name}" declare -a arr - local file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined + local file_name_from_stat stat_output stat_output_newlined if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 @@ -119,8 +119,6 @@ File name from stat: '${file_name_from_stat}'" >&2 log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi - - (IFS=$'\n'; echo "${arr[*]}") } sanity_tests() { 
@@ -146,18 +144,11 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" file_name; do counter_actual=$((counter_actual + 1)) - declare -a arr - local existing_mode existing_owner existing_group - - readarray -t arr < <(output_stat "${file_name}") - ## Above command creates a subshell that cannot be returned. - if test "${#arr[@]}" = 0; then - continue - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. @@ -419,19 +410,13 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - declare -a arr - local existing_mode existing_owner existing_group - file_name="${fso_without_trailing_slash}" - readarray -t arr < <(output_stat "${file_name}") - ## Above command creates a subshell that cannot be returned from. - if test "${#arr[@]}" = 0; then - continue - fi - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" ## Check there is an entry for the fso. ## From 95722d6d7902367afb44175263a8628df9ad01b2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:13:33 -0400 Subject: [PATCH 1316/1650] use long option name --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 98f4824..a3b68d2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
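Review bot: The new comment `## exiting_mode` (in both hunks on this line) misspells the variable and should read `## existing_mode`, otherwise anyone grepping for where `existing_mode` is assigned will not find this spot. The bigger change is semantic: the `local existing_mode existing_owner existing_group` declarations are dropped here and in `output_stat` (earlier hunk of this commit), so the three values now travel through global variables, and because the script runs with `set -o errexit` (visible in a later commit's hunk), a `return 1` from the bare `output_stat "${file_name}"` call aborts the whole run where the old `readarray` path used to `continue` on an empty result, unless errexit is switched off around this loop, which I cannot see. If skipping an unreadable object is still the intent, write `output_stat "${file_name}" || continue`, which also stops a stale `existing_*` value from the previous iteration being reused; if aborting is now deliberate, state that in the comment instead. Both enclosing functions start outside the hunk.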
@@ -80,7 +80,7 @@ output_stat(){ declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi From 30f46790a4df7662926fa43d44ac34c3286dd590 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:21:21 -0400 Subject: [PATCH 1317/1650] use end of options whenever possible --- usr/bin/permission-hardener | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a3b68d2..412f3f2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -80,7 +80,7 @@ output_stat(){ declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi @@ -217,7 +217,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. 
@@ -232,7 +232,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -392,12 +392,12 @@ set_file_perms() { continue fi - if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then + if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then log error "Owner from config does not exist: '${owner_from_config}'" >&2 continue fi - if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then + if ! grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then log error "Group from config does not exist: '${group_from_config}'" >&2 continue fi @@ -435,7 +435,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." 
@@ -498,22 +498,22 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap "${fso}")" + echo_wrapper_ignore verbose setcap -r -- "${fso}" + getcap_output="$(getcap -- "${fso}")" if test -n "${getcap_output}"; then exit_code=205 log error "Removing capabilities failed. File: '${fso}'" >&2 continue fi else - if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then + if ! capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then log error "Capability from config does not exist: '${capability_from_config}'" >&2 continue fi ## feature request: dpkg-statoverride: support for capabilities ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" fi done <"${config_file}" @@ -530,7 +530,7 @@ parse_config_folder() { ## Query contents of password and group databases only once and buffer them ## ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet '^root:'; ...' since + ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since ## 'grep' exits after the first match in this case causing 'getent' to ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. From aac450f80836b03478b9e2632afc5a4519f9b37a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:22:04 -0400 Subject: [PATCH 1318/1650] refactoring --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
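Review bot: `setcap -r -- "${fso}"` and `setcap "${capability_from_config}+ep" -- "${fso}"` are the two conversions I would hold back. As far as I can tell from libcap's setcap source, it does not use getopt but walks its arguments as positional `<caps> <file>` pairs, so `--` would be consumed as the file name and the real path as the next capability string; every setcap call would then fail, and on the removal path `echo_wrapper_ignore` hides that until the getcap check reports `Removing capabilities failed` (files that had no capability to begin with would pass silently). Please verify with `setcap -r -- /some/test/file` on the target libcap version and, if it fails, keep `setcap -r "${fso}"` and `setcap "${capability_from_config}+ep" "${fso}"` with a comment such as `## setcap does not support end-of-options ("--").` next to the existing dpkg-statoverride note. `getcap` appears to go through getopt and `grep` certainly does, so those conversions look fine.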
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 412f3f2..34ba038 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -122,8 +122,8 @@ File name from stat: '${file_name_from_stat}'" >&2 } sanity_tests() { - echo_wrapper_audit silent which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + echo_wrapper_audit silent \ + which capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { From 6f0551b944cbf83d82f7a1a554c4461bc971520b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:23:54 -0400 Subject: [PATCH 1319/1650] refactoring --- usr/bin/permission-hardener | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 34ba038..d84fd6e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -123,7 +123,8 @@ File name from stat: '${file_name_from_stat}'" >&2 sanity_tests() { echo_wrapper_audit silent \ - which capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { From 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:24:23 -0400 Subject: [PATCH 1320/1650] cleanup --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index d84fd6e..cb51993 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -124,7 +124,7 @@ File name from stat: '${file_name_from_stat}'" >&2 sanity_tests() { echo_wrapper_audit silent \ which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null } add_nosuid_statoverride_entry() { From f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:26:16 -0400 Subject: [PATCH 1321/1650] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index cb51993..a11e6a6 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -89,7 +89,7 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Array is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi From 8e40c10c319a76e0256c8f135182b0ca7f532f85 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:31:17 -0400 Subject: [PATCH 1322/1650] comment --- usr/bin/permission-hardener | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a11e6a6..2e1345b 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,6 +6,8 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +## dpkg-statoverride does not support end-of-options ("--"). + set -o errexit -o nounset -o pipefail exit_code=0 From d96c0633d431dafd034ae8d1ae0ffbb59c49be4a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:39:11 -0400 Subject: [PATCH 1323/1650] more use of end of options --- usr/bin/permission-hardener | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2e1345b..a7f02f4 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -220,7 +220,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. @@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -339,7 +339,7 @@ set_file_perms() { log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + echo -- "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" 
@@ -438,7 +438,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + if echo -- "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." @@ -538,9 +538,9 @@ parse_config_folder() { ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. passwd_file_contents_temp="$(getent passwd)" - echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null + echo -- "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null group_file_contents_temp="$(getent group)" - echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null + echo -- "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" #group_file_contents="$(cat "${store_dir}/private/group")" @@ -603,9 +603,9 @@ spare() { if test "${remove_file}" = "${file_name}"; then verbose="--verbose" remove_one=true - echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null + echo -- "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null else - echo "false" | tee "${store_dir}/remove_one" >/dev/null + echo -- "false" | tee -- "${store_dir}/remove_one" >/dev/null continue fi fi @@ -674,7 +674,7 @@ check_root(){ } usage(){ - echo "Usage: ${0##*/} enable + echo -- "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] Examples: From 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:40:10 -0400 Subject: [PATCH 1324/1650] minor --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a7f02f4..c12f13f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -307,6 +307,7 @@ add_nosuid_statoverride_entry() { set_file_perms() { log info "START parsing config file: '${config_file}'" + local line while read -r line || test -n "${line}"; do if test -z "${line}"; then From d144f68d1a06a1153c4178b2f6ba9643dededbb8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:46:08 -0400 Subject: [PATCH 1325/1650] output --- usr/bin/permission-hardener | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c12f13f..72f404f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -91,7 +91,12 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Array is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Array is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 return 1 fi @@ -102,10 +107,11 @@ output_stat(){ if [ ! "$file_name" = "$file_name_from_stat" ]; then log error "\ -function ${FUNCNAME[1]}: File name is different from file name received from stat: -File name '${file_name}' -File name from stat: '${file_name_from_stat}'" >&2 +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${line}' +" >&2 return 1 fi From 0e661bc688c7222840c9d83fb3ccab6549b3ac11 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:49:14 -0400 Subject: [PATCH 1326/1650] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
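Review bot: The mismatch error in the second hunk lost its explanatory line: after this change the message is only `File name: ...`, `File name from stat: ...`, `line: ...`, so a log reader cannot tell which condition fired, whereas the removed text said the name differs from what stat returned and named the caller via `${FUNCNAME[1]}`. I would keep a leading line, e.g. `log error "File name differs from file name reported by stat (caller: ${FUNCNAME[1]}):` followed by the three detail lines as written. The `Array is empty.` message in the first hunk does keep its condition text, so matching that style here is easy.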
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 72f404f..bdc5233 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -91,7 +91,7 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Array is empty. + log error "Array length is 0. File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' From 82d401a7de58b74448113bed36c8f0cc073c7f82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:52:42 -0400 Subject: [PATCH 1327/1650] sanity test --- usr/bin/permission-hardener | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index bdc5233..dae1fd1 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -87,7 +87,28 @@ output_stat(){ return 1 fi + if [ "$stat_output" = "" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if test "${stat_output_newlined}" = ""; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then From ee037c01a1208b9247c3ae144fa3faa68657ffdb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:58:44 -0400 Subject: [PATCH 1328/1650] Skip file names starting with '--', because this would be interpreted by dpkg-statoverride as an option. --- usr/bin/permission-hardener | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index dae1fd1..61298e6 100755 
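Review bot: The first new check, `if [ "$stat_output" = "" ]`, interpolates `${stat_output_newlined}` into its error message, but that variable is only assigned on the line after the check and is otherwise just declared via `local ... stat_output_newlined`; under the script's `set -o nounset` that expansion aborts the run with an unbound-variable error instead of logging the diagnostic. Drop the `stat_output_newlined: '${stat_output_newlined}'` line from that first message (it could only ever be empty there anyway). The `line: '${line}'` field in both new messages depends on whatever the caller has set; from the `read -r -d "" file_name` loop I see `local line` declared but not assigned, so that expansion may trip nounset the same way, worth confirming. The enclosing `output_stat` starts outside the hunk.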
--- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -79,6 +79,11 @@ output_stat(){ block_newlines file "${file_name}" + if [[ $file_name == --* ]]; then + log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 + return 1 + fi + declare -a arr local file_name_from_stat stat_output stat_output_newlined From 7e0f1a87010674c63963b70c87e903cf27b288ef Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:08:04 -0400 Subject: [PATCH 1329/1650] dpkg-statoverride can actually handle '--file-name'. --- usr/bin/permission-hardener | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 61298e6..e643ada 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -79,10 +79,11 @@ output_stat(){ block_newlines file "${file_name}" - if [[ $file_name == --* ]]; then - log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 - return 1 - fi + ## dpkg-statoverride can acttually handle '--file-name'. +# if [[ $file_name == --* ]]; then +# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 +# return 1 +# fi declare -a arr local file_name_from_stat stat_output stat_output_newlined From 794f6a25fa87a9d6d796b07ee06b690ea0badc92 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:08:29 -0400 Subject: [PATCH 1330/1650] comment --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index e643ada..1c7a12e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -79,7 +79,7 @@ output_stat(){ block_newlines file "${file_name}" - ## dpkg-statoverride can acttually handle '--file-name'. + ## dpkg-statoverride can actually handle '--file-name'. # if [[ $file_name == --* ]]; then # log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 # return 1 From 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:33:45 -0400 Subject: [PATCH 1331/1650] consider end-of-options for `find` --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1c7a12e..6dab5c6 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -174,7 +174,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" dummy_line; do log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) + done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) local line while IFS="" read -r -d "" file_name; do @@ -328,7 +328,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) + done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then From 04d9ca1ebe79cae5cce04b6533285b8d1299d692 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:16:20 -0400 Subject: [PATCH 1332/1650] use `find` with `safe_echo_nonewline` --- usr/bin/permission-hardener | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 6dab5c6..43d3789 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -16,6 +16,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 log_level=notice # shellcheck disable=SC1091 @@ -174,7 +175,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" dummy_line; do log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) - done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) local line while IFS="" read -r -d "" file_name; do @@ -328,7 +329,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then From 3b033ceba24e5e14056d54710d782397e5c669df Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:17:24 -0400 Subject: [PATCH 1333/1650] shellcheck --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 43d3789..3724f92 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
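Review bot: `find -files0-from -` expects NUL-terminated starting points, while `safe_echo_nonewline "${fso_to_process}"` by its name writes the path with no terminator at all; whether GNU find accepts an unterminated final entry is something I would confirm rather than assume, and the unambiguous form is `printf '%s\0' "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0` (a fixed format string, so the earlier `printf -- "${fso_to_process}"` format-injection problem does not come back). Separately, `-files0-from` is, as far as I remember, a findutils 4.9.0 addition and `sanity_tests` only checks that a `find` binary exists, so on an older findutils both pipelines die with an unknown-predicate error; a probe such as `find -files0-from /dev/null >/dev/null 2>&1 || log error "find lacks -files0-from"` in `sanity_tests` would give a clearer failure. The same pipeline now appears twice (count pass and processing pass); a small helper would keep the two from drifting apart.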
@@ -16,6 +16,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +# shellcheck disable=SC1091 source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 log_level=notice From ac41d1cfff8b722248a5ef1dfe38a8c704f04134 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:25:59 -0400 Subject: [PATCH 1334/1650] comment --- usr/bin/permission-hardener | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3724f92..834aaf5 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -177,6 +177,8 @@ add_nosuid_statoverride_entry() { log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + ## False positive on SC2185 (find without path argument) #1748 + ## https://github.com/koalaman/shellcheck/issues/1748 local line while IFS="" read -r -d "" file_name; do From 6096ed1109a0d5a62a844552fee500ebe66071c8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:26:43 -0400 Subject: [PATCH 1335/1650] comment --- usr/bin/permission-hardener | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 834aaf5..2818560 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -179,6 +179,10 @@ add_nosuid_statoverride_entry() { done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## False positive on SC2185 (find without path argument) #1748 ## https://github.com/koalaman/shellcheck/issues/1748 + ## + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 local line while IFS="" read -r -d "" file_name; do @@ -328,10 +332,6 @@ add_nosuid_statoverride_entry() { ## Not using --update as this is only for recording. # shellcheck disable=SC2086 echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. From 8ec23ed7128580ed0092df43945ba55e94163a6d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:28:57 -0400 Subject: [PATCH 1336/1650] echo does not support end-of-options --- usr/bin/permission-hardener | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2818560..84d1a0d 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -261,7 +261,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. @@ -276,7 +276,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -377,7 +377,7 @@ set_file_perms() { log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true - echo -- "test -w /tmp: '$(test -w /tmp)'" >&2 || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -476,7 +476,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo -- "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." 
@@ -576,9 +576,9 @@ parse_config_folder() {
 ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is
 ## set for this script.
 passwd_file_contents_temp="$(getent passwd)"
- echo -- "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null
+ echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null
 group_file_contents_temp="$(getent group)"
- echo -- "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null
+ echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null
 #passwd_file_contents="$(cat "${store_dir}/private/passwd")"
 #group_file_contents="$(cat "${store_dir}/private/group")"
@@ -641,9 +641,9 @@ spare() {
 if test "${remove_file}" = "${file_name}"; then
 verbose="--verbose"
 remove_one=true
- echo -- "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null
+ echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null
 else
- echo -- "false" | tee -- "${store_dir}/remove_one" >/dev/null
+ echo "false" | tee -- "${store_dir}/remove_one" >/dev/null
 continue
 fi
 fi
@@ -712,7 +712,7 @@ check_root(){
 }
 usage(){
- echo -- "Usage: ${0##*/} enable
+ echo "Usage: ${0##*/} enable
 ${0##*/} disable [FILE|all]
 Examples:
From e2ae93a9571f2f0c9077ea61436a540a3be5a894 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 26 Jul 2024 10:30:45 -0400
Subject: [PATCH 1337/1650] port to safe_echo

---
 usr/bin/permission-hardener | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index 84d1a0d..ad6f9b8 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -261,7 +261,7 @@ add_nosuid_statoverride_entry() {
 log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'"
 continue
 fi
- if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then
+ if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then
 is_match_whitelisted="true"
 log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'"
 ## Stop looping through the match_white_list.
@@ -276,7 +276,7 @@ add_nosuid_statoverride_entry() {
 log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'"
 continue
 fi
- if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then
+ if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then
 is_disable_whitelisted="true"
 log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'"
 ## Stop looping through the disablewhitelist.
@@ -377,7 +377,7 @@ set_file_perms() {
 log error "Cannot parse line: '${line}'" >&2
 ## Debugging.
 du -hs /tmp || true
- echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
+ safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
 ## Safer to exit with error in this case.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/59
 exit "${exit_code}"
@@ -386,10 +386,10 @@ set_file_perms() {
 log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'"
 ## Debugging.
- #echo "line: '${line}'"
- #echo "fso: '${fso}'"
- #echo "mode_from_config: '${mode_from_config}'"
- #echo "owner_from_config: '${owner_from_config}'"
+ #safe_echo "line: '${line}'"
+ #safe_echo "fso: '${fso}'"
+ #safe_echo "mode_from_config: '${mode_from_config}'"
+ #safe_echo "owner_from_config: '${owner_from_config}'"
 local fso_without_trailing_slash
 fso_without_trailing_slash="${fso%/}"
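Review bot: In the `@@ -377` hunk the debug line `safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true` can never show anything useful, because `test -w` prints nothing, so the substitution is always empty and the message reads `test -w /tmp: ''` whether or not /tmp is writable. Printing the outcome instead, e.g. `if test -w /tmp; then safe_echo "/tmp is writable" >&2; else safe_echo "/tmp is not writable" >&2; fi`, gives the diagnostic that the `## Debugging.` comment promises. Separately, nothing in this patch defines or sources `safe_echo` (nor the `safe_echo_nonewline` already used in `add_nosuid_statoverride_entry`), so the script now depends on those helpers being loaded before `set_file_perms` runs; a comment at the top of the file naming where they come from would help a reader, presumably alongside whatever already provides `safe_echo_nonewline`. set_file_perms continues outside the hunk.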
@@ -476,7 +476,7 @@ set_file_perms() {
 if test "${dpkg_statoverride_list_exit_code}" = "0"; then
 local grep_line
 grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}"
- if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then
+ if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then
 log info "The owner/group/mode matches fso entry. No further action required."
 else
 log info "The owner/group/mode does not match fso entry, updating entry."
@@ -576,9 +576,9 @@ parse_config_folder() {
 ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is
 ## set for this script.
 passwd_file_contents_temp="$(getent passwd)"
- echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null
+ safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null
 group_file_contents_temp="$(getent group)"
- echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null
+ safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null
 #passwd_file_contents="$(cat "${store_dir}/private/passwd")"
 #group_file_contents="$(cat "${store_dir}/private/group")"
@@ -641,9 +641,9 @@ spare() {
 if test "${remove_file}" = "${file_name}"; then
 verbose="--verbose"
 remove_one=true
- echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null
+ safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null
 else
- echo "false" | tee -- "${store_dir}/remove_one" >/dev/null
+ safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null
 continue
 fi
 fi
@@ -712,7 +712,7 @@ check_root(){
 }
 usage(){
- echo "Usage: ${0##*/} enable
+ safe_echo "Usage: ${0##*/} enable
 ${0##*/} disable [FILE|all]
 Examples:
From 330cf14eab248d035fa467dba4f7bc3eb92a33bb Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 26 Jul 2024 15:40:24 +0000
Subject: [PATCH 1338/1650] bumped changelog version

---
 changelog.upstream | 253 +++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++
 2 files changed, 259 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 9095f50..7954835 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,238 @@ +commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 +Merge: 7969e86 886f609 +Author: Patrick Schleizer +Date: Fri Jul 26 11:10:25 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 886f6095dba71d76d5fd98277374417657e0cd31 +Merge: 7969e86 ed33366 +Author: Patrick Schleizer +Date: Fri Jul 26 11:08:30 2024 -0400 + + Merge pull request #250 from raja-grewal/Panik-Kalm + + Add details on "oopes" and kernel panics + +commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 +Merge: e2ae93a 0318f57 +Author: Patrick Schleizer +Date: Fri Jul 26 11:06:13 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0318f577ab554ae2ac0f9417b18134723ea2b580 +Merge: e2ae93a 4397de0 +Author: Patrick Schleizer +Date: Fri Jul 26 11:04:29 2024 -0400 + + Merge pull request #246 from raja-grewal/cfi + + Provide the option to change the default CFI implementation in the future + +commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 +Author: Patrick Schleizer +Date: Fri Jul 26 10:30:45 2024 -0400 + + port to safe_echo + +commit 8ec23ed7128580ed0092df43945ba55e94163a6d +Author: Patrick Schleizer +Date: Fri Jul 26 10:28:57 2024 -0400 + + echo does not support end-of-options + +commit 6096ed1109a0d5a62a844552fee500ebe66071c8 +Author: Patrick Schleizer +Date: Fri Jul 26 10:26:43 2024 -0400 + + comment + +commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 +Author: Patrick Schleizer +Date: Fri Jul 26 10:25:59 2024 -0400 + + comment + +commit 3b033ceba24e5e14056d54710d782397e5c669df +Author: Patrick Schleizer +Date: Fri Jul 26 10:17:24 2024 -0400 + + shellcheck + +commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 +Author: Patrick Schleizer +Date: Fri Jul 26 10:16:20 2024 -0400 + + use `find` with `safe_echo_nonewline` + +commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c +Author: Patrick Schleizer +Date: Fri Jul 26 09:33:45 2024 -0400 + + consider end-of-options for `find` + +commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 +Author: Patrick Schleizer 
+Date: Fri Jul 26 09:08:29 2024 -0400 + + comment + +commit 7e0f1a87010674c63963b70c87e903cf27b288ef +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:04 2024 -0400 + + dpkg-statoverride can actually handle '--file-name'. + +commit ee037c01a1208b9247c3ae144fa3faa68657ffdb +Author: Patrick Schleizer +Date: Fri Jul 26 08:58:44 2024 -0400 + + Skip file names starting with '--', + + because this would be interpreted by dpkg-statoverride as an option. + +commit 82d401a7de58b74448113bed36c8f0cc073c7f82 +Author: Patrick Schleizer +Date: Fri Jul 26 08:52:42 2024 -0400 + + sanity test + +commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 +Author: Patrick Schleizer +Date: Fri Jul 26 08:49:14 2024 -0400 + + output + +commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 +Author: Patrick Schleizer +Date: Fri Jul 26 08:46:08 2024 -0400 + + output + +commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a +Author: Patrick Schleizer +Date: Fri Jul 26 08:40:10 2024 -0400 + + minor + +commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a +Author: Patrick Schleizer +Date: Fri Jul 26 08:39:11 2024 -0400 + + more use of end of options + +commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 +Author: Patrick Schleizer +Date: Fri Jul 26 08:31:17 2024 -0400 + + comment + +commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 +Author: Patrick Schleizer +Date: Fri Jul 26 08:26:16 2024 -0400 + + output + +commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 +Author: Patrick Schleizer +Date: Fri Jul 26 08:24:23 2024 -0400 + + cleanup + +commit 6f0551b944cbf83d82f7a1a554c4461bc971520b +Author: Patrick Schleizer +Date: Fri Jul 26 08:23:54 2024 -0400 + + refactoring + +commit aac450f80836b03478b9e2632afc5a4519f9b37a +Author: Patrick Schleizer +Date: Fri Jul 26 08:22:04 2024 -0400 + + refactoring + +commit 30f46790a4df7662926fa43d44ac34c3286dd590 +Author: Patrick Schleizer +Date: Fri Jul 26 08:21:21 2024 -0400 + + use end of options whenever possible + +commit 95722d6d7902367afb44175263a8628df9ad01b2 +Author: Patrick Schleizer +Date: 
Fri Jul 26 08:13:33 2024 -0400 + + use long option name + +commit 19f131c7426aaa5199504e75aba180a7771a2520 +Author: Patrick Schleizer +Date: Fri Jul 26 08:07:08 2024 -0400 + + code simplification + + https://github.com/Kicksecure/security-misc/pull/251 + +commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 +Author: Patrick Schleizer +Date: Fri Jul 26 07:43:59 2024 -0400 + + output + +commit bdfe764f9d805b14dca4196e623e81ce95145d9b +Merge: 9f13523 652a06c +Author: Patrick Schleizer +Date: Fri Jul 26 07:19:05 2024 -0400 + + Merge remote-tracking branch 'ben-grande/stat-dedup' + +commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f +Author: Patrick Schleizer +Date: Fri Jul 26 06:43:01 2024 -0400 + + no longer disable Intel ME related kernel modules + + because that might break firmware updates + + This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f616da7c0690fc0dffc21be59174ed8754ec55fb +Author: Patrick Schleizer +Date: Fri Jul 26 09:40:59 2024 +0000 + + bumped changelog version + +commit 4397de0138dac47aee66570fcfe4ef38c8179321 +Author: Raja Grewal +Date: Fri Jul 26 11:30:46 2024 +1000 + + Update description of `cfi=kcfi` kerenel parameter + +commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 +Author: Ben Grande +Date: Thu Jul 25 12:37:21 2024 +0200 + + Only print SUID or SGID values when set + +commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e +Author: Ben Grande +Date: Thu Jul 25 12:20:16 2024 +0200 + + Unduplicate stat call + +commit ed3336694ce35614ab47db42bce29d3c69d46752 +Author: Raja Grewal +Date: Thu Jul 25 10:28:27 2024 +1000 + + Provide the option to immediately reboot on a kernel panics + +commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 +Author: Raja Grewal +Date: Thu Jul 25 10:26:23 2024 +1000 + + Add documentation on `sysctl kernel.panic_on_oops=1` + commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 Author: Patrick Schleizer Date: Wed Jul 24 13:31:49 2024 -0400 
@@ -128,6 +363,12 @@ Date: Wed Jul 24 10:56:08 2024 -0400 for more robust string parsing +commit 1135d34ab334c9b39e51a147dc94df568f982512 +Author: Raja Grewal +Date: Wed Jul 24 23:33:36 2024 +1000 + + Reword description of `cfi=kcfi` kerenel parameter + commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 Author: Patrick Schleizer Date: Wed Jul 24 09:15:02 2024 -0400 @@ -159,6 +400,12 @@ Date: Tue Jul 23 09:55:02 2024 +0200 Prettify log messages +commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 +Author: Raja Grewal +Date: Tue Jul 23 13:12:13 2024 +1000 + + Update docs relating to the `cfi=kcfi` kernel parameter + commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 Author: Ben Grande Date: Mon Jul 22 17:06:07 2024 +0200 @@ -171,6 +418,12 @@ Date: Mon Jul 22 16:01:14 2024 +0200 Delimit file names with null terminator +commit d6fc71dba78a9c871015ebdde3bef61943369b47 +Author: Raja Grewal +Date: Mon Jul 22 17:26:00 2024 +1000 + + Add option to switch (back) to using kCFI in the future + commit d2563ed92317a029340dbb83f30da008b01325f2 Author: Patrick Schleizer Date: Sun Jul 21 10:40:14 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 06a9a4c..6249588 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 + security-misc (3:38.4-1) unstable; urgency=medium * New upstream version (local package). From 1c9f33f90606fb930744f1b9afc11caf87626194 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 27 Jul 2024 13:24:08 +1000 Subject: [PATCH 1339/1650] Revert "Disable the usage of `ptrace()` by all processes" This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. --- README.md | 5 +++-- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cbd2530..b6aa965 100644 --- a/README.md +++ b/README.md 
@@ -45,8 +45,9 @@ space, user space, core dumps, and swap space.
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
-- Disable the usage of `ptrace()` by all processes as it enables programs to
- inspect and modify other active processes.
+- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
+ enables programs to inspect and modify other active processes. Provide the
+ option to entirely disable the use of `ptrace()` for all processes.
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 1131b77..60440e5 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-## Disable the usage of ptrace() system calls by all processes.
+## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@@ -139,7 +139,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-kernel.yama.ptrace_scope=3
+## It is possible to harden further by disabling ptrace() for all users, see documentation.
+##
+kernel.yama.ptrace_scope=2
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
From 73979d4342dae2017be52d5182bb66fa28be398d Mon Sep 17 00:00:00 2001
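Review bot: The new comment `## It is possible to harden further by disabling ptrace() for all users, see documentation.` leaves out the property that makes that choice different from every other setting in this file: the Yama documentation describes `kernel.yama.ptrace_scope=3` as one-way, so once it is set it cannot be lowered again without a reboot. Suggest adding `## Note: ptrace_scope=3 is irreversible until reboot; it cannot be lowered back at runtime.` and, in the style the grub.d file on this page uses for optional settings, a commented-out `#kernel.yama.ptrace_scope=3` line so the option the README hunk now advertises is discoverable in the shipped file rather than only in external documentation. As written, the README sentence "Provide the option to entirely disable the use of `ptrace()`" points at nothing concrete in the configuration.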
From: Raja Grewal
Date: Sat, 27 Jul 2024 13:28:59 +1000
Subject: [PATCH 1340/1650] Link to `ptrace()` discussion

---
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..9a95486 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -140,6 +140,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/netblue30/firejail/issues/2860
 ##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
+## https://github.com/Kicksecure/security-misc/pull/242
 ##
 kernel.yama.ptrace_scope=2
From 144545762674e914046bb94100237329320e8ece Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 27 Jul 2024 14:00:30 +1000
Subject: [PATCH 1341/1650] Show details regarding `secure_redirects` (again)

---
 README.md | 3 ++-
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 02fd18e..5e029c8 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 from all interfaces to prevent IP spoofing.
 - Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimize information disclosure.
+ prevent man-in-the-middle attacks and minimize information disclosure. If
+ ICMP redirect messages are permitted, only do so from approved gateways.
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 8fe680c..39d0539 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
+## Accept ICMP redirect messages only for approved gateways.
+## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
+##
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.default.secure_redirects=1
+
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##
From e86b2e7f8fcda5727b158579610cb6a0354e89cf Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 27 Jul 2024 12:13:18 -0400
Subject: [PATCH 1342/1650] output

---
 debian/security-misc.postinst | 2 --
 1 file changed, 2 deletions(-)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 6dd7738..e232778 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -36,12 +36,10 @@ permission_hardening() {
 echo "Running SUID Disabler and Permission Hardener... See also:"
 echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
 echo "$0: INFO: running: permission-hardener enable"
- echo ""
 if ! permission-hardener enable ; then
 echo "$0: ERROR: Permission hardening failed." >&2
 return 0
 fi
- echo ""
 echo "$0: INFO: Permission hardening success."
 }
From e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 27 Jul 2024 16:13:35 +0000
Subject: [PATCH 1343/1650] bumped changelog version

---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 7954835..c6f06d8 100644
--- a/changelog.upstream
+++ b/changelog.upstream
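Review bot: `net.ipv4.conf.all.secure_redirects=1` and its `default` twin have no effect while `accept_redirects=0` is set in the context lines just above, because `secure_redirects` only narrows which redirects are honoured once redirects are accepted at all, and the comment should say so plainly so nobody reads the new block as an active protection. Suggest replacing the second comment line with `## No effect while accept_redirects=0 above; kept as defence in depth should redirects ever be re-enabled.`. As far as I know there is no IPv6 counterpart to this knob, which is why only the ipv4 keys appear here; one clause saying that would pre-empt the obvious "where is ipv6?" question.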
@@ -1,3 +1,15 @@ +commit e86b2e7f8fcda5727b158579610cb6a0354e89cf +Author: Patrick Schleizer +Date: Sat Jul 27 12:13:18 2024 -0400 + + output + +commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb +Author: Patrick Schleizer +Date: Fri Jul 26 15:40:24 2024 +0000 + + bumped changelog version + commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 Merge: 7969e86 886f609 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 6249588..07496aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 + security-misc (3:38.5-1) unstable; urgency=medium * New upstream version (local package). From 9fbee9fc82768c3b436307459d174378ee471335 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 28 Jul 2024 21:57:25 +1000 Subject: [PATCH 1344/1650] Clarify --- usr/lib/sysctl.d/990-security-misc.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 334fb68..9b350d3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -195,8 +195,8 @@ vm.max_map_count=1048576
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
-## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications.
-## These interpreters will run with root permissions when a setuid binary is owned by root.
+## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
+## These interpreters will the run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##
From d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 28 Jul 2024 22:03:33 +1000
Subject: [PATCH 1345/1650] Typo

---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9b350d3..adb80c7 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -196,7 +196,7 @@ vm.max_map_count=1048576
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
 ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
-## These interpreters will the run with root permissions when a setuid binary is owned by root.
+## These interpreters will thn run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##
From 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 28 Jul 2024 22:04:30 +1000
Subject: [PATCH 1346/1650] Typo

---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index adb80c7..747ca67 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -196,7 +196,7 @@ vm.max_map_count=1048576
 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
 ## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
 ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
-## These interpreters will thn run with root permissions when a setuid binary is owned by root.
+## These interpreters will then run with root permissions when a setuid binary is owned by root.
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##
From de6f3ea74a5a1408e4351c955ecb7010825364c5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 28 Jul 2024 20:50:22 +0000
Subject: [PATCH 1347/1650] bumped changelog version

---
 changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 48 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index c6f06d8..934cc7d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,9 +1,45 @@ +commit d036094089e3e3a74df981c50882481273fcb6c0 +Merge: e60ce50 0f86fbd +Author: Patrick Schleizer +Date: Sun Jul 28 15:44:40 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 +Merge: e60ce50 73979d4 +Author: Patrick Schleizer +Date: Sun Jul 28 15:43:54 2024 -0400 + + Merge pull request #242 from raja-grewal/ptrace + + Disable the usage of `ptrace()` by all processes + +commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 +Author: Patrick Schleizer +Date: Sat Jul 27 16:13:35 2024 +0000 + + bumped changelog version + commit e86b2e7f8fcda5727b158579610cb6a0354e89cf Author: Patrick Schleizer Date: Sat Jul 27 12:13:18 2024 -0400 output +commit 73979d4342dae2017be52d5182bb66fa28be398d +Author: Raja Grewal +Date: Sat Jul 27 13:28:59 2024 +1000 + + Link to `ptrace()` discussion + +commit 1c9f33f90606fb930744f1b9afc11caf87626194 +Author: Raja Grewal +Date: Sat Jul 27 13:24:08 2024 +1000 + + Revert "Disable the usage of `ptrace()` by all processes" + + This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. + commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb Author: Patrick Schleizer Date: Fri Jul 26 15:40:24 2024 +0000 @@ -558,6 +594,12 @@ Date: Thu Jul 18 12:19:27 2024 +1000 Typos +commit b04828f858fa6d101099773d3156841fd6d33b6f +Author: Raja Grewal +Date: Thu Jul 18 11:01:41 2024 +1000 + + Disable the usage of `ptrace()` by all processes + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 07496aa..5d90f8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 + security-misc (3:38.6-1) unstable; urgency=medium * New upstream version (local package). 
From e53d24fc48b51a21fc182cc59890e97a1d7ac647 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:09:42 +1000
Subject: [PATCH 1348/1650] Add missing GRUB command lines for disabled boot parameters

---
 etc/default/grub.d/40_kernel_hardening.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 172c3c8..f36dac0 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -135,7 +135,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
-#cfi=kcfi
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
@@ -144,7 +144,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
-#ia32_emulation=0
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 ## 2. Direct Memory Access:
 ##
@@ -222,4 +222,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
 ##
-#ipv6.disable=1
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
From f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:11:06 +1000
Subject: [PATCH 1349/1650] Add references to KSPP

---
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index f36dac0..b1b3055 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -18,6 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
 ## Disable merging of slabs with similar size.
 ## Reduces the risk of triggering heap overflows.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 40ab0ff..e795339 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -23,6 +23,7 @@
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+## https://kspp.github.io/Recommended_Settings#sysctls
 ## https://wiki.archlinux.org/title/Security#Kernel_hardening
 ## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
From 9099ecce8ae12352f2b739d3d7adf6069488ff49 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:12:50 +1000
Subject: [PATCH 1350/1650] Provide option to enable the kernel Electric-Fence

---
 README.md | 4 ++++
 etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index b6a6c60..b23f852 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,10 @@ configuration file.
 - Provide the option to modify machine check exception handler.
+- Provide the option to enable the kernel Electric-Fence sampling-based memory
+ safety error detector which can identify heap out-of-bounds access, use-after-free,
+ and invalid-free errors.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be
 slightly more resilient to attacks that are able to write arbitrary executables
 in memory (when using Linux kernel version >= 6.2).
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b1b3055..390f75b 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
From 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:13:38 +1000
Subject: [PATCH 1351/1650] Provide option to disable 32 bit vDSO mappings

---
 README.md | 2 ++
 etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index b23f852..457fe0e 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,8 @@ configuration file.
 safety error detector which can identify heap out-of-bounds access, use-after-free,
 and invalid-free errors.
+- Provide the option to disable 32 bit vDSO mappings.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be
 slightly more resilient to attacks that are able to write arbitrary executables
 in memory (when using Linux kernel version >= 6.2).
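Review bot: The new `kfence.sample_interval=100` entry silently does nothing on a kernel built without `CONFIG_KFENCE`, and the comment block neither says so nor says how to check; a line such as `## Requires CONFIG_KFENCE in the running kernel; the parameter is ignored otherwise.` would match how the neighbouring entries state their kernel-version requirements. KFENCE is a detector rather than a mitigation (it reports a heap error after the fact rather than preventing it), so the README wording in the previous hunk is the right framing, but the cfg comment should not leave the impression that the option hardens anything on its own. The third comment line is also missing its terminating period: `## Aims to have very low processing overhead at each sampling interval`.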
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 390f75b..d34f0ca 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+##
+## https://en.wikipedia.org/wiki/VDSO
+##
+## The use of 32 bit vDSO mappings is currently enabled.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
From ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:25:49 +1000
Subject: [PATCH 1352/1650] Provide the option to disable legacy TIOCSTI operation

---
 README.md | 3 +++
 usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 457fe0e..42fba56 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,9 @@ space, user space, core dumps, and swap space.
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+- Provide the option to disable the use of legacy TIOCSTI operation which can be
+ used to inject keypresses.
+
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel
 exploits (when using Linux kernel version >= 6.6).
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e795339..ef550e4 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
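Review bot: The first comment line, `## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.`, overstates what `vdso32=0` does: the parameter only controls the vDSO for 32-bit (compat) processes, the 64-bit vDSO stays mapped, and the README line in the previous hunk already says "32 bit" correctly. Suggest `## Disable the vDSO mapping for 32-bit (compat) x86 processes; the 64-bit vDSO is unaffected.` plus a short note that 32-bit programs then use the slower legacy syscall entry instead, which is the functional cost of the option. If the `ia32_emulation=0` option elsewhere in this file is enabled, this one is moot, and saying so in the same comment would stop readers enabling both.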
@@ -129,6 +129,13 @@ kernel.perf_event_paranoid=3 ## kernel.randomize_va_space=2 +## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses. +## Will break screen readers as can no longer push characters into a controlling TTY. +## +## This is disabled by default when using Linux kernel >= 6.2. +## +#dev.tty.legacy_tiocsti=0 + ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices. From b77d1a2b980ae20158aa628eec67b016282d0a40 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 14:49:48 +1000 Subject: [PATCH 1353/1650] Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index b6a6c60..f9bad76 100644 --- a/README.md +++ b/README.md @@ -118,6 +118,9 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. +- Provides option to enable sanity checks and red zoning via slab debugging. + Not reccommened due to implicit disabling of kernel pointer hashing. + - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 172c3c8..a9d223e 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
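Review bot: `This is disabled by default when using Linux kernel >= 6.2.` is not what the kernel does: the `dev.tty.legacy_tiocsti` sysctl was added in 6.2, but its default value comes from `CONFIG_LEGACY_TIOCSTI`, which mainline defaults to enabled, so on a stock kernel TIOCSTI stays usable unless this setting is applied (distribution configs may differ — confirm for the targeted kernels). I would reword it to `## The sysctl exists since Linux kernel 6.2; its default follows CONFIG_LEGACY_TIOCSTI, which mainline enables.` The same sentence survives into the later hunk that uncomments the key (`dev.tty.legacy_tiocsti=0`); there the key does not exist on kernels older than 6.2, so applying the file logs an error for it, and if the file uses the `-` prefix convention elsewhere, `-dev.tty.legacy_tiocsti=0` would skip the missing key cleanly while still applying it where available.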
@@ -28,6 +28,15 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" +## Enable sanity checks and red zoning of slabs. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## +## Disabled as enabling this implicitly disables kernel pointer hashing. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" + ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. ## Mitigates use-after-free exploits by erasing sensitive information in memory. From 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 15:11:14 +1000 Subject: [PATCH 1354/1650] Add details about `slub_debug` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f9bad76..f3acb5e 100644 --- a/README.md +++ b/README.md @@ -118,8 +118,8 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Provides option to enable sanity checks and red zoning via slab debugging. - Not reccommened due to implicit disabling of kernel pointer hashing. +- Provide the option to enable sanity checks and red zoning via slab debugging. + Enabling this feature will implicitly disable kernel pointer hashing. - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index a9d223e..0e6dd08 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -28,12 +28,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs. +## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## As a by product of debugging, this will implicitly disabling kernel pointer hashing. +## Enabling will therefore leak exact and all kernel memory addresses to root. +## Has the potential to cause a noticeable performance decrease. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## -## Disabled as enabling this implicitly disables kernel pointer hashing. +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## https://github.com/Kicksecure/security-misc/issues/253 ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" From 6f14d68cdcad3784311e33029eba6906ea0784c2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 15:12:15 +1000 Subject: [PATCH 1355/1650] Update legacy name `slub_debug` -> `slab_debug` --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 0e6dd08..2986a54 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -40,7 +40,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ## https://github.com/Kicksecure/security-misc/issues/253
 ##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 
 ## Zero memory at allocation time and free time.
 ## Fills newly allocated pages, freed pages, and heap objects with zeros.
From 4f7f82016015f61002ac8f778b61968c572dc7dc Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 5 Aug 2024 14:16:33 +1000
Subject: [PATCH 1356/1650] Add reference

---
 usr/lib/sysctl.d/990-security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 39d0539..ba33bae 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -275,6 +275,8 @@ net.ipv6.conf.default.accept_redirects=0
 ## Accept ICMP redirect messages only for approved gateways.
 ## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
 ##
+## https://github.com/Kicksecure/security-misc/pull/248
+##
 net.ipv4.conf.all.secure_redirects=1
 net.ipv4.conf.default.secure_redirects=1
 
From aa34d86598f5b846b007730104e4c99c59f9984d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 5 Aug 2024 14:27:17 +1000
Subject: [PATCH 1357/1650] Enable `slab_debug=FZ`

---
 README.md | 4 ++--
 etc/default/grub.d/40_kernel_hardening.cfg | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index a187056..3ac2ab4 100644
--- a/README.md
+++ b/README.md
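Review bot: `slab_debug` is the newer spelling of this parameter and older kernels only recognise `slub_debug`, so on a kernel that predates the rename the new line is silently ignored and none of the F/Z checks are enabled, with nothing telling the operator. The comment should state the minimum kernel version for `slab_debug` (the rename came with the removal of the SLAB allocator, I believe in 6.9 — confirm) or keep `slub_debug`, which as far as I know is still accepted as a legacy alias. This matters mostly for the later hunk that uncomments the line (`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"`); there the surrounding statement that unhashed pointers leak `to root` only holds while reading the kernel log is restricted (`kernel.dmesg_restrict`, which I assume is set elsewhere in this package but cannot see here), so a cross-reference would help.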
@@ -121,8 +121,8 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Provide the option to enable sanity checks and red zoning via slab debugging. - Enabling this feature will implicitly disable kernel pointer hashing. +- Enable sanity checks and red zoning via slab debugging. This will implicitly + disable kernel pointer hashing, leaking very sensitive information to root. - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..44cfbd9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -37,11 +37,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## https://www.kernel.org/doc/html/latest/mm/slub.html ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. ## https://github.com/Kicksecure/security-misc/issues/253 ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. From c0d140f2211e6490d13e3cd327005027c668905f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:06:34 +1000 Subject: [PATCH 1358/1650] Enable `dev.tty.legacy_tiocsti=0` --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 10 ++++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a187056..efe9e32 100644 --- a/README.md +++ b/README.md 
@@ -47,8 +47,7 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Provide the option to disable the use of legacy TIOCSTI operation which can be - used to inject keypresses. +- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6). diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b68f833..0b46477 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3 ## kernel.randomize_va_space=2 -## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses. -## Will break screen readers as can no longer push characters into a controlling TTY. -## +## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. +## Can lead to privilege escalation by pushing characters into a controlling TTY. +## Will break out-dated screen readers that continue to rely on this legacy functionality. ## This is disabled by default when using Linux kernel >= 6.2. ## -#dev.tty.legacy_tiocsti=0 +## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ +## +dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. From d102ec19972865032f12f90bffe3e592546f0267 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:07:56 +1000 Subject: [PATCH 1359/1650] Enable `kfence.sample_interval=100` --- README.md | 5 ++--- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a187056..16f7df3 100644 --- a/README.md +++ b/README.md 
@@ -147,9 +147,8 @@ configuration file. - Provide the option to modify machine check exception handler. -- Provide the option to enable the kernel Electric-Fence sampling-based memory - safety error detector which can identify heap out-of-bounds access, use-after-free, - and invalid-free errors. +- Enable the kernel Electric-Fence sampling-based memory safety error detector + which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. - Provide the option to disable 32 bit vDSO mappings. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..bbfee13 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -134,7 +134,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. ## From 8559079312adb4ed92e5f478120b408dfe7a1124 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:10:02 +1000 Subject: [PATCH 1360/1650] Enable `vdso32=0` --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a187056..8b12b71 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ configuration file. safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. -- Provide the option to disable 32 bit vDSO mappings. +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..7e92bdb 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -136,13 +136,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" -## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. ## -## https://en.wikipedia.org/wiki/VDSO +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 ## -## The use of 32 bit vDSO mappings is currently enabled. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. From 89e816dda6c5a00512b276071c4d9fe108ee63b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 6 Aug 2024 14:01:39 +0000 Subject: [PATCH 1361/1650] bumped changelog version --- changelog.upstream | 177 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 183 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 934cc7d..81a58c9 100644 --- a/changelog.upstream +++ b/changelog.upstream 
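Review bot: `Legacy compatibility feature for superseded glibc versions.` understates what `vdso32=0` turns off: the 32-bit vDSO is mapped into every 32-bit (i386/compat) process, not only into ones linked against old glibc, so with this line active all 32-bit programs fall back to `int $0x80` syscalls and lose the vDSO clock functions, a performance cost for any remaining 32-bit software rather than a change confined to obsolete libraries. The removed comment also said this is an x86 parameter and the new text drops that; on other architectures the option is simply unknown to the kernel. I would reword the header to `## Disable the 32-bit (compat) vDSO on x86. Affects every 32-bit process, which then falls back to int 0x80 syscalls and loses the vDSO clock functions.` The two references are list threads from 2008 and 2014, so a pointer to the current kernel-parameters documentation entry for `vdso32=` would serve readers better.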
@@ -1,3 +1,174 @@ +commit 967f9e257b09bc73ddb579292d507f7cb9832643 +Merge: fa90918 a25aaf9 +Author: Patrick Schleizer +Date: Tue Aug 6 09:57:56 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a25aaf900a12666046278a9fab6933b3d5670679 +Merge: 6bc039a 8559079 +Author: Patrick Schleizer +Date: Tue Aug 6 09:55:20 2024 -0400 + + Merge pull request #260 from raja-grewal/vdso32 + + Enable `vdso32=0` + +commit 6bc039a430289342f06857a52a5f13829d6e50f5 +Merge: ce60d56 d102ec1 +Author: Patrick Schleizer +Date: Tue Aug 6 09:52:56 2024 -0400 + + Merge pull request #259 from raja-grewal/kfence + + Enable `kfence.sample_interval=100` + +commit ce60d5615fe99e41c48d459f562d581a688c295a +Merge: b027842 c0d140f +Author: Patrick Schleizer +Date: Tue Aug 6 09:48:08 2024 -0400 + + Merge pull request #258 from raja-grewal/legacy_tiocsti + + Enable `dev.tty.legacy_tiocsti=0` + +commit b0278428a73cd3d329aaa36626005e0c593331f0 +Merge: fa90918 aa34d86 +Author: Patrick Schleizer +Date: Tue Aug 6 09:39:04 2024 -0400 + + Merge pull request #257 from raja-grewal/slab_debug + + Enable `slab_debug=FZ` + +commit 8559079312adb4ed92e5f478120b408dfe7a1124 +Author: Raja Grewal +Date: Mon Aug 5 15:10:02 2024 +1000 + + Enable `vdso32=0` + +commit d102ec19972865032f12f90bffe3e592546f0267 +Author: Raja Grewal +Date: Mon Aug 5 15:07:56 2024 +1000 + + Enable `kfence.sample_interval=100` + +commit c0d140f2211e6490d13e3cd327005027c668905f +Author: Raja Grewal +Date: Mon Aug 5 15:06:34 2024 +1000 + + Enable `dev.tty.legacy_tiocsti=0` + +commit aa34d86598f5b846b007730104e4c99c59f9984d +Author: Raja Grewal +Date: Mon Aug 5 14:27:17 2024 +1000 + + Enable `slab_debug=FZ` + +commit fa9091869d417c6494840d0cb32623037d70c8be +Merge: 06f0c27 725118c +Author: Patrick Schleizer +Date: Sun Aug 4 16:20:36 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 725118c5759b45118bbd2804492526ea2a7c1a81 +Merge: 6d97408 6d211fa +Author: Patrick Schleizer +Date: Sun Aug 4 
16:19:52 2024 -0400 + + Merge pull request #243 from raja-grewal/namespaces + + Restrict unprivileged user namespaces + +commit 06f0c27128a66c1074f405de3139651519e48204 +Merge: 8abc5ae 6d97408 +Author: Patrick Schleizer +Date: Sun Aug 4 16:15:01 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e +Merge: 8abc5ae 6f14d68 +Author: Patrick Schleizer +Date: Sun Aug 4 16:11:46 2024 -0400 + + Merge pull request #255 from raja-grewal/SLUB + + Restore option to enable `slub_debug=FZ` + +commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c +Merge: de6f3ea eab66da +Author: Patrick Schleizer +Date: Sun Aug 4 16:09:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 +Merge: de6f3ea ca2179b +Author: Patrick Schleizer +Date: Sun Aug 4 16:08:32 2024 -0400 + + Merge pull request #254 from raja-grewal/patch + + Updates to kernel and `sysctl` hardening + +commit 6f14d68cdcad3784311e33029eba6906ea0784c2 +Author: Raja Grewal +Date: Sat Aug 3 15:12:15 2024 +1000 + + Update legacy name `slub_debug` -> `slab_debug` + +commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 +Author: Raja Grewal +Date: Sat Aug 3 15:11:14 2024 +1000 + + Add details about `slub_debug` + +commit b77d1a2b980ae20158aa628eec67b016282d0a40 +Author: Raja Grewal +Date: Sat Aug 3 14:49:48 2024 +1000 + + Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" + + This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. 
+ +commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e +Author: Raja Grewal +Date: Sat Aug 3 00:25:49 2024 +1000 + + Provide the option to disable legacy TIOCSTI operation + +commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 +Author: Raja Grewal +Date: Sat Aug 3 00:13:38 2024 +1000 + + Provide option to disable 32 bit vDSO mappings + +commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 +Author: Raja Grewal +Date: Sat Aug 3 00:12:50 2024 +1000 + + Provide option to enable the kernel Electric-Fence + +commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 +Author: Raja Grewal +Date: Sat Aug 3 00:11:06 2024 +1000 + + Add references to KSPP + +commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 +Author: Raja Grewal +Date: Sat Aug 3 00:09:42 2024 +1000 + + Add missing GRUB command lines for disabled boot parameters + +commit de6f3ea74a5a1408e4351c955ecb7010825364c5 +Author: Patrick Schleizer +Date: Sun Jul 28 20:50:22 2024 +0000 + + bumped changelog version + commit d036094089e3e3a74df981c50882481273fcb6c0 Merge: e60ce50 0f86fbd Author: Patrick Schleizer @@ -594,6 +765,12 @@ Date: Thu Jul 18 12:19:27 2024 +1000 Typos +commit 6d211faf591608ea6e7f484e8bc69dd567877abf +Author: Raja Grewal +Date: Thu Jul 18 11:04:54 2024 +1000 + + Restrict unprivileged user namespaces + commit b04828f858fa6d101099773d3156841fd6d33b6f Author: Raja Grewal Date: Thu Jul 18 11:01:41 2024 +1000 diff --git a/debian/changelog b/debian/changelog index 5d90f8d..50c5315 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 + security-misc (3:38.7-1) unstable; urgency=medium * New upstream version (local package). From debd7a7b7ae8b03e04d2c8597bcccf2c79000570 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 7 Aug 2024 13:33:44 +1000 Subject: [PATCH 1362/1650] Provide optional `sysctl fs.binfmt_misc.status=0` --- README.md | 5 +++-- usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d4dd706..96f8b14 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,9 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. -- Disallow registering interpreters for various (miscellaneous) binary formats based - on a magic number or their file extension to prevent unintended code execution. +- Provide the option to disallow registering interpreters for various (miscellaneous) + binary formats based on a magic number or their file extension to prevent + unintended code execution. - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 747ca67..4de859c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -206,8 +206,11 @@ vm.max_map_count=1048576 ## https://en.wikipedia.org/wiki/Binfmt_misc ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## https://github.com/Kicksecure/security-misc/pull/249 ## -fs.binfmt_misc.status=0 +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## +#fs.binfmt_misc.status=0 ## 3. Core Dumps: ## From ec3038c7bc625f6c8eddb753ffe295ff2697a717 Mon Sep 17 00:00:00 2001 
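Review bot: The new comment `The default kernel setting will be utilized until provided sufficient evidence to modify.` never says what that default is, which matters now that the line below it is disabled: binfmt_misc starts enabled (`status=1`), so any registered interpreter will run. I would state it: `## Kernel default is status=1 (binfmt_misc enabled); 0 disables all registered interpreters.` For anyone who re-enables the line it is also worth noting that `status` is a file of the binfmt_misc filesystem under /proc/sys/fs/binfmt_misc, so the key is only present once that filesystem is mounted (an automount on systemd); I have not verified the ordering against systemd-sysctl here.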
From: Raja Grewal Date: Wed, 7 Aug 2024 13:48:53 +1000 Subject: [PATCH 1363/1650] Clarify `secure_redirects` --- README.md | 5 ++--- usr/lib/sysctl.d/990-security-misc.conf | 13 +++++-------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 5e029c8..4c31d90 100644 --- a/README.md +++ b/README.md @@ -71,9 +71,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Enable reverse path filtering (source validation) of packets received from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. If - ICMP redirect messages are permitted, only do so from approved gateways. +- Disable ICMP redirect acceptance and redirect sending messages to prevent + man-in-the-middle attacks and minimize information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index ba33bae..9efb03a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -259,11 +259,14 @@ net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
+## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
+## Approving gateways requires the managing of a default gateway list.
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
 ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
 ## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+## https://github.com/Kicksecure/security-misc/pull/248
 ##
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
@@ -271,14 +274,8 @@ net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
-
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-## https://github.com/Kicksecure/security-misc/pull/248
-##
-net.ipv4.conf.all.secure_redirects=1
-net.ipv4.conf.default.secure_redirects=1
+#net.ipv4.conf.all.secure_redirects=1
+#net.ipv4.conf.default.secure_redirects=1
 
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
From 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 7 Aug 2024 14:01:49 +1000
Subject: [PATCH 1364/1650] Update docs regarding Intel module disabling

---
 README.md | 6 +++---
 etc/modprobe.d/30_security-misc_disable.conf | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

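Review bot: The new comment `If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).` leaves `approved` undefined; per the kernel's ip-sysctl documentation `secure_redirects` accepts a redirect only from a gateway already in the interface's default gateway list, and its default is TRUE, which is why the second hunk commenting out `secure_redirects=1` changes nothing in practice. Worth stating next to it that for a host that does not forward, `accept_redirects` is effective if either `conf/all` or `conf/<interface>` is 1, so anything that later writes a per-interface `accept_redirects=1` re-enables acceptance despite the `all`/`default` lines in this hunk; proposed wording: `## On non-forwarding hosts accept_redirects is enabled if either conf/all or conf/<interface> is 1, so a per-interface setting can override the lines below.` `Approving gateways requires the managing of a default gateway list.` reads awkwardly; `Approval is based on the interface's default gateway list.` says the same.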
diff --git a/README.md b/README.md index 331a5ce..0ed55ef 100644 --- a/README.md +++ b/README.md @@ -214,10 +214,10 @@ disabling should first be blacklisted for a suitable amount of time. Satellite Systems (GNSS). - Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as security, - power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 + between the Intel ME and the OS. May lead to breakages in places such as firmware + updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 -- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality +- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. - Network File Systems: Disable uncommon and legacy network file systems. diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c78ba2a..d6c5974 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -119,7 +119,8 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. ## ME functionality has increasing become more intertwined with basic Intel system operation. -## Disabling may lead to breakages in places such as security, power management, display, and DRM. +## Disabling may lead to breakages in numerous places without clear debugging/error messages. +## May cause issues with firmware updates, security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities 
@@ -140,7 +141,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc #install mei_wdt /usr/bin/disabled-intelme-by-security-misc #install microread_mei /usr/bin/disabled-intelme-by-security-misc -## Intel Platform Monitoring Technology Telemetry (PMT): +## Intel Platform Monitoring Technology (PMT) Telemetry: ## Disable some functionality of the Intel PMT components. ## ## https://github.com/intel/Intel-PMT From e98dc8c4f8af32dd3b10c034477fd2154df189ac Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 7 Aug 2024 14:14:47 +1000 Subject: [PATCH 1365/1650] Update notifications for disabled kernel modules --- usr/bin/disabled-bluetooth-by-security-misc | 4 ++-- usr/bin/disabled-cdrom-by-security-misc | 4 ++-- usr/bin/disabled-filesys-by-security-misc | 4 ++-- usr/bin/disabled-firewire-by-security-misc | 4 ++-- usr/bin/disabled-framebuffer-by-security-misc | 4 ++-- usr/bin/disabled-gps-by-security-misc | 4 ++-- usr/bin/disabled-intelme-by-security-misc | 4 ++-- usr/bin/disabled-intelpmt-by-security-misc | 4 ++-- usr/bin/disabled-miscellaneous-by-security-misc | 4 ++-- usr/bin/disabled-netfilesys-by-security-misc | 4 ++-- usr/bin/disabled-network-by-security-misc | 4 ++-- usr/bin/disabled-thunderbolt-by-security-misc | 4 ++-- 12 files changed, 24 insertions(+), 24 deletions(-) diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 5b6992d..d576b26 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 2bb8e4c..af27e08 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index fad544b..faffe58 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
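Review bot: The rewritten `echo` line keeps `$@` inside a larger double-quoted string (`... | args: $@" >&2`); within quotes `$@` still expands to separate words, so the surrounding text is glued to the first and last argument, and shellcheck flags it as SC2145 — with `echo` the printed result happens to be the same, but it is the wrong expansion for building one message. `$*` is the expansion that joins the arguments: `echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $*" >&2`. The same line shape appears in the other eleven scripts touched by this commit (disabled-cdrom, -filesys, -firewire, -framebuffer, -gps, -intelme, -intelpmt, -miscellaneous, -netfilesys, -network and -thunderbolt), so the change is one line per file.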
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index a7de567..4886755 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index dc0c9b8..2933f95 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This framebuffer kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 1122adc..51997c1 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 6eca99b..dc2bb72 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc 
@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc
index 3e9139a..76daa06 100755
--- a/usr/bin/disabled-intelpmt-by-security-misc
+++ b/usr/bin/disabled-intelpmt-by-security-misc
@@ -3,8 +3,8 @@
 ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc
index c75dc6e..6eff13c 100755
--- a/usr/bin/disabled-miscellaneous-by-security-misc
+++ b/usr/bin/disabled-miscellaneous-by-security-misc
@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc
index 60c0c22..8775acb 100755
--- a/usr/bin/disabled-netfilesys-by-security-misc
+++ b/usr/bin/disabled-netfilesys-by-security-misc
@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc
index 4b35716..a6a87db 100755
--- a/usr/bin/disabled-network-by-security-misc
+++ b/usr/bin/disabled-network-by-security-misc
@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc
index 03cf804..5bac656 100755
--- a/usr/bin/disabled-thunderbolt-by-security-misc
+++ b/usr/bin/disabled-thunderbolt-by-security-misc
@@ -3,8 +3,8 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2
+echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
From a5373afc55e789f4657f3d843243e878e4afffa2 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 7 Aug 2024 14:44:14 +1000
Subject: [PATCH 1366/1650] Details on disabled `fbdev` kernel modules
---
 README.md | 2 +-
 etc/modprobe.d/30_security-misc_disable.conf | 6 ++++--
 usr/bin/disabled-framebuffer-by-security-misc | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 0ed55ef..0ed1240 100644
--- a/README.md
+++ b/README.md
@@ -207,7 +207,7 @@ disabling should first be blacklisted for a suitable amount of time.
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
-- Framebuffer Drivers: Disabled as they are well-known to be buggy, cause
+- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
 kernel panics, and are generally only used by legacy devices.
 - GPS: Disable GPS-related modules such as those required for Global Navigation
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index d6c5974..3a72b0e 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -70,10 +70,12 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
-## Framebuffer Drivers:
-## Known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
 ## These were all previously blacklisted.
 ##
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
 ##
 install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc
index 2933f95..681bc40 100755
--- a/usr/bin/disabled-framebuffer-by-security-misc
+++ b/usr/bin/disabled-framebuffer-by-security-misc
@@ -5,6 +5,6 @@
 ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
-echo "$0: ALERT: This framebuffer kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
 exit 1
From e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:30:15 +1000
Subject: [PATCH 1367/1650] Typo
---
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 33f98fc..b526ee7 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
-## The default implementation is FIneIBT as of Linux kernel 6.2.
+## The default implementation is FineIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
 ## FineIBT may result in some performance benefits as it only performs checking at destinations.
From 0b0683499a6a21e3995a115c377eb19008bc4cd1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:30:39 +1000
Subject: [PATCH 1368/1650] Consistent line length formatting
---
 README.md | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 3c41728..500833c 100644
--- a/README.md
+++ b/README.md
@@ -305,13 +305,24 @@ See:
 ### Bluetooth Status: Enabled but Defaulted to Off
-- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth.
+- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel,
+ security-misc deviates from the usual behavior by starting with Bluetooth
+ turned off at system start. This setting remains until the user explicitly opts
+ to activate Bluetooth.
-- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands.
+- **User Control**: Users have the freedom to easily switch Bluetooth on and off
+ in the usual way, exercising their own discretion. This can be done via the
+ Bluetooth toggle through the usual way, that is either through GUI settings
+ application or command line commands.
-- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility.
+- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth
+ connections. This includes the use of private addresses and strict timeout
+ settings for discoverability and visibility.
-- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible.
+- **Security Considerations**: Despite these measures, it's important to note that
+ Bluetooth technology, by its nature, may still be prone to exploits due to its
+ history of security vulnerabilities. Thus, we recommend users to opt-out of
+ using Bluetooth when possible.
 ### Configuration Details
@@ -320,15 +331,25 @@ See:
 ### Understanding Bluetooth Terms
-- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way.
+- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module.
+ When disabled, Bluetooth is non-existent in the system - it cannot be seen, set,
+ configured, or interacted with in any way.
-- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules.
+- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on
+ Debian systems, Bluetooth is 'on' when the system boots up. It actively searches
+ for known devices to auto-connect and may be discoverable or visible under certain
+ conditions. Our default ensures that Bluetooth is off on startup. However, it
+ remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol
+ and has the necessary modules.
 ### Quick Toggle Guide
-- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second.
+- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings
+ application or on the tray, and switch the toggle. It's a straightforward action
+ that can be completed in less than a second.
-- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position.
+- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch
+ the toggle to the off position.
 ## Entropy collection improvements
From d8bcec881f66604e29d6e0c1426635e2ad4979f1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:33:32 +1000
Subject: [PATCH 1369/1650] Add some notices for future Debian 13 rebase
---
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b526ee7..b813b48 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -172,6 +172,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
 ##
+## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 0b46477..1194489 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -130,10 +130,12 @@ kernel.randomize_va_space=2
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
-## This is disabled by default when using Linux kernel >= 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## TODO: Debian 13 Trixie
+## This is disabled by default when using Linux kernel >= 6.2.
+##
 dev.tty.legacy_tiocsti=0
 ## Disable asynchronous I/O for all processes.
@@ -146,6 +148,7 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
+## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
 ##
 kernel.io_uring_disabled=2
From 077bc48a26d1d3f5d1f758d7e251edccba64742b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:35:33 +1000
Subject: [PATCH 1370/1650] Add reference on `rp_filter`
---
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 1194489..800e626 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -275,6 +275,7 @@ net.ipv4.tcp_rfc1337=1
 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
 ## https://seclists.org/oss-sec/2019/q4/122
 ##
From 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:36:47 +1000
Subject: [PATCH 1371/1650] Add reference on RDRAND
---
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b813b48..8a90108 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -221,6 +221,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 ##
 ## https://en.wikipedia.org/wiki/RDRAND#Reception
 ## https://systemd.io/RANDOM_SEEDS/
+## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
 ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
 ## https://x.com/pid_eins/status/1149649806056280069
 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
From 3456f1c1d7725846ec201c28dd693bf9b07bab89 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 13:39:25 +1000
Subject: [PATCH 1372/1650] Minor consistency update in README.md
---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 500833c..df451f4 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,8 @@ space, user space, core dumps, and swap space.
 enables programs to inspect and modify other active processes. Provide the
 option to entirely disable the use of `ptrace()` for all processes.
+- Maximize the bits of entropy used for mmap ASLR across all architectures.
+
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
 - Disallow unintentional writes to files in world-writable directories unless
@@ -146,6 +148,8 @@ configuration file.
 - Provide the option to modify machine check exception handler.
+- Disallow sensitive kernel information leaks in the console during boot.
+
 - Enable the kernel Electric-Fence sampling-based memory safety error detector
 which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
@@ -169,9 +173,6 @@ configuration file.
 - Provide the option to disable the entire IPv6 stack to reduce attack surface.
-Disallow sensitive kernel information leaks in the console during boot. See
-the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
-
 ### Kernel Modules
 #### Kernel Module Signature Verification
From f8fa89b245d929aee9884937fdcf44a6551df4cf Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 14:21:59 +1000
Subject: [PATCH 1373/1650] Add details on `tcp_timestamps`
---
 usr/lib/sysctl.d/990-security-misc.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 800e626..481f463 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -347,9 +347,14 @@ net.ipv6.conf.default.accept_ra=0
 #net.ipv4.tcp_dsack=0
 ## Disable TCP timestamps to limit device fingerprinting via system time.
+## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers.
+## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap.
+## Segments with wrapped numbers will be incorrectly discarded, reducing network performance.
 ##
+## https://datatracker.ietf.org/doc/html/rfc1323
 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
+## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
 ##
 net.ipv4.tcp_timestamps=0
From 73db68dbf9a1f9ded95a593db36a4960ce06a173 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 9 Aug 2024 14:27:30 +1000
Subject: [PATCH 1374/1650] Add details on KFENCE
---
 etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 8a90108..aa55e94 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -127,10 +127,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
 ## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
-## Aims to have very low processing overhead at each sampling interval
+## Aims to have very low processing overhead at each sampling interval.
 ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
 ##
 ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+## https://google.github.io/kernel-sanitizers/KFENCE.html
+## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
+## https://lwn.net/Articles/835542/
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
From 326d82a9beee130956dd817812016a6ee16fccbc Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 15 Aug 2024 11:46:56 +1000
Subject: [PATCH 1375/1650] Revert "Provide optional `sysctl fs.binfmt_misc.status=0`"
This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570.
---
 README.md | 5 ++---
 usr/lib/sysctl.d/990-security-misc.conf | 5 +----
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 96f8b14..d4dd706 100644
--- a/README.md
+++ b/README.md
@@ -57,9 +57,8 @@ space, user space, core dumps, and swap space.
 - Increase the maximum number of memory map areas a process is able to utilize.
-- Provide the option to disallow registering interpreters for various (miscellaneous)
-binary formats based on a magic number or their file extension to prevent
-unintended code execution.
+- Disallow registering interpreters for various (miscellaneous) binary formats based
+on a magic number or their file extension to prevent unintended code execution.
 - Disable core dump files and prevent their creation. If core dump files are
 enabled, they will be named based on `core.PID` instead of the default `core`.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 4de859c..747ca67 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -206,11 +206,8 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
-## https://github.com/Kicksecure/security-misc/pull/249
 ##
-## The default kernel setting will be utilized until provided sufficient evidence to modify.
-##
-#fs.binfmt_misc.status=0
+fs.binfmt_misc.status=0
 ## 3. Core Dumps:
 ##
From b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 15 Aug 2024 11:54:21 +1000
Subject: [PATCH 1376/1650] Add references on `fs.binfmt_misc.status`
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 747ca67..7df6f03 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -206,6 +206,10 @@ vm.max_map_count=1048576
 ## https://en.wikipedia.org/wiki/Binfmt_misc
 ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
+## https://github.com/Kicksecure/security-misc/pull/249
+##
+## KSPP=yes
+## KSPP does not set CONFIG_BINFMT_MISC.
 ##
 fs.binfmt_misc.status=0
From 4bc12b07b42def786862b938e3f63c18cf874158 Mon Sep 17 00:00:00 2001
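Review bot: Uncommenting `fs.binfmt_misc.status=0` in the revert hunk turns a documented option into an enforced default, but the comment block above it no longer tells an operator what this breaks. Per the README hunk in the same patch the setting disallows registering interpreters for binary formats, so anything that depends on such registrations (presumably packages that install entries through binfmt-support or systemd-binfmt, such as user-mode emulation wrappers — confirm against the target images) will stop launching files by magic number or extension. A caveat like `## Breaks software that relies on binfmt_misc interpreter registrations; override in a later-sorted sysctl.d file to re-enable.` would make the trade-off visible where it is enforced. It is also worth confirming that `/proc/sys/fs/binfmt_misc/status` exists when systemd-sysctl runs on the target systems, since a write to a not-yet-mounted binfmt_misc filesystem is logged as a failure rather than applied.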
From: Patrick Schleizer
Date: Thu, 15 Aug 2024 17:51:18 +0000
Subject: [PATCH 1377/1650] bumped changelog version
---
 changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 52 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 81a58c9..7bab75d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,31 @@
+commit 9e61e37c17524b57f185b796f2ac19ba193205a8
+Merge: 89e816d dfd1c97
+Author: Patrick Schleizer
+Date: Thu Aug 15 13:47:33 2024 -0400
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit dfd1c97168249b229495cbd873d4d8493e244663
+Merge: 89e816d ec3038c
+Author: Patrick Schleizer
+Date: Thu Aug 15 13:46:30 2024 -0400
+
+ Merge pull request #248 from raja-grewal/secure_redirects
+
+ Re-enable (default) `secure_redirects` for ICMP redirect messages
+
+commit ec3038c7bc625f6c8eddb753ffe295ff2697a717
+Author: Raja Grewal
+Date: Wed Aug 7 13:48:53 2024 +1000
+
+ Clarify `secure_redirects`
+
+commit 89e816dda6c5a00512b276071c4d9fe108ee63b5
+Author: Patrick Schleizer
+Date: Tue Aug 6 14:01:39 2024 +0000
+
+ bumped changelog version
+
 commit 967f9e257b09bc73ddb579292d507f7cb9832643
 Merge: fa90918 a25aaf9
 Author: Patrick Schleizer
@@ -65,6 +93,12 @@ Date: Mon Aug 5 14:27:17 2024 +1000
 Enable `slab_debug=FZ`
+commit 4f7f82016015f61002ac8f778b61968c572dc7dc
+Author: Raja Grewal
+Date: Mon Aug 5 14:16:33 2024 +1000
+
+ Add reference
+
 commit fa9091869d417c6494840d0cb32623037d70c8be
 Merge: 06f0c27 725118c
 Author: Patrick Schleizer
@@ -197,6 +231,12 @@ Date: Sat Jul 27 12:13:18 2024 -0400
 output
+commit 144545762674e914046bb94100237329320e8ece
+Author: Raja Grewal
+Date: Sat Jul 27 14:00:30 2024 +1000
+
+ Show details regarding `secure_redirects` (again)
+
 commit 73979d4342dae2017be52d5182bb66fa28be398d
 Author: Raja Grewal
 Date: Sat Jul 27 13:28:59 2024 +1000
@@ -601,6 +641,12 @@ Date: Wed Jul 24 09:13:48 2024 -0400
 Merge remote-tracking branch 'ben-grande/fuzz'
+commit 88c88187f2909322211cc08598717068ea7cf1d1
+Author: Raja Grewal
+Date: Wed Jul 24 17:26:50 2024 +1000
+
+ Re-enable (default) `secure_redirects` for ICMP redirect messages
+
 commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f
 Author: Ben Grande
 Date: Tue Jul 23 19:36:12 2024 +0200
diff --git a/debian/changelog b/debian/changelog
index 50c5315..9f574d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:38.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000
+
 security-misc (3:38.8-1) unstable; urgency=medium
 * New upstream version (local package).
From e3a3207a4447568a17129afe9dde34debc465e21 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 16 Aug 2024 12:41:36 +1000
Subject: [PATCH 1378/1650] Clarify DMA hardening
---
 README.md | 7 +++++--
 etc/default/grub.d/40_kernel_hardening.cfg | 12 +++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b1c0a89..e8e3083 100644
--- a/README.md
+++ b/README.md
@@ -161,8 +161,11 @@ configuration file.
 - Provide the option to disable support for all x86 processes and syscalls to
 reduce attack surface (when using Linux kernel version >= 6.7).
-- Enable strict IOMMU translation to protect against DMA attacks and disable
-the busmaster bit on all PCI bridges during the early boot process.
+- Enable strict IOMMU translation to protect against some DMA attacks via the use
+of both CPU manufacturer-specific drivers and kernel settings.
+
+- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
+DMA before the IOMMU is configured. May cause boot failure on certain hardware.
 - Do not credit the CPU or bootloader as entropy sources at boot in order to
 maximize the absolute quantity of entropy in the combined pool.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index aa55e94..b6cc9df 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -184,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
-## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
+## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
-## Enable and force use of IOMMU translation to protect against DMA attacks.
+## Enable and force use of IOMMU translation to protect against some DMA attacks.
 ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
 ## Ensures devices will never be able to access stale data contents.
 ##
@@ -201,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
-## Disable the busmaster bit on all PCI bridges during the early boot process.
-## Patches weak points in some existing IOMMU implementations.
-## May lead to issues such as complete system boot failure on certain devices.
+## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
+## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
+## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
+## Assumes that the motherboard chipset and firmware are not malicious.
+## May cause complete boot failure on certain hardware with incompatible firmware.
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 ## https://mjg59.dreamwidth.org/54433.html
From 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 16 Aug 2024 12:46:51 +1000
Subject: [PATCH 1379/1650] Simplify syntax of some network-related `sysctl`'s
---
 usr/lib/sysctl.d/990-security-misc.conf | 30 +++++++++----------------
 1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 8e49235..f6b49f0 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -275,8 +275,7 @@ net.ipv4.tcp_rfc1337=1
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
 ## https://seclists.org/oss-sec/2019/q4/122
 ##
-net.ipv4.conf.all.rp_filter=1
-net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.*.rp_filter=1
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
@@ -289,14 +288,10 @@ net.ipv4.conf.default.rp_filter=1
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ## https://github.com/Kicksecure/security-misc/pull/248
 ##
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-#net.ipv4.conf.all.secure_redirects=1
-#net.ipv4.conf.default.secure_redirects=1
+net.ipv4.conf.*.accept_redirects=0
+net.ipv4.conf.*.send_redirects=0
+net.ipv6.conf.*.accept_redirects=0
+#net.ipv4.conf.*.secure_redirects=1
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
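Review bot: The new glob keys such as `net.ipv4.conf.*.rp_filter=1` are not a pure syntax simplification of the `all`/`default` pairs they replace: systemd-sysctl expands the pattern against every entry present under the `conf` directory at apply time, so besides `all` and `default` it now also writes to `lo` and to any interface that already exists when the file is applied, which is a behaviour change the surrounding comment blocks do not mention (the same applies to the redirects hunk on this line and to the source_route, accept_ra, log_martians and use_tempaddr hunks on the next line). A note such as `## Glob keys are expanded by systemd-sysctl against all interfaces present at apply time.` next to the first glob would make that explicit. If this file is ever applied with procps `sysctl --system` rather than systemd-sysctl, confirm that the installed procps version expands glob keys, since a version that treats `*` literally would log a lookup error and skip the setting. The commented-out `#net.ipv4.conf.*.secure_redirects=1` remains inert, so its semantics are unchanged.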
@@ -316,15 +311,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1 ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing ## -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv6.conf.all.accept_source_route=0 -net.ipv6.conf.default.accept_source_route=0 +net.ipv4.conf.*.accept_source_route=0 +net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements and solicitations. ## -net.ipv6.conf.all.accept_ra=0 -net.ipv6.conf.default.accept_ra=0 +net.ipv6.conf.*.accept_ra=0 ## Disable SACK and DSACK. ## Select acknowledgements (SACKs) are a known common vector of exploitation. @@ -362,8 +354,7 @@ net.ipv4.tcp_timestamps=0 ## ## The logging of martian packets is currently disabled. ## -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +#net.ipv4.conf.*.log_martians=1 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. ## The temporary/privacy address is used as the source for all outgoing traffic. @@ -379,5 +370,4 @@ net.ipv4.tcp_timestamps=0 ## ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## -#net.ipv6.conf.all.use_tempaddr=2 -#net.ipv6.conf.default.use_tempaddr=2 +#net.ipv6.conf.*.use_tempaddr=2 From 9212a4e93754a4505be3fcf0ff4b029c073d2f07 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:12:07 +1000 Subject: [PATCH 1380/1650] Typos --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e8e3083..5d81c69 100644 --- a/README.md +++ b/README.md 
@@ -145,9 +145,9 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify machine check exception handler. +- Provide the option to modify the machine check exception handler. -- Disallow sensitive kernel information leaks in the console during boot. +- Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b72fa90..a245693 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -349,7 +349,7 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. -## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers. +## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. ## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. ## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## From a13298002350a39491a509d15633edb95a2e3edd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:24:25 +1000 Subject: [PATCH 1381/1650] Update README.md --- README.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 5d81c69..81f3ca7 100644 --- a/README.md +++ b/README.md 
@@ -42,19 +42,19 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Provide the option to reboot immediately - on a kernel panic. + certain kernel exploitation attempts. Optional - Force immediate reboot on the + occurrence of a kernel panic. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -- Disable asynchronous I/O as `io_uring` has been the source - of numerous kernel exploits (when using Linux kernel version >= 6.6). +- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been + the source of numerous kernel exploits. - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the - option to entirely disable the use of `ptrace()` for all processes. + enables programs to inspect and modify other active processes. Optional - Disable + usage of `ptrace()` by all processes. - Maximize the bits of entropy used for mmap ASLR across all architectures. 
@@ -91,15 +91,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. -- Provide the option to disable SACK and DSACK as they have historically been - a known vector for exploitation. +- Optional - Disable SACK and DSACK as they have historically been a known + vector for exploitation. - Disable TCP timestamps as they can allow detecting the system time. -- Provide the option to log packets with impossible source or destination - addresses to enable further inspection and analysis. +- Optional - Log packets with impossible source or destination addresses to + enable further inspection and analysis. -- Provide the option to enable IPv6 Privacy Extensions. +- Optional - Enable IPv6 Privacy Extensions. ### mmap ASLR @@ -145,7 +145,7 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify the machine check exception handler. +- Optional - Modify the machine check exception handler. - Prevent sensitive kernel information leaks in the console during boot. 
@@ -154,12 +154,12 @@ configuration file. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Provide the option to use kCFI as the default CFI implementation since it may be - slightly more resilient to attacks that are able to write arbitrary executables - in memory (when using Linux kernel version >= 6.2). +- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) + since it may be slightly more resilient to attacks that are able to write + arbitrary executables in memory. -- Provide the option to disable support for all x86 processes and syscalls to reduce - attack surface (when using Linux kernel version >= 6.7). +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. @@ -173,7 +173,7 @@ configuration file. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. -- Provide the option to disable the entire IPv6 stack to reduce attack surface. +- Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules From 84376d23fc17d2ced890ffca0b05d15907d42a6f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:39:11 +1000 Subject: [PATCH 1382/1650] Add details on ASLR and move to user space section --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 81f3ca7..1d869a1 100644 --- a/README.md +++ b/README.md 
@@ -45,8 +45,6 @@ space, user space, core dumps, and swap space. certain kernel exploitation attempts. Optional - Force immediate reboot on the occurrence of a kernel panic. -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been @@ -63,6 +61,8 @@ space, user space, core dumps, and swap space. - Disallow unintentional writes to files in world-writable directories unless they are owned by the directory owner to mitigate some data spoofing attacks. +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. + - Increase the maximum number of memory map areas a process is able to utilize. - Disable core dump files and prevent their creation. If core dump files are diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a245693..39aa63c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -120,13 +120,6 @@ kernel.perf_event_paranoid=3 #kernel.panic_on_oops=1 #kernel.panic=-1 -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -kernel.randomize_va_space=2 - ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. 
@@ -205,6 +198,15 @@ fs.protected_symlinks=1 fs.protected_fifos=2 fs.protected_regular=2 +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Forces shared libraries to be loaded to random addresses +## Start location of PIE-linked binaries is randomized. +## Heap randomization can lead to breakages with legacy applications. +## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + ## Increase the maximum number of memory map areas a process is permitted to utilize. ## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. From cea8e753786d100ebe961ad74a99925e54d47771 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 14:55:22 +1000 Subject: [PATCH 1383/1650] Consistent formating --- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 3 +-- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index b61a762..0400ad1 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -10,9 +10,8 @@ ## Instead, ram-wipe will config-package-dev 'hide' this file. ## Disables kexec, which can be used to replace the running kernel. -## Kexec is useful for live kernel patching without rebooting. +## Useful for live kernel patching without rebooting. ## -## For more information, see: ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 0d5e4aa..f8baa3f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
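Review bot: The relocated comment block contains a line without a terminating full stop, `## Forces shared libraries to be loaded to random addresses`, which is the only such line in the file; make it `## Forces shared libraries to be loaded to random addresses.`. Since the block already warns that heap randomization can break legacy applications, it would help to say which value controls that, e.g. `## Value 1 randomizes mmap base, stack and VDSO only; 2 additionally randomizes the heap (brk).` so a reader who needs to relax the setting knows to use 1 rather than 0.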
@@ -2,10 +2,9 @@ ## See the file COPYING for copying conditions. ## Prevent kernel information leaks in the console during boot. -## Must be used in combination with the kernel boot parameters. +## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -## For more information, refer to: ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## kernel.printk=3 3 3 3 From e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 16 Aug 2024 08:38:12 +0000 Subject: [PATCH 1384/1650] bumped changelog version --- changelog.upstream | 241 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 247 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7bab75d..7c57922 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,94 @@ +commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b +Merge: 12296c6 305467c +Author: Patrick Schleizer +Date: Fri Aug 16 04:30:29 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 305467c652af933bb5aa5a677b10a992a5f19cab +Merge: 12296c6 a5373af +Author: Patrick Schleizer +Date: Fri Aug 16 04:25:43 2024 -0400 + + Merge pull request #245 from raja-grewal/blacklist_to_disable + + Update `/etc/modprobe.d/*` + +commit 12296c68dc0aaa3703e1c36f854a02de8db412fe +Merge: 4bc12b0 036bcea +Author: Patrick Schleizer +Date: Fri Aug 16 04:22:43 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 036bcea4e6757de094fcafdadcf56aaa90729d79 +Merge: ef60c5b 81bf7a8 +Author: Patrick Schleizer +Date: Fri Aug 16 04:20:32 2024 -0400 + + Merge pull request #262 from raja-grewal/docs + + Miscellaneous updates to presentation + +commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f +Merge: cea8e75 ef60c5b +Author: raja-grewal +Date: Fri Aug 16 16:57:01 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 +Merge: 4bc12b0 b552b92 +Author: Patrick Schleizer +Date: Fri Aug 16 02:43:57 2024 -0400 + + Merge pull request #249 from raja-grewal/binfmt_misc + + Disallow registering interpreters for miscellaneous binary formats + +commit cea8e753786d100ebe961ad74a99925e54d47771 +Author: Raja Grewal +Date: Fri Aug 16 14:55:22 2024 +1000 + + Consistent formating + +commit 84376d23fc17d2ced890ffca0b05d15907d42a6f +Author: Raja Grewal +Date: Fri Aug 16 13:39:11 2024 +1000 + + Add details on ASLR and move to user space section + +commit a13298002350a39491a509d15633edb95a2e3edd +Author: Raja Grewal +Date: Fri Aug 16 13:24:25 2024 +1000 + + Update README.md + +commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 +Author: Raja Grewal +Date: Fri Aug 16 13:12:07 2024 +1000 + + Typos + +commit e3a3207a4447568a17129afe9dde34debc465e21 +Author: Raja Grewal +Date: Fri Aug 16 12:41:36 2024 +1000 + + 
Clarify DMA hardening + +commit be9308e490f79a7b7788a744524d1d91cc870726 +Merge: 73db68d 4bc12b0 +Author: raja-grewal +Date: Fri Aug 16 11:45:43 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit 4bc12b07b42def786862b938e3f63c18cf874158 +Author: Patrick Schleizer +Date: Thu Aug 15 17:51:18 2024 +0000 + + bumped changelog version + commit 9e61e37c17524b57f185b796f2ac19ba193205a8 Merge: 89e816d dfd1c97 Author: Patrick Schleizer 
@@ -14,12 +105,98 @@ Date: Thu Aug 15 13:46:30 2024 -0400 Re-enable (default) `secure_redirects` for ICMP redirect messages +commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 +Author: Raja Grewal +Date: Thu Aug 15 11:54:21 2024 +1000 + + Add references on `fs.binfmt_misc.status` + +commit 326d82a9beee130956dd817812016a6ee16fccbc +Author: Raja Grewal +Date: Thu Aug 15 11:46:56 2024 +1000 + + Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" + + This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. + +commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 +Author: Raja Grewal +Date: Fri Aug 9 14:27:30 2024 +1000 + + Add details on KFENCE + +commit f8fa89b245d929aee9884937fdcf44a6551df4cf +Author: Raja Grewal +Date: Fri Aug 9 14:21:59 2024 +1000 + + Add details on `tcp_timestamps` + +commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 +Author: Raja Grewal +Date: Fri Aug 9 13:39:25 2024 +1000 + + Minor consistency update in README.md + +commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 +Author: Raja Grewal +Date: Fri Aug 9 13:36:47 2024 +1000 + + Add reference on RDRAND + +commit 077bc48a26d1d3f5d1f758d7e251edccba64742b +Author: Raja Grewal +Date: Fri Aug 9 13:35:33 2024 +1000 + + Add reference on `rp_filter` + +commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 +Author: Raja Grewal +Date: Fri Aug 9 13:33:32 2024 +1000 + + Add some notices for future Debian 13 rebase + +commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 +Author: Raja Grewal +Date: Fri Aug 9 13:30:39 2024 +1000 + + Consistent line length formatting + +commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 +Author: Raja Grewal +Date: Fri Aug 9 13:30:15 2024 +1000 + + Typo + +commit a5373afc55e789f4657f3d843243e878e4afffa2 +Author: Raja Grewal +Date: Wed Aug 7 14:44:14 2024 +1000 + + Details on disabled `fbdev` kernel modules + +commit e98dc8c4f8af32dd3b10c034477fd2154df189ac +Author: Raja Grewal +Date: Wed Aug 7 14:14:47 2024 +1000 + + Update notifications for disabled kernel modules + +commit 
50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 +Author: Raja Grewal +Date: Wed Aug 7 14:01:49 2024 +1000 + + Update docs regarding Intel module disabling + commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 Author: Raja Grewal Date: Wed Aug 7 13:48:53 2024 +1000 Clarify `secure_redirects` +commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 +Author: Raja Grewal +Date: Wed Aug 7 13:33:44 2024 +1000 + + Provide optional `sysctl fs.binfmt_misc.status=0` + commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 Author: Patrick Schleizer Date: Tue Aug 6 14:01:39 2024 +0000 @@ -219,6 +396,24 @@ Date: Sun Jul 28 15:43:54 2024 -0400 Disable the usage of `ptrace()` by all processes +commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 +Author: Raja Grewal +Date: Sun Jul 28 22:04:30 2024 +1000 + + Typo + +commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe +Author: Raja Grewal +Date: Sun Jul 28 22:03:33 2024 +1000 + + Typo + +commit 9fbee9fc82768c3b436307459d174378ee471335 +Author: Raja Grewal +Date: Sun Jul 28 21:57:25 2024 +1000 + + Clarify + commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 Author: Patrick Schleizer Date: Sat Jul 27 16:13:35 2024 +0000 @@ -325,6 +520,13 @@ Date: Fri Jul 26 10:16:20 2024 -0400 use `find` with `safe_echo_nonewline` +commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 +Merge: 28b25bd 6bbf176 +Author: raja-grewal +Date: Sat Jul 27 00:09:30 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c Author: Patrick Schleizer Date: Fri Jul 26 09:33:45 2024 -0400 @@ -480,6 +682,12 @@ Date: Thu Jul 25 12:20:16 2024 +0200 Unduplicate stat call +commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 +Author: Raja Grewal +Date: Thu Jul 25 15:51:32 2024 +1000 + + Partial inclusion of GrapheneOS infrastructure blacklist + commit ed3336694ce35614ab47db42bce29d3c69d46752 Author: Raja Grewal Date: Thu Jul 25 10:28:27 2024 +1000 
@@ -492,6 +700,12 @@ Date: Thu Jul 25 10:26:23 2024 +1000 Add documentation on `sysctl kernel.panic_on_oops=1` +commit f699eb02a27ef54b9ced5866447b63152984af66 +Author: Raja Grewal +Date: Thu Jul 25 10:11:33 2024 +1000 + + Set `sysctl fs.binfmt_misc.status=0` + commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 Author: Patrick Schleizer Date: Wed Jul 24 13:31:49 2024 -0400 @@ -689,6 +903,13 @@ Date: Mon Jul 22 17:26:00 2024 +1000 Add option to switch (back) to using kCFI in the future +commit f582e543434ba20a2fb7f7300058f7c8a7d62878 +Merge: a189956 d2563ed +Author: raja-grewal +Date: Mon Jul 22 15:12:00 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + commit d2563ed92317a029340dbb83f30da008b01325f2 Author: Patrick Schleizer Date: Sun Jul 21 10:40:14 2024 +0000 @@ -722,6 +943,26 @@ Date: Sat Jul 20 12:57:56 2024 -0400 postqueue matchwhitelist postdrop matchwhitelist +commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 +Author: Raja Grewal +Date: Sat Jul 20 20:11:09 2024 +1000 + + Typo + +commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 +Author: Raja Grewal +Date: Sat Jul 20 15:03:21 2024 +1000 + + Disable some legacy drivers + These were all previously blacklisted for over 2 years. + +commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 +Author: Raja Grewal +Date: Sat Jul 20 14:55:10 2024 +1000 + + Disable legacy framebuffer drivers + These were all previously blacklisted for over 2 years. + commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe Author: Patrick Schleizer Date: Fri Jul 19 07:20:59 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 9f574d5..2bc634a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 + security-misc (3:38.9-1) unstable; urgency=medium * New upstream version (local package). From fae586c3c5e8382ca01c60f810b26d88189a5514 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 16 Aug 2024 19:23:48 +1000 Subject: [PATCH 1385/1650] Patch bug in existing `rp_filter` `sysctl` --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f6b49f0..1e675ca 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -270,12 +270,15 @@ net.ipv4.tcp_rfc1337=1 ## Enable reverse path filtering (source validation) of packets received from all interfaces. ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. +## The second "default" command fixes a bug in the existing kernel implementation. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 +## https://github.com/Kicksecure/security-misc/pull/261 ## net.ipv4.conf.*.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. From 759aee8150a2d1258d73217c071b25432d47496f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 22:54:57 +1000 Subject: [PATCH 1386/1650] Provide option to disable user namespaces --- README.md | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index da9254a..4644c6a 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ space, user space, core dumps, and swap space. can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. + privilege escalation. Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. 
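Review bot: The added comment `## The second "default" command fixes a bug in the existing kernel implementation.` does not say what the bug is, so the next person tidying this file will see an apparently redundant line (the glob on its face already matches `default`) and remove it again. The comment should name the mechanism, along the lines of `## The glob is only expanded against entries present when systemd-sysctl runs; "default", which seeds interfaces created later, is set explicitly so the hardened value is kept.`, adjusted to whatever PR #261 actually established — from the symptom it looks more like glob handling in the sysctl tooling than a kernel bug. If the glob really does miss `default`, the other wildcard keys introduced together with `rp_filter` (`accept_redirects`, `send_redirects`, `accept_source_route`, `accept_ra`) have the same gap, and this commit only patches one of them. An explicit `all` line would be a cheap addition too, since for `rp_filter` the kernel uses the maximum of the `all` and per-interface values.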
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..f576dbc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -93,11 +93,16 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## Uncomment the second sysctl to entirely disable user namespaces. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## +## KSPP=partial +## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## kernel.unprivileged_userns_clone=0 +#user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. From 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 17 Aug 2024 01:06:21 +1000 Subject: [PATCH 1387/1650] Include KSPP compliance notices --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 +++ etc/default/grub.d/40_kernel_hardening.cfg | 48 +++++++++++++++++++ etc/default/grub.d/40_signed_modules.cfg | 8 +++- .../30_security-misc_kexec-disable.conf | 3 ++ usr/lib/sysctl.d/990-security-misc.conf | 48 +++++++++++++++++++ 5 files changed, 112 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 99eee7d..486b63b 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
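Review bot: The new `#user.max_user_namespaces=0` is a much blunter control than the `kernel.unprivileged_userns_clone=0` above it, and the comment `## Uncomment the second sysctl to entirely disable user namespaces.` should say so: the limit is enforced for every caller, including root and anything holding CAP_SYS_ADMIN, so container runtimes, browser and Flatpak sandboxes, and systemd units relying on user-namespace isolation fail outright rather than merely losing the unprivileged path. Suggest adding `## Unlike unprivileged_userns_clone, max_user_namespaces=0 also blocks privileged (CAP_SYS_ADMIN) callers; expect container runtimes and sandboxed applications to break.`. It would also be worth noting that `kernel.unprivileged_userns_clone` is a Debian/Ubuntu kernel-patch sysctl rather than an upstream one, which is presumably why KSPP lists only `user.max_user_namespaces` and why the tag here is `KSPP=partial`.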
@@ -13,6 +13,9 @@ ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. ## +## KSPP=yes +## KSPP sets the kernel parameters. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. @@ -24,6 +27,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 ## +## KSPP=yes +## KSPP sets the kernel parameter. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b6cc9df..35472ba 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -27,6 +27,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 ## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 ## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. @@ -39,6 +42,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## +## KSPP=yes +## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time. 
@@ -47,6 +53,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef ## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" @@ -58,6 +67,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. @@ -65,6 +77,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Enable randomization of the kernel stack offset on syscall entries. @@ -74,6 +89,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## https://lkml.org/lkml/2019/3/18/246 ## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. 
@@ -82,6 +100,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" ## https://lwn.net/Articles/446528/ ## https://en.wikipedia.org/wiki/VDSO ## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Restrict access to debugfs by not registering the file system. @@ -98,6 +119,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## +## KSPP=yes +## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" @@ -135,6 +159,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 ## https://lwn.net/Articles/835542/ ## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. @@ -143,6 +170,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ ## https://lists.openwall.net/linux-kernel/2014/03/11/3 ## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. 
@@ -165,6 +195,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## +## KSPP=yes +## KSPP sets the kernel parameter. +## ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## @@ -175,6 +208,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## +## KSPP=yes +## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. +## ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## @@ -186,6 +222,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. ## +## KSPP=yes +## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" @@ -197,6 +236,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## https://en.wikipedia.org/wiki/DMA_attack ## https://lenovopress.lenovo.com/lp1467.pdf ## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" 
@@ -210,6 +252,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://mjg59.dreamwidth.org/54433.html ## +## KSPP=yes +## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## 3. Entropy: @@ -234,6 +279,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 9a6a101..5e6fce7 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -9,6 +9,9 @@ ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 ## https://github.com/dell/dkms/issues/359 ## +## KSPP=yes +## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. +## ## Not enabled by default yet due to several issues. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" 
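Review bot: The notice in the last hunk of 40_kernel_hardening.cfg contradicts itself: it is tagged `## KSPP=yes` yet states `## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.` directly above lines that set `random.trust_bootloader=off` and `random.trust_cpu=off`, the opposite of what the sentence attributes to KSPP. Either this file deliberately diverges from KSPP here and the tag should be `KSPP=no` (or `partial`) with a sentence on why the CPU and bootloader seeds are distrusted, or the attributed Kconfig values are wrong and should be checked against the current KSPP recommended-settings page; as written a reader cannot tell which. The same `KSPP=yes` tag is applied in 40_signed_modules.cfg to settings that are commented out (`module.sig_enforce=1`, `lockdown=confidentiality`), so a short definition in the file header of what `yes` and `partial` mean — the recommendation, or this file's compliance with it — would remove the ambiguity.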
@@ -18,7 +21,10 @@ ## ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 ## -## ## Not enabled by default yet due to several issues. +## KSPP=yes +## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. +## +## Not enabled by default yet due to several issues. ## #if dpkg --compare-versions "${kver}" ge "5.4"; then # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 0400ad1..eb785cc 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -14,4 +14,7 @@ ## ## https://en.wikipedia.org/wiki/Kexec ## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..3bd7ea1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -31,11 +31,17 @@ ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## +## KSPP=yes +## KSPP sets the sysctl. +## kernel.kptr_restrict=2 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## +## KSPP=yes +## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. +## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. @@ -52,6 +58,9 @@ kernel.dmesg_restrict=1 ## ## https://en.wikipedia.org/wiki/EBPF#Security ## +## KSPP=yes +## KSPP sets the sysctls. +## kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 
@@ -61,6 +70,9 @@ net.core.bpf_jit_harden=2
 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
 ## https://lkml.org/lkml/2019/4/15/890
 ##
+## KSPP=yes
+## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.
+##
 dev.tty.ldisc_autoload=0
 
 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
@@ -69,6 +81,9 @@ dev.tty.ldisc_autoload=0
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
 ## https://duasynt.com/blog/linux-kernel-heap-spray
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 vm.unprivileged_userfaultfd=0
 
 ## Disables kexec, which can be used to replace the running kernel.
@@ -78,6 +93,9 @@ vm.unprivileged_userfaultfd=0
 ##
 ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 #kernel.kexec_load_disabled=1
 
 ## Disable the SysRq key to prevent leakage of kernel information.
@@ -87,6 +105,9 @@ vm.unprivileged_userfaultfd=0
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
+## KSPP=yes
+## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
+##
 kernel.sysrq=0
 
 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
@@ -106,6 +127,9 @@ kernel.unprivileged_userns_clone=0
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.perf_event_paranoid=3
 
 ## Force the kernel to panic on "oopses".
@@ -115,6 +139,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.panic_on_oops=1
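Review bot: The added line `+## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.` in the first hunk is missing a conjunction and reads as two statements run together. The sibling annotations in this file (for example the kexec hunk further down) use the form `KSPP sets the sysctl and does not set ...`. Suggest `## KSPP sets the sysctl and does not set CONFIG_LDISC_AUTOLOAD.` so the wording is consistent across entries.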
@@ -126,6 +153,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
+##
 ## TODO: Debian 13 Trixie
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
@@ -161,6 +191,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ## https://github.com/Kicksecure/security-misc/pull/242
 ##
@@ -188,6 +221,9 @@ kernel.yama.ptrace_scope=2
 ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
 ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_hardlinks=1
 fs.protected_symlinks=1
 
@@ -195,6 +231,9 @@ fs.protected_symlinks=1
 ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_fifos=2
 fs.protected_regular=2
 
@@ -205,6 +244,9 @@ fs.protected_regular=2
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.randomize_va_space=2
 
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
@@ -254,6 +296,9 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 fs.suid_dumpable=0
 
 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
@@ -284,6 +329,9 @@ vm.swappiness=1
 ## https://en.wikipedia.org/wiki/SYN_flood
 ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_SYN_COOKIES=y.
+##
 net.ipv4.tcp_syncookies=1
 
 ## Protect against TCP time-wait assassination hazards.
From 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 18 Aug 2024 13:53:11 +1000
Subject: [PATCH 1388/1650] Add details on user namespaces
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f576dbc..ad049b2 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -94,9 +94,13 @@ kernel.sysrq=0
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
 ## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
 ##
 ## KSPP=partial
 ## KSPP sets the stricter sysctl user.max_user_namespaces=0.
From 683110e7f02fa5fc6415354386552640cdb8758b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 01:34:14 +1000
Subject: [PATCH 1389/1650] Correction
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index da9254a..1ec228f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,8 @@ ## Kernel hardening This section is inspired by the Kernel Self Protection Project (KSPP). It -implements all recommended Linux kernel settings by the KSPP and many more. +attempts to implement all recommended Linux kernel settings by the KSPP and +many more sources. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings From 94dab1b7c503429e2fa91019a0183b2f36c6693f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 19 Aug 2024 10:53:05 +1000 Subject: [PATCH 1390/1650] Partial compliance with the KSPP on kernel panics --- etc/default/grub.d/40_kernel_hardening.cfg | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 35472ba..32f58ac 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -119,8 +119,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3bd7ea1..e9057dc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -139,8 +139,8 @@ kernel.perf_event_paranoid=3 ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## From e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 19 Aug 2024 11:32:20 +1000 Subject: [PATCH 1391/1650] Set `sysctl vm.mmap_min_addr=65536` --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/README.md b/README.md index da9254a..a7a0128 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,9 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. +- Raise the minimum address a process can request for memory mapping to 64KB to + protect against kernel null pointer dereference vulnerabilities. + - Increase the maximum number of memory map areas a process is able to utilize. - Disallow registering interpreters for various (miscellaneous) binary formats based diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..4a16ad0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -207,6 +207,20 @@ fs.protected_regular=2
 ##
 kernel.randomize_va_space=2
 
+## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
+## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
+## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
+##
+## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
+## https://access.redhat.com/articles/20484
+## https://wiki.debian.org/mmap_min_addr
+##
+## KSPP=yes
+## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
+##
+vm.mmap_min_addr=65536
+
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
 ## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.
From 56b28e38264fe742b8d694176f1057c15574fc08 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 11:50:08 +1000
Subject: [PATCH 1392/1650] Typo
---
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 32f58ac..aaf5be8 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
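Review bot: The added comment `+## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.` overstates what this sysctl does; the bugs are not prevented, only their exploitation is, because user space can no longer map the lowest pages and a kernel NULL dereference then faults into an oops rather than reading attacker-placed data. Suggest `## Mitigates exploitation of kernel NULL pointer dereference bugs by preventing user space from mapping the lowest pages; the bugs themselves still oops.` It would also help readers to note here that, as far as I recall from the kernel's vm sysctl documentation, processes holding CAP_SYS_RAWIO are exempt from this limit, which bounds the "local unprivileged users" claim on the following line.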
@@ -120,7 +120,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e9057dc..f13f193 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -140,7 +140,7 @@ kernel.perf_event_paranoid=3 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## From 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:50:14 +1000 Subject: [PATCH 1393/1650] Refactor modprobe.d to minimise potential future merge conflicts --- README.md | 35 ++-- .../30_security-misc_blacklist.conf | 4 +- etc/modprobe.d/30_security-misc_disable.conf | 162 ++++++++++-------- 3 files changed, 113 insertions(+), 88 deletions(-) diff --git a/README.md b/README.md index da9254a..4742384 100644 --- a/README.md +++ b/README.md 
@@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive; rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. +Hardware modules: + - Optional - Bluetooth: Disabled to reduce attack surface. -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - -- File Systems: Disable uncommon and legacy file systems. - - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). 
@@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. + +File system modules: + +- File Systems: Disable uncommon and legacy file systems. + - Network File Systems: Disable uncommon and legacy network file systems. +Networking modules: + - Network Protocols: A wide array of uncommon and legacy network protocols and drivers are disabled. -- Miscellaneous: Disable an assortment of other modules such as those required - for amateur radio, floppy disks, and vivid. Also disable legacy drivers that - have been entirely replaced by newer drivers. +Miscellaneous modules: -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Amateur Radios: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + +- Floppy Disks: Disabled to reduce attack surface. + +- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + +- Replaced Modules: Disabled legacy drivers that have been entirely replaced and + superseded by newer drivers. - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +- Vivid: Disabled to reduce attack surface given previous vulnerabilities. + ### Other - A systemd service clears the System.map file on boot as these contain kernel diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 34e1124..8386800 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -22,7 +22,7 @@ blacklist sr_mod #install sr_mod /usr/bin/disabled-cdrom-by-security-misc ## Miscellaneous: -## + ## GrapheneOS: ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. @@ -39,7 +39,7 @@ blacklist snd_intel8x0 #blacklist tls #blacklist virtio_balloon #blacklist virtio_console -## + ## Ubuntu: ## Already disabled modules have been omitted. ## diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 3a72b0e..3df5a51 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -8,6 +8,14 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. +## This configuration file is split into 4 sections: +## 1. Hardware +## 2. File Systems +## 3. Networking +## 4. Miscellaneous + +## 1. Hardware: + ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## 
@@ -34,27 +42,6 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. -## -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## 
@@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. -## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb /usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc 
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc - ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## @@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc +## Thunderbolt: +## Disables Thunderbolt modules to prevent some DMA attacks. +## +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## 2. File Systems: + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## 
@@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 
+## 2. Networking:
+
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ## Previously had blacklisted eepro100 and eth1394.
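Review bot: The new heading `+## 2. Networking:` reuses the number already given to the File Systems section; the index this same commit adds at the top of the file lists Networking as section 3, and the Miscellaneous heading later in the file is numbered 4. This line should read `## 3. Networking:` so the section numbers match the index.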
@@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc install sctp_diag /usr/bin/disabled-network-by-security-misc -## Miscellaneous: -## +## 4. Miscellaneous: + ## Amateur Radios: ## install hamradio /usr/bin/disabled-miscellaneous-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install msr /usr/bin/disabled-miscellaneous-by-security-misc + ## Floppy Disks: ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc + +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. ## -## Replaced: +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install neofb 
/usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb /usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + +## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. ## These were all previously blacklisted. ## @@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. ## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc + ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## 
@@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## install vivid /usr/bin/disabled-miscellaneous-by-security-misc - -## Thunderbolt: -## Disables Thunderbolt modules to prevent some DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## USB Video Device Class: -## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc From b87a18d4050bbf2add5cc4920684876a440e65bb Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 1394/1650] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4742384..b33ae5f 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. @@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form 
@@ -178,6 +174,13 @@ configuration file. - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From 342caf82b20acc2931563449fafe9a98cbedaba2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 1395/1650] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index b33ae5f..65b188c 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. 
@@ -160,18 +162,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### mmap ASLR From e4909b5e28e16f09de0e548c9221578ebe1190a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 25 Aug 2024 12:47:04 +1000 Subject: [PATCH 1396/1650] Add details on kernel panics --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++++++----- usr/libexec/security-misc/panic-on-oops | 5 ++++- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 1ec228f..ecbf3ef 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ space, user space, core dumps, and swap space. - Force the kernel to panic on "oopses" that can potentially indicate and thwart certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic. + occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aaf5be8..c8a7eab 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
 ## Force the kernel to panic on "oopses".
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
-## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
 ##
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f13f193..e305fa6 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0
 ##
 kernel.perf_event_paranoid=3
 
-## Force the kernel to panic on "oopses".
+## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
-## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
 ##
-## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://en.wikipedia.org/wiki/Kdump_(Linux)
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-#kernel.panic_on_oops=1
+## TODO: Debian 13 Trixie
+## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
+##
 #kernel.panic=-1
+kernel.panic_on_oops=1
+#kernel.panic_on_warn=1
+#kernel.oops_limit=1
+#kernel.warn_limit=1
 
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 2fc25c8..8d647f1 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
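Review bot: The forum link added in this hunk, `## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713`, misspells the path (`panisc`), so it replaces the working URL on the removed line with a broken one; it should read `## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713`. The added `## TODO: Debian 13 Trixie` line names no action, so a later reader cannot tell what is pending; presumably it means enabling the limit sysctls once the shipped kernel is >= 6.2, and saying so in the comment would make the TODO actionable. The rewritten line `## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.` reads as if the sysctls were a kernel config option; `## KSPP sets these sysctls and CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.` is unambiguous.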
@@ -15,5 +15,8 @@ fi
 ## Makes the kernel panic on oopses. This prevents the kernel
 ## from continuing to run a flawed processes. Many kernel exploits
 ## will also cause an oops which this will make the kernel kill.
-sysctl kernel.panic_on_oops=1
 #sysctl kernel.panic=-1
+sysctl kernel.panic_on_oops=1
+#sysctl kernel.panic_on_warn=1
+#sysctl kernel.oops_limit=1
+#sysctl kernel.warn_limit=1
From 32de5e7c49d301b62b838ba88550f58b02b6562b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 25 Aug 2024 12:57:22 +1000
Subject: [PATCH 1397/1650] Add details on oopses and warnings
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 +++-
 usr/libexec/security-misc/panic-on-oops | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e305fa6..9f79277 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -135,6 +135,8 @@ kernel.perf_event_paranoid=3
 ## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
 ## Panics may be due to false-positives such as bad drivers.
+## Oopses are serious but non-fatal errors.
+## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@@ -150,7 +152,7 @@ kernel.perf_event_paranoid=3
 ## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
 #kernel.panic=-1
-kernel.panic_on_oops=1
+#kernel.panic_on_oops=1
 #kernel.panic_on_warn=1
 #kernel.oops_limit=1
 #kernel.warn_limit=1
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 8d647f1..caeb950 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
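Review bot: The three `#sysctl` lines added after `sysctl kernel.panic_on_oops=1` are commented out without saying why, whereas the matching entries in `usr/lib/sysctl.d/990-security-misc.conf` (earlier in this commit) explain that the limits apply only to Linux kernel >= 6.2; a reader of this script alone cannot tell whether they are optional hardening or unfinished work. A comment above them such as `## kernel.oops_limit and kernel.warn_limit require Linux kernel >= 6.2; see /usr/lib/sysctl.d/990-security-misc.conf for details.` would keep the two files in step. This script also sets `kernel.panic_on_oops=1` unconditionally while the same commit uncomments that key in the sysctl file, so the value is now applied from two places even though the sysctl file's comment `## See /usr/libexec/security-misc/panic-on-oops for implementation.` presents this script as the single source.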
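Review bot: The added line `## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().` is missing a word after `avoid a` and does not parse, so the rationale for `kernel.panic_on_warn`, which is given nowhere else, is lost. The author should restate it; if the intent is that a panic stops execution from continuing past a `WARN()` site, `## Panicking on kernel warnings stops execution from continuing past the location of a WARN().` would say so. The other added line, `## Oopses are serious but non-fatal errors.`, sits directly under a header about forcing a panic on them and can read as contradictory; `## Oopses are serious errors that the kernel would otherwise survive.` avoids that.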
@@ -14,7 +14,8 @@ fi ## Makes the kernel panic on oopses. This prevents the kernel ## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill. +## will also cause an oops which this will make the kernel kill +## the offending processes. #sysctl kernel.panic=-1 sysctl kernel.panic_on_oops=1 #sysctl kernel.panic_on_warn=1 From af87a84b4f40b2ad9ac05dd9bce837665f239454 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 1398/1650] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index da9254a..4d5410c 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. @@ -164,18 +166,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules 
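Review bot: The reworded comment now ends `will also cause an oops which this will make the kernel kill the offending processes.`, but the sysctl this script sets, `kernel.panic_on_oops=1`, turns an oops into a kernel panic — the first line of the same comment says `Makes the kernel panic on oopses` — so the result is a halted (or, with `kernel.panic=-1`, rebooted) system rather than a killed process, and the new wording understates the effect. A line such as `## will also cause an oops, which this setting escalates to a kernel panic.` matches the behaviour. The context line `a flawed processes` could become `a flawed process` in the same pass.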
From 433b15f985545f531b87d09659bbbb89993b5a67 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 1399/1650] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4d5410c..cf8d54c 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. @@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. 
@@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form @@ -186,6 +182,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Aug 2024 14:33:40 +0000 Subject: [PATCH 1400/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c57922..3dd86f4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 433b15f985545f531b87d09659bbbb89993b5a67 +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit af87a84b4f40b2ad9ac05dd9bce837665f239454 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 +Author: Patrick Schleizer +Date: Fri Aug 16 08:38:12 2024 +0000 + + bumped changelog version + commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b Merge: 12296c6 305467c Author: Patrick Schleizer 
diff --git a/debian/changelog b/debian/changelog index 2bc634a..f86a0c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 + security-misc (3:39.0-1) unstable; urgency=medium * New upstream version (local package). From cf824ddb248957fd9e542c1a5adc5e90381f684c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Aug 2024 15:34:55 +0000 Subject: [PATCH 1401/1650] bumped changelog version --- changelog.upstream | 78 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 84 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3dd86f4..42493c9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit 500568e322b2e3623fc649209d671c7b9d9fa097 +Merge: 43d13b7 73900b5 +Author: Patrick Schleizer +Date: Sun Aug 25 11:01:58 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 73900b59db37d77bc24bd5088aae3cc760aacc69 +Merge: 43d13b7 1f51d4e +Author: Patrick Schleizer +Date: Sun Aug 25 11:00:51 2024 -0400 + + Merge pull request #263 from raja-grewal/max_user_namespaces + + Provide option to disable user namespaces + +commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 +Merge: 8353764 fae586c +Author: Patrick Schleizer +Date: Sun Aug 25 10:55:52 2024 -0400 + + Merge remote-tracking branch 'raja/syntax' + +commit 835376418d616699023f8e638666f43d34241863 +Merge: ae85fd5 342caf8 +Author: Patrick Schleizer +Date: Sun Aug 25 10:48:25 2024 -0400 + + Merge remote-tracking branch 'raja/mod' + +commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 +Author: Patrick Schleizer +Date: Sun Aug 25 14:33:40 2024 +0000 + + bumped changelog version + commit 433b15f985545f531b87d09659bbbb89993b5a67 Author: Raja Grewal Date: Wed Aug 21 12:51:51 2024 +1000 
@@ -10,6 +46,42 @@ Date: Wed Aug 21 12:52:48 2024 +1000 README.md: Organise kernel boot parameters +commit 342caf82b20acc2931563449fafe9a98cbedaba2 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit b87a18d4050bbf2add5cc4920684876a440e65bb +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 +Author: Raja Grewal +Date: Wed Aug 21 12:50:14 2024 +1000 + + Refactor modprobe.d to minimise potential future merge conflicts + +commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d +Author: Raja Grewal +Date: Sun Aug 18 13:53:11 2024 +1000 + + Add details on user namespaces + +commit 759aee8150a2d1258d73217c071b25432d47496f +Author: Raja Grewal +Date: Fri Aug 16 22:54:57 2024 +1000 + + Provide option to disable user namespaces + +commit fae586c3c5e8382ca01c60f810b26d88189a5514 +Author: Raja Grewal +Date: Fri Aug 16 19:23:48 2024 +1000 + + Patch bug in existing `rp_filter` `sysctl` + commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 Author: Patrick Schleizer Date: Fri Aug 16 08:38:12 2024 +0000 @@ -88,6 +160,12 @@ Date: Fri Aug 16 13:12:07 2024 +1000 Typos +commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e +Author: Raja Grewal +Date: Fri Aug 16 12:46:51 2024 +1000 + + Simplify syntax of some network-related `sysctl`'s + commit e3a3207a4447568a17129afe9dde34debc465e21 Author: Raja Grewal Date: Fri Aug 16 12:41:36 2024 +1000 diff --git a/debian/changelog b/debian/changelog index f86a0c9..309ed08 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 + security-misc (3:39.1-1) unstable; urgency=medium * New upstream version (local package). From ac6602ac3531ae57603e8a9e5ac2ee1652164b23 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Mon, 26 Aug 2024 11:19:20 +1000 Subject: [PATCH 1402/1650] Add detail on disabling user namespaces breaking UPower --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 484761e..d244a01 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -116,6 +116,7 @@ kernel.sysrq=0 ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. ## Disabling entirely will reduce compatibility with some AppArmor profiles. +## Disabling entirely is known to break the UPower systemd servince. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel From 2841d789bebbd43f855b6ffb92a3a6f017007a72 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 11:21:26 +1000 Subject: [PATCH 1403/1650] README: Update --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 946e646..7183675 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ many more sources. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings +- https://github.com/KSPP/kspp.github.io ### sysctl @@ -75,6 +76,8 @@ Core dumps: - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. +Swap space: + - Limit the copying of potentially sensitive content in memory to the swap device. Networking: From 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 Mon Sep 17 00:00:00 2001 
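Review bot: The added line `## Disabling entirely is known to break the UPower systemd servince.` has a typo in its last word; it should read `## Disabling entirely is known to break the UPower systemd service.`. The neighbouring lines cite a source for each claim, so adding a reference for where this breakage was observed would let a reader later check whether it still applies.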
From: Raja Grewal
Date: Mon, 26 Aug 2024 11:34:12 +1000
Subject: [PATCH 1404/1650] Add KSPP notice definitions
---
 etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++++
 etc/default/grub.d/40_kernel_hardening.cfg | 4 ++++
 etc/default/grub.d/40_remount_secure.cfg | 4 ++++
 etc/default/grub.d/40_signed_modules.cfg | 4 ++++
 etc/default/grub.d/41_quiet_boot.cfg | 4 ++++
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 4 ++++
 usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 ++++
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 8 files changed, 32 insertions(+)
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 486b63b..529b626 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index c8a7eab..49435d9 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
 kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
 #echo "## kver: $kver"
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
 ## 2. Direct Memory Access
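Review bot: The four-line `## Definitions:` block added at the top of `40_cpu_mitigations.cfg` is pasted verbatim into the other seven files of this commit (the remaining hunks on this source line and the next three), so any change to the wording, or a third marker value, has to be repeated in eight places. A style alternative is to define the markers once — `usr/lib/sysctl.d/990-security-misc.conf`, which already documents its section layout, is a natural home — and give each other file a single pointer such as `## KSPP=yes / KSPP=partial markers are defined in /usr/lib/sysctl.d/990-security-misc.conf.`. Whichever is chosen, the definitions should also say how settings the KSPP does not cover are marked, since lines like `## KSPP does not set CONFIG_BINFMT_MISC.` already appear alongside a `## KSPP=yes` marker in the sysctl file.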
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index db6db11..4593820 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -1,6 +1,10 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
 
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 5e6fce7..788eeb1 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
 ## This prevents all out-of-tree kernel modules unless signed.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 4806484..86c8660 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
 ## LANG=C str_replace is provided by package helper-scripts.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index eb785cc..74ab6f5 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
 ## requires kexec. However, ram-wipe cannot ship a config file
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index f8baa3f..b07fae9 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -1,6 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+
 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index d244a01..a0bb243 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -6,6 +6,10 @@ ## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space From 9e91c98cc926e7a166458cd78e3c1d1ced23c753 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 12:40:04 +1000 Subject: [PATCH 1405/1650] Add details on BPF hardening and split the `sysctl`s --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 20 +++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7183675..8af16ae 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,8 @@ Kernel space: - Prevent kernel information leaks in the console during boot. -- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. @@ -82,6 +83,8 @@ Swap space: Networking: +- Enable hardening of the BPF JIT compiler protect against JIT spraying. + - Enable TCP SYN cookie protection to assist against SYN flood attacks. - Protect against TCP time-wait assassination hazards. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a0bb243..bd74a3a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -58,15 +58,16 @@ kernel.dmesg_restrict=1 ## #kernel.printk=3 3 3 3 -## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. ## ## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ ## ## KSPP=yes -## KSPP sets the sysctls. +## KSPP sets the sysctl. ## kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. @@ -348,6 +349,19 @@ vm.swappiness=1 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood From f70fe308a9f65873d34de2d1906d825f3a56e272 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 Aug 2024 06:49:50 -0400 Subject: [PATCH 1406/1650] no longer set sysctl `fs.binfmt_misc.status=0` / no longer disallow registering interpreters for miscellaneous binary formats causing file/folder permissions issue `d????????? ? ? ? ? ? .` Firefox no longer starting (probably not not a Firefox issue) https://github.com/Kicksecure/security-misc/issues/267 --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) 
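Review bot: The new line `## Disables unprivileged calls to bpf() without recovery.` is too terse to convey the property that matters for `kernel.unprivileged_bpf_disabled=1`: once written, the value cannot be changed back at runtime, so unprivileged `bpf()` stays off until reboot (a value of 2 applies the same restriction but can be reverted). Spelling this out, e.g. `## Once set to 1 this cannot be reverted without a reboot; a value of 2 applies the same restriction while remaining changeable at runtime.`, tells the reader why 1 was chosen and what that trades away. The second hunk on this source line, which moves `net.core.bpf_jit_harden=2` into the networking section with its own rationale, is consistent with this one and needs no change.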
diff --git a/README.md b/README.md index 8af16ae..93403b9 100644 --- a/README.md +++ b/README.md @@ -69,8 +69,9 @@ User space: - Increase the maximum number of memory map areas a process is able to utilize. -- Disallow registering interpreters for various (miscellaneous) binary formats based +- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. + See issue: https://github.com/Kicksecure/security-misc/issues/267 Core dumps: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index bd74a3a..bbef5bd 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -304,7 +304,10 @@ vm.max_map_count=1048576 ## KSPP=yes ## KSPP does not set CONFIG_BINFMT_MISC. ## -fs.binfmt_misc.status=0 +## This is disabled by default due to file/folder permission issues: +## https://github.com/Kicksecure/security-misc/issues/267 +## +#fs.binfmt_misc.status=0 ## 3. Core Dumps: ## From 9c918eb4313b60dc15aa9fa4474a7977602030c1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 Aug 2024 11:01:37 +0000 Subject: [PATCH 1407/1650] bumped changelog version --- changelog.upstream | 102 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 108 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 42493c9..b0c969c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
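Review bot: The `## KSPP=yes` marker that remains above the now commented-out `#fs.binfmt_misc.status=0` (context in this hunk) still reads as if the setting were applied, so anyone auditing compliance by these markers will be misled for this entry. Either the marker should record the exception, e.g. `## KSPP=yes (not applied by default, see below)`, or the definitions block at the top of this file should state how disabled-by-default settings are marked. The added comment cites the issue for the symptom; noting what to verify before re-enabling the sysctl (the `d?????????` permission listing from the commit message) would help whoever revisits this.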
@@ -1,3 +1,69 @@ +commit f70fe308a9f65873d34de2d1906d825f3a56e272 +Author: Patrick Schleizer +Date: Wed Aug 28 06:49:50 2024 -0400 + + no longer set sysctl `fs.binfmt_misc.status=0` / + no longer disallow registering interpreters for miscellaneous binary formats + + causing file/folder permissions issue `d????????? ? ? ? ? ? .` + + Firefox no longer starting (probably not not a Firefox issue) + + https://github.com/Kicksecure/security-misc/issues/267 + +commit 463aa58f28b6389d0925fed87096b348b652cc16 +Merge: cf824dd 328840c +Author: Patrick Schleizer +Date: Wed Aug 28 06:42:49 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 328840c933a583adc5458aa08c63fb627b31b298 +Merge: cf824dd 9e91c98 +Author: Patrick Schleizer +Date: Wed Aug 28 06:38:57 2024 -0400 + + Merge pull request #264 from raja-grewal/kspp_compliance + + Add KSPP compliance notices to corresponding parameters and `sysctls` + +commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 +Author: Raja Grewal +Date: Mon Aug 26 12:40:04 2024 +1000 + + Add details on BPF hardening and split the `sysctl`s + +commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 +Author: Raja Grewal +Date: Mon Aug 26 11:34:12 2024 +1000 + + Add KSPP notice definitions + +commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 +Author: Raja Grewal +Date: Mon Aug 26 11:21:26 2024 +1000 + + README: Update + +commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 +Author: Raja Grewal +Date: Mon Aug 26 11:19:20 2024 +1000 + + Add detail on disabling user namespaces breaking UPower + +commit 9dbd200be415c86e7039463c6269fad8395a4373 +Merge: 32de5e7 cf824dd +Author: raja-grewal +Date: Mon Aug 26 11:08:21 2024 +1000 + + Merge branch 'Kicksecure:master' into kspp_compliance + +commit cf824ddb248957fd9e542c1a5adc5e90381f684c +Author: Patrick Schleizer +Date: Sun Aug 25 15:34:55 2024 +0000 + + bumped changelog version + commit 500568e322b2e3623fc649209d671c7b9d9fa097 Merge: 43d13b7 73900b5 Author: Patrick Schleizer 
@@ -46,6 +112,18 @@ Date: Wed Aug 21 12:52:48 2024 +1000 README.md: Organise kernel boot parameters +commit 32de5e7c49d301b62b838ba88550f58b02b6562b +Author: Raja Grewal +Date: Sun Aug 25 12:57:22 2024 +1000 + + Add details on oopses and warnings + +commit e4909b5e28e16f09de0e548c9221578ebe1190a3 +Author: Raja Grewal +Date: Sun Aug 25 12:47:04 2024 +1000 + + Add details on kernel panics + commit 342caf82b20acc2931563449fafe9a98cbedaba2 Author: Raja Grewal Date: Wed Aug 21 12:52:48 2024 +1000 @@ -64,12 +142,36 @@ Date: Wed Aug 21 12:50:14 2024 +1000 Refactor modprobe.d to minimise potential future merge conflicts +commit 56b28e38264fe742b8d694176f1057c15574fc08 +Author: Raja Grewal +Date: Mon Aug 19 11:50:08 2024 +1000 + + Typo + +commit 94dab1b7c503429e2fa91019a0183b2f36c6693f +Author: Raja Grewal +Date: Mon Aug 19 10:53:05 2024 +1000 + + Partial compliance with the KSPP on kernel panics + +commit 683110e7f02fa5fc6415354386552640cdb8758b +Author: Raja Grewal +Date: Mon Aug 19 01:34:14 2024 +1000 + + Correction + commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Author: Raja Grewal Date: Sun Aug 18 13:53:11 2024 +1000 Add details on user namespaces +commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 +Author: Raja Grewal +Date: Sat Aug 17 01:06:21 2024 +1000 + + Include KSPP compliance notices + commit 759aee8150a2d1258d73217c071b25432d47496f Author: Raja Grewal Date: Fri Aug 16 22:54:57 2024 +1000 diff --git a/debian/changelog b/debian/changelog index 309ed08..b9cd9a3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 + security-misc (3:39.2-1) unstable; urgency=medium * New upstream version (local package). From 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Thu, 29 Aug 2024 01:57:32 +1000 Subject: [PATCH 1408/1650] Enable `panic_on_warn=1` --- README.md | 7 ++++--- usr/libexec/security-misc/panic-on-oops | 10 +++++----- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 93403b9..c1f1144 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,10 @@ Kernel space: - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). +- Force the kernel to panic on both "oopses", which can potentially indicate and thwart + certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. + Optional - Force immediate reboot on the occurrence of a single kernel panic and also + (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index caeb950..73c22d0 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -12,12 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
 source /usr/libexec/helper-scripts/pre.bsh
 fi
-## Makes the kernel panic on oopses. This prevents the kernel
-## from continuing to run a flawed processes. Many kernel exploits
-## will also cause an oops which this will make the kernel kill
-## the offending processes.
+## Makes the kernel panic on oopses and warnings. This prevents the
+## kernel from continuing to run a flawed processes. Many kernel
+## exploits will also cause an oops, these settings will make the
+## kernel kill the offending processes.
 #sysctl kernel.panic=-1
 sysctl kernel.panic_on_oops=1
-#sysctl kernel.panic_on_warn=1
+sysctl kernel.panic_on_warn=1
 #sysctl kernel.oops_limit=1
 #sysctl kernel.warn_limit=1
From 6294729c8ef24077cd342b4557653806c3aacd34 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 29 Aug 2024 15:34:24 +1000
Subject: [PATCH 1409/1650] Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272
---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index bbef5bd..cbb03a3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -301,7 +301,7 @@ vm.max_map_count=1048576
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
 ## https://github.com/Kicksecure/security-misc/pull/249
 ##
-## KSPP=yes
+## KSPP=no
 ## KSPP does not set CONFIG_BINFMT_MISC.
 ##
 ## This is disabled by default due to file/folder permission issues:
From 59374ce902127e2125addc2ebb57d0d856a63671 Mon Sep 17 00:00:00 2001
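Review bot: The rewritten comment still says these settings make the `kernel kill the offending processes`, but `kernel.panic_on_oops=1` and the newly enabled `kernel.panic_on_warn=1` make the kernel panic, which stops the whole system (it reboots only if `kernel.panic` is set, and that line is still commented out in this script) rather than terminating a process; `a flawed processes` is also ungrammatical. Since `panic_on_warn` turns every `WARN()` hit, including benign driver warnings, into a panic, the comment should state that availability trade-off so an operator can tell why a spurious warning halted the machine. Suggested replacement for the four comment lines: `## Make the kernel panic on oopses and on WARN() hits instead of continuing with possibly corrupted state. Many kernel exploits trigger an oops or a warning; note that a panic halts the entire system (it only reboots if kernel.panic is set), so benign driver warnings become fatal too.` The `sysctl` calls are unchecked; if pre.bsh does not enable errexit, a failed write is silently ignored, so consider reporting failures to stderr.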
From: Patrick Schleizer Date: Thu, 29 Aug 2024 09:49:51 +0000 Subject: [PATCH 1410/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b0c969c..3797cca 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 7e2838ec077b53e41d468d5655290152761c8745 +Merge: 9c918eb 0762794 +Author: Patrick Schleizer +Date: Thu Aug 29 05:06:07 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0762794ff684049a62b5b92b61177615a5376ad7 +Merge: 9c918eb 6294729 +Author: Patrick Schleizer +Date: Thu Aug 29 04:46:26 2024 -0400 + + Merge pull request #269 from raja-grewal/tidy + + Minor correction + +commit 6294729c8ef24077cd342b4557653806c3aacd34 +Author: Raja Grewal +Date: Thu Aug 29 15:34:24 2024 +1000 + + Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 + +commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 +Author: Patrick Schleizer +Date: Wed Aug 28 11:01:37 2024 +0000 + + bumped changelog version + commit f70fe308a9f65873d34de2d1906d825f3a56e272 Author: Patrick Schleizer Date: Wed Aug 28 06:49:50 2024 -0400 diff --git a/debian/changelog b/debian/changelog index b9cd9a3..b07ee8e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 + security-misc (3:39.3-1) unstable; urgency=medium * New upstream version (local package). From 7393ba159192fdfc45ef31a3fa60786f899dbf25 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 4 Sep 2024 23:23:24 +1000 Subject: [PATCH 1411/1650] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index cbb03a3..3ec3b73 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -121,7 +121,7 @@ kernel.sysrq=0
 ## Restricting may lead to breakages in numerous software packages.
 ## Uncomment the second sysctl to entirely disable user namespaces.
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
-## Disabling entirely is known to break the UPower systemd servince.
+## Disabling entirely is known to break the UPower systemd service.
 ##
 ## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
From 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 4 Sep 2024 14:13:15 +0000
Subject: [PATCH 1412/1650] bumped changelog version
---
 changelog.upstream | 65 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 +++++
 2 files changed, 71 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 3797cca..368d456 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,56 @@ +commit 5a255d4831470449a26b324a8f16594432bf834b +Merge: d618f9f 563a898 +Author: Patrick Schleizer +Date: Wed Sep 4 10:12:34 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 563a8980133e15e33ac95a631e37ecfff88f6f8f +Merge: 175945e e61027a +Author: Patrick Schleizer +Date: Wed Sep 4 10:11:48 2024 -0400 + + Merge pull request #265 from raja-grewal/mmap_min_addr + + Set `sysctl vm.mmap_min_addr=65536` + +commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 +Merge: 59374ce 175945e +Author: Patrick Schleizer +Date: Wed Sep 4 10:07:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 +Merge: b0a8544 3101035 +Author: Patrick Schleizer +Date: Wed Sep 4 10:05:47 2024 -0400 + + Merge pull request #268 from raja-grewal/panic_on_warn + + Enable `panic_on_warn=1` + +commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef +Merge: 59374ce 7393ba1 +Author: Patrick Schleizer +Date: Wed Sep 4 10:04:45 2024 -0400 + + Merge pull request #270 from raja-grewal/typo + + Small typo + +commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 +Author: raja-grewal +Date: Wed Sep 4 23:23:24 2024 +1000 + + Typo + +commit 59374ce902127e2125addc2ebb57d0d856a63671 +Author: Patrick Schleizer +Date: Thu Aug 29 09:49:51 2024 +0000 + + bumped changelog version + commit 7e2838ec077b53e41d468d5655290152761c8745 Merge: 9c918eb 0762794 Author: Patrick Schleizer @@ -20,6 +73,12 @@ Date: Thu Aug 29 15:34:24 2024 +1000 Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 +commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 +Author: Raja Grewal +Date: Thu Aug 29 01:57:32 2024 +1000 + + Enable `panic_on_warn=1` + commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 Author: Patrick Schleizer Date: Wed Aug 28 11:01:37 2024 +0000 
@@ -176,6 +235,12 @@ Date: Mon Aug 19 11:50:08 2024 +1000 Typo +commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 +Author: Raja Grewal +Date: Mon Aug 19 11:32:20 2024 +1000 + + Set `sysctl vm.mmap_min_addr=65536` + commit 94dab1b7c503429e2fa91019a0183b2f36c6693f Author: Raja Grewal Date: Mon Aug 19 10:53:05 2024 +1000 diff --git a/debian/changelog b/debian/changelog index b07ee8e..7ccf2ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 + security-misc (3:39.4-1) unstable; urgency=medium * New upstream version (local package). From e914028be7a48a3bfdf86e09c029011807f080d7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Sep 2024 06:03:05 -0400 Subject: [PATCH 1413/1650] add KSPP compliance status to readme based on comment by @raja-grewal https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/README.md b/README.md index b4021d9..6706e8d 100644 --- a/README.md +++ b/README.md 
@@ -194,6 +194,48 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +## Kernel Self Protection Project (KSPP) Compliance Status + +**Summary:*** + +security-misc is in full compliance with KSPP as much as reasonable. In a few exception cases there is only partial compliance or non-compliance. + +* https://kspp.github.io/Recommended_Settings + +**Full compliance:** + +More than 30 kernel boot parameters and more than 30 sysctl settings are fully compliant with recommendations by KSPP. + +**Partial compliance:** + +1. `sysctl kernel.yama.ptrace_scope=3` + +Disable `ptrace()` entirely. Can easily enable. + +* https://github.com/Kicksecure/security-misc/pull/242 + +2. `sysctl kernel.panic=-1` + +Force immediate reboot upon a kernel panic. Can enable but may cause system crashes. + +* https://github.com/Kicksecure/security-misc/pull/264 +* https://github.com/Kicksecure/security-misc/pull/268 + +3. `sysctl user.max_user_namespaces=0` + +Disable user namespaces entirely. Unadvisable due to numerous potential breakages. + +* https://github.com/Kicksecure/security-misc/pull/263 + +**Non-compliance:** + +4. `sysctl fs.binfmt_misc.status=0` + +Disable registering interpreters for miscellaneous binary formats. Currently unadvisable due to breakage with Firefox. + +* https://github.com/Kicksecure/security-misc/pull/249 +* https://github.com/Kicksecure/security-misc/issues/267 + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via From 01908d505a59e7ec37cc3de3e1d49ff35ba127aa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Sep 2024 07:00:11 -0400 Subject: [PATCH 1414/1650] readme --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 6706e8d..d746f59 100644 --- a/README.md +++ b/README.md 
@@ -196,45 +196,45 @@ Networking: ## Kernel Self Protection Project (KSPP) Compliance Status -**Summary:*** +**Summary:** -security-misc is in full compliance with KSPP as much as reasonable. In a few exception cases there is only partial compliance or non-compliance. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. -* https://kspp.github.io/Recommended_Settings +* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and more than 30 sysctl settings are fully compliant with recommendations by KSPP. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. **Partial compliance:** 1. `sysctl kernel.yama.ptrace_scope=3` -Disable `ptrace()` entirely. Can easily enable. +Completely disables `ptrace()`. Can be enabled easily if needed. -* https://github.com/Kicksecure/security-misc/pull/242 +* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) 2. `sysctl kernel.panic=-1` -Force immediate reboot upon a kernel panic. Can enable but may cause system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. -* https://github.com/Kicksecure/security-misc/pull/264 -* https://github.com/Kicksecure/security-misc/pull/268 +* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) +* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) 3. `sysctl user.max_user_namespaces=0` -Disable user namespaces entirely. Unadvisable due to numerous potential breakages. +Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. 
-* https://github.com/Kicksecure/security-misc/pull/263 +* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) **Non-compliance:** 4. `sysctl fs.binfmt_misc.status=0` -Disable registering interpreters for miscellaneous binary formats. Currently unadvisable due to breakage with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. -* https://github.com/Kicksecure/security-misc/pull/249 -* https://github.com/Kicksecure/security-misc/issues/267 +* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) +* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) ### mmap ASLR From 1bc694fa124eaeb6e1517d2191a8fd97446872c4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Sep 2024 17:41:30 +0000 Subject: [PATCH 1415/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 368d456..cab2526 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa +Author: Patrick Schleizer +Date: Thu Sep 5 07:00:11 2024 -0400 + + readme + +commit e914028be7a48a3bfdf86e09c029011807f080d7 +Author: Patrick Schleizer +Date: Thu Sep 5 06:03:05 2024 -0400 + + add KSPP compliance status to readme based on comment by @raja-grewal + + https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 + +commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 +Author: Patrick Schleizer +Date: Wed Sep 4 14:13:15 2024 +0000 + + bumped changelog version + commit 5a255d4831470449a26b324a8f16594432bf834b Merge: d618f9f 563a898 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 7ccf2ff..2de7eac 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@
+security-misc (3:39.6-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000
+
 security-misc (3:39.5-1) unstable; urgency=medium
 * New upstream version (local package).
From 3280dbd5d562d7f6b50118ac0da36c3285493be6 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 13 Sep 2024 22:52:47 -0400
Subject: [PATCH 1416/1650] Fix VirtualBox audio device ICH AC97.
no longer `blacklist snd_intel8x0`
Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
https://www.kicksecure.com/wiki/Dev/audio
Fixes https://github.com/Kicksecure/security-misc/issues/271
---
 etc/modprobe.d/30_security-misc_blacklist.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 8386800..af312b2 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -35,7 +35,13 @@ blacklist sr_mod
 blacklist joydev
 #blacklist mousedev
 #blacklist psmouse
-blacklist snd_intel8x0
+## TODO: Re-check in Debian trixie
+## In GrapheneOS list, yes, "should" be out-commented here.
+## But not actually out-commented.
+## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
+#blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
 #blacklist virtio_console
From 18d426f521b2b1369fe68e143dc8a0be064d0dcc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 14 Sep 2024 02:56:09 +0000
Subject: [PATCH 1417/1650] bumped changelog version
---
 changelog.upstream | 19 +++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 25 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index cab2526..bd0c006 100644
--- a/changelog.upstream
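Review bot: The new comment block becomes self-contradictory once the line below it is commented out: `## In GrapheneOS list, yes, "should" be out-commented here.` and `## But not actually out-commented.` describe the previous state, so a reader cannot tell whether `snd_intel8x0` is meant to be blacklisted. Replace those two lines with a statement of the decision, e.g. `## Listed in the GrapheneOS blacklist, but deliberately NOT blacklisted here because`, followed by the existing VirtualBox and issue lines. The `## TODO: Re-check in Debian trixie` would be actionable if it named the condition for restoring the entry, e.g. `## TODO: re-blacklist in Debian trixie if VirtualBox no longer needs the ICH AC97 device.` With the entry commented out the module can presumably autoload on any host that exposes matching hardware, not only inside VirtualBox, which is the trade-off the comment should state.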
+++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 +Author: Patrick Schleizer +Date: Fri Sep 13 22:52:47 2024 -0400 + + Fix VirtualBox audio device ICH AC97. + + no longer `blacklist snd_intel8x0` + + Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. + https://www.kicksecure.com/wiki/Dev/audio + + Fixes https://github.com/Kicksecure/security-misc/issues/271 + +commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 +Author: Patrick Schleizer +Date: Sun Sep 8 17:41:30 2024 +0000 + + bumped changelog version + commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa Author: Patrick Schleizer Date: Thu Sep 5 07:00:11 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 2de7eac..1b10682 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 + security-misc (3:39.6-1) unstable; urgency=medium * New upstream version (local package). From 769767a96a5de2a8bc05e70ca490d8340b553061 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 25 Sep 2024 09:54:49 +1000 Subject: [PATCH 1418/1650] Update mmap ASLR docs --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d746f59..e55a1ec 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ User space: enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. -- Maximize the bits of entropy used for mmap ASLR across all architectures. +- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. - Prevent hardlink and symlink TOCTOU races in world-writable directories. 
@@ -194,6 +194,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR for all CPU architectures are maxed + out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** @@ -236,13 +243,6 @@ Disables the registration of interpreters for miscellaneous binary formats. Curr * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Kernel Modules #### Kernel Module Signature Verification From 870ff88605b8167c8882162cc3da005d71ca0cd3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 25 Sep 2024 10:01:45 +1000 Subject: [PATCH 1419/1650] Comment on Flatpak requiring unprivileged user namespaces --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7329e77..e633df1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -119,6 +119,7 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
 ## Uncomment the second sysctl to entirely disable user namespaces.
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ## Disabling entirely is known to break the UPower systemd service.
@@ -127,6 +128,7 @@ kernel.sysrq=0
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
 ## https://github.com/Kicksecure/security-misc/pull/263
 ##
 ## KSPP=partial
From 5572eb897a10455041df8abec6b6be6de29431a0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 25 Sep 2024 01:03:42 +0000
Subject: [PATCH 1420/1650] bumped changelog version
---
 changelog.upstream | 34 ++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 40 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index bd0c006..d4a84ed 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,37 @@ +commit e04f9cd4c17305d5201aa973c34778e81508734b +Merge: 18d426f 65aa910 +Author: Patrick Schleizer +Date: Tue Sep 24 20:16:06 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 65aa910503c07f708abf20f78be2f519ef58764a +Merge: 18d426f 870ff88 +Author: Patrick Schleizer +Date: Tue Sep 24 20:15:03 2024 -0400 + + Merge pull request #272 from raja-grewal/text + + Documentation update + +commit 870ff88605b8167c8882162cc3da005d71ca0cd3 +Author: raja-grewal +Date: Wed Sep 25 10:01:45 2024 +1000 + + Comment on Flatpak requiring unprivileged user namespaces + +commit 769767a96a5de2a8bc05e70ca490d8340b553061 +Author: raja-grewal +Date: Wed Sep 25 09:54:49 2024 +1000 + + Update mmap ASLR docs + +commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc +Author: Patrick Schleizer +Date: Sat Sep 14 02:56:09 2024 +0000 + + bumped changelog version + commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 Author: Patrick Schleizer Date: Fri Sep 13 22:52:47 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 1b10682..57ee04b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 + security-misc (3:39.7-1) unstable; urgency=medium * New upstream version (local package). From 39d063d494cb540f45747f6253ab896200ba03c3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 26 Sep 2024 13:09:21 +0000 Subject: [PATCH 1421/1650] Add KSPP=no definition --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + etc/default/grub.d/40_kernel_hardening.cfg | 1 + etc/default/grub.d/40_remount_secure.cfg | 1 + etc/default/grub.d/40_signed_modules.cfg | 1 + etc/default/grub.d/41_quiet_boot.cfg | 1 + usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 + usr/lib/sysctl.d/990-security-misc.conf | 1 + 8 files changed, 8 insertions(+) 
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 529b626..5960e14 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 49435d9..ad7e61a 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -8,6 +8,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index 4593820..f92991a 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 788eeb1..b33dceb 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 86c8660..33b412d 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index 74ab6f5..da77fd7 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index b07fae9..44b0b25 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -4,6 +4,7 @@ ## Definitions: ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e633df1..c404553 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -9,6 +9,7 @@ ## Definitions: ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP ## This configuration file is divided into 5 sections: ## 1. Kernel Space From f3b50a23c976ba4feff34eee721c50f698ecc5bf Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 26 Sep 2024 13:10:01 +0000 Subject: [PATCH 1422/1650] Add reference on unprivileged_userns_restriction --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c404553..eb160ef 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -127,6 +127,7 @@ kernel.sysrq=0 ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements From eae38e72f30ff9b9f8d0b8b0b33182a918333e48 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Thu, 26 Sep 2024 13:10:36 +0000 Subject: [PATCH 1423/1650] README.md: Show the current max_map_count --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e55a1ec..a849c91 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ User space: - Raise the minimum address a process can request for memory mapping to 64KB to protect against kernel null pointer dereference vulnerabilities. -- Increase the maximum number of memory map areas a process is able to utilize. +- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. - Optional - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. From ac1378743c7448c9a7e7e02bebcf3270592d42a5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 30 Sep 2024 16:56:18 +1000 Subject: [PATCH 1424/1650] Consistent formatting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a849c91..481a6c0 100644 --- a/README.md +++ b/README.md @@ -201,7 +201,7 @@ Networking: `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. -## Kernel Self Protection Project (KSPP) Compliance Status +### Kernel Self Protection Project (KSPP) compliance status **Summary:** From f401d94d5e0d0f26e93be55deda440fe565a6b22 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:44:06 -0400 Subject: [PATCH 1425/1650] expand documentation on `kernel.unprivileged_userns_clone=0` sysctl https://github.com/Kicksecure/security-misc/issues/274 --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e633df1..897ba59 100644 
--- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -119,22 +119,34 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## ## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Uncomment the second sysctl to entirely disable user namespaces. +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. ## +## Also breaks (some?) AppImages. +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## +## Might also break evolution (e-mail client): +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 +## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=partial -## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. ## kernel.unprivileged_userns_clone=0 +## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. 
From 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:58:58 -0400 Subject: [PATCH 1426/1650] no longer set `kernel.unprivileged_userns_clone=0` because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274 --- README.md | 12 +++++++----- usr/lib/sysctl.d/990-security-misc.conf | 7 ++++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e55a1ec..bc43280 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,10 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. Optional - Disable all use of user namespaces. +- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. + +- Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. @@ -200,7 +202,7 @@ Networking: out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. - + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** 
@@ -228,14 +230,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) +**Non-compliance:** + 3. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -**Non-compliance:** - 4. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 897ba59..f7763b1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -142,10 +142,11 @@ kernel.sysrq=0 ## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/issues/274 ## -## KSPP=partial -## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. +## KSPP=no +## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. ## -kernel.unprivileged_userns_clone=0 +## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. +#kernel.unprivileged_userns_clone=0 ## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 From 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 07:22:23 +0000 Subject: [PATCH 1427/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d4a84ed..f86e577 100644 --- a/changelog.upstream 
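Review bot: Commenting out `kernel.unprivileged_userns_clone=0` changes nothing on a host that already booted with the old file: sysctl.d is applied at boot (or when systemd-sysctl is re-run), and a removed line writes nothing back, so hosts upgraded without a reboot keep the value 0 and the breakage this commit addresses persists until the next boot or an explicit `sysctl -w kernel.unprivileged_userns_clone=1`. If the fix is meant to take effect on upgrade, set the value from the package's maintainer script, or say in the README hunk that a reboot is needed. The `## Uncomment the following sysctl to entirely disable user namespaces.` comment now applies only to `user.max_user_namespaces`, so the newly commented `#kernel.unprivileged_userns_clone=0` carries no opt-in guidance even though the README hunk above advertises that restriction as optional. A line above it such as `## Uncomment the following sysctl to restrict user namespace creation to CAP_SYS_ADMIN (Debian kernel patch, not mainline).` would pair the two.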
+++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c +Author: Patrick Schleizer +Date: Thu Oct 3 02:58:58 2024 -0400 + + no longer set `kernel.unprivileged_userns_clone=0` + + because it breaks too much + + fixes https://github.com/Kicksecure/security-misc/issues/274 + +commit f401d94d5e0d0f26e93be55deda440fe565a6b22 +Author: Patrick Schleizer +Date: Thu Oct 3 02:44:06 2024 -0400 + + expand documentation on `kernel.unprivileged_userns_clone=0` sysctl + + https://github.com/Kicksecure/security-misc/issues/274 + +commit 5572eb897a10455041df8abec6b6be6de29431a0 +Author: Patrick Schleizer +Date: Wed Sep 25 01:03:42 2024 +0000 + + bumped changelog version + commit e04f9cd4c17305d5201aa973c34778e81508734b Merge: 18d426f 65aa910 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 57ee04b..dc8edc6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 + security-misc (3:39.8-1) unstable; urgency=medium * New upstream version (local package). From dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 6 Oct 2024 10:46:05 +0000 Subject: [PATCH 1428/1650] Remmove deprecated link --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 481a6c0..071af7f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,6 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It attempts to implement all recommended Linux kernel settings by the KSPP and many more sources. -- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings - https://github.com/KSPP/kspp.github.io 
@@ -200,7 +199,7 @@ Networking: out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. - + ### Kernel Self Protection Project (KSPP) compliance status **Summary:** From 263335f74ea0f050f9c259e20141c3345e7fa789 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Oct 2024 11:24:56 +0000 Subject: [PATCH 1429/1650] bumped changelog version --- changelog.upstream | 59 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 65 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f86e577..6209403 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,38 @@ +commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 +Merge: 8a2d432 8227a3d +Author: Patrick Schleizer +Date: Tue Oct 8 05:54:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8227a3dde2995ceb113164baf49591d52c2b53e1 +Merge: 8a2d432 0c0774f +Author: Patrick Schleizer +Date: Tue Oct 8 05:53:48 2024 -0400 + + Merge pull request #273 from raja-grewal/text_2 + + Documentation update 2 + +commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 +Merge: dc470ca 8a2d432 +Author: raja-grewal +Date: Sun Oct 6 10:48:52 2024 +0000 + + Merge branch 'master' into text_2 + +commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f +Author: raja-grewal +Date: Sun Oct 6 10:46:05 2024 +0000 + + Remmove deprecated link + +commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b +Author: Patrick Schleizer +Date: Thu Oct 3 07:22:23 2024 +0000 + + bumped changelog version + commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c Author: Patrick Schleizer Date: Thu Oct 3 02:58:58 2024 -0400 
@@ -16,6 +51,30 @@ Date: Thu Oct 3 02:44:06 2024 -0400 https://github.com/Kicksecure/security-misc/issues/274 +commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 +Author: raja-grewal +Date: Mon Sep 30 16:56:18 2024 +1000 + + Consistent formatting + +commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 +Author: raja-grewal +Date: Thu Sep 26 13:10:36 2024 +0000 + + README.md: Show the current max_map_count + +commit f3b50a23c976ba4feff34eee721c50f698ecc5bf +Author: raja-grewal +Date: Thu Sep 26 13:10:01 2024 +0000 + + Add reference on unprivileged_userns_restriction + +commit 39d063d494cb540f45747f6253ab896200ba03c3 +Author: raja-grewal +Date: Thu Sep 26 13:09:21 2024 +0000 + + Add KSPP=no definition + commit 5572eb897a10455041df8abec6b6be6de29431a0 Author: Patrick Schleizer Date: Wed Sep 25 01:03:42 2024 +0000 diff --git a/debian/changelog b/debian/changelog index dc8edc6..c607a93 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 + security-misc (3:39.9-1) unstable; urgency=medium * New upstream version (local package). From 09fe46adc956e8c6de232f1093c37cdd30933acd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 02:54:30 +0000 Subject: [PATCH 1430/1650] Clarify KSPP compliance header for the undocumented case --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + etc/default/grub.d/40_kernel_hardening.cfg | 1 + etc/default/grub.d/40_remount_secure.cfg | 1 + etc/default/grub.d/40_signed_modules.cfg | 1 + etc/default/grub.d/41_quiet_boot.cfg | 1 + usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 + usr/lib/sysctl.d/990-security-misc.conf | 1 + 8 files changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 5960e14..e426673 100644 
--- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ad7e61a..e41dabb 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is split into 4 sections: ## 1. Kernel Space diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index f92991a..f06235b 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure 
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index b33dceb..75cd3bb 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Require every kernel module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 33b412d..9623625 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index da77fd7..5c38e38 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## NOTE: ## This configuration is in a dedicated file because the ram-wipe package diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 44b0b25..a1fd57e 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e4ae584..6009fc4 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -10,6 +10,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is divided into 5 sections: ## 1. Kernel Space From a9f238fe048acfeff49f96c00570acc6ca4c37e8 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 02:57:31 +0000 Subject: [PATCH 1431/1650] README.md: Split optional setting to new line --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c700ba8..a29cc29 100644 
--- a/README.md +++ b/README.md @@ -46,7 +46,8 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - Optional - Force immediate reboot on the occurrence of a single kernel panic and also + +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From eb72163d5707c7673db1f12405d2e04261bd43c8 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 03:01:15 +0000 Subject: [PATCH 1432/1650] README.md: Make line lengths consistent --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a29cc29..c23d261 100644 --- a/README.md +++ b/README.md @@ -207,13 +207,15 @@ Networking: **Summary:** -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. * [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. **Partial compliance:** 
@@ -225,7 +227,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. 2. `sysctl kernel.panic=-1` -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) @@ -240,7 +243,8 @@ Disables user namespaces entirely. Not recommended due to the potential for wide 4. `sysctl fs.binfmt_misc.status=0` -Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) From 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Oct 2024 10:57:20 +0000 Subject: [PATCH 1433/1650] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6209403..0d74dbf 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,43 @@ +commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 +Merge: 263335f e50ad80 +Author: Patrick Schleizer +Date: Wed Oct 16 06:31:09 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e50ad807c01b5753c67d579126d7b79d38070c0a +Merge: 263335f eb72163 +Author: Patrick Schleizer +Date: Wed Oct 16 06:29:25 2024 -0400 + + Merge pull request #276 from raja-grewal/KSPP_header + + Clarify KSPP compliance header + +commit eb72163d5707c7673db1f12405d2e04261bd43c8 +Author: raja-grewal +Date: Mon Oct 14 03:01:15 2024 +0000 + + README.md: Make line lengths consistent + +commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 +Author: raja-grewal +Date: Mon Oct 14 02:57:31 2024 +0000 + + README.md: Split optional setting to new line + +commit 09fe46adc956e8c6de232f1093c37cdd30933acd +Author: raja-grewal +Date: Mon Oct 14 02:54:30 2024 +0000 + + Clarify KSPP compliance header for the undocumented case + +commit 263335f74ea0f050f9c259e20141c3345e7fa789 +Author: Patrick Schleizer +Date: Tue Oct 8 11:24:56 2024 +0000 + + bumped changelog version + commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 Merge: 8a2d432 8227a3d Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index c607a93..6931cd6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 + security-misc (3:40.0-1) unstable; urgency=medium * New upstream version (local package). From b6433309fd7d6839cfba89e1197590e1ff62ef58 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 18 Oct 2024 12:45:02 -0400 Subject: [PATCH 1434/1650] use end-of-options --- .../security-misc/pam-abort-on-locked-password | 4 ++-- usr/libexec/security-misc/pam-info | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index bb1a3ee..4e02f3c 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -7,7 +7,7 @@ ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -passwd_bin="$(type -P "passwd")" +passwd_bin="$(type -P -- "passwd")" if ! test -x "$passwd_bin" ; then echo "\ @@ -17,7 +17,7 @@ See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >& exit 2 fi -if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then +if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 3 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index aa730de..6f2172c 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
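Review bot: The `--` on `"$passwd_bin" -S -- "$PAM_USER"` guards against a login name beginning with `-`, but the same commit still locates `passwd` through `$PATH` with `type -P -- "passwd"`; which PATH a PAM helper inherits depends on the environment the calling PAM service hands to pam_exec, so an absolute `/usr/bin/passwd` kept behind the existing `test -x` check would make the lookup deterministic. That this script runs under pam_exec is inferred from its use of `$PAM_USER`; its head is outside both hunks. Because stderr of `passwd -S` is discarded, the `user "$PAM_USER" does not exist` message on the following line is also printed when `passwd -S` fails for any other reason; letting that stderr reach the PAM log instead of `2>/dev/null` would make lockout reports easier to triage.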
@@ -32,22 +32,22 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" +grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! echo "$grep_result" | grep -q "#" ; then + if ! echo "$grep_result" | grep --quiet -- "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then console_allowed=true fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then console_allowed=true fi @@ -102,7 +102,7 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi @@ -159,7 +159,7 @@ fi deny=3 if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") + deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" ## Example: #deny=50 
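Review bot: `grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny ="` in the @@ -159 hunk only recognises the threshold when the line is spelled exactly `deny = N` with no trailing comment; `deny=50` or `deny = 50 # reason` silently falls back to `deny=3`, so the attempt count the user is shown disagrees with what pam_faillock actually enforces. Anchoring on the key and stripping comments afterwards, e.g. `deny_line=$(grep -E -- '^[[:space:]]*deny[[:space:]]*=' /etc/security/faillock.conf | sed -e 's/#.*//')`, follows faillock.conf's own syntax. Separately, the `--` added to `faillock --user -- "$PAM_USER"` in the @@ -102 hunk is not accepted by faillock, as a later comment in this series itself states, so the status query fails and the script exits before showing any count; the same unsupported `--` is written into the user-facing unlock instruction `faillock --reset --user -- $PAM_USER` in the @@ -181 hunk, which a locked-out administrator would copy verbatim and which no later commit in view corrects. The `if test -f /etc/security/faillock.conf` block of the @@ -159 hunk appears to continue outside it.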
@@ -181,7 +181,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user $PAM_USER +faillock --reset --user -- $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From 690e8dd826d1cb39c0c12c03792781862cc2dd23 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 19 Oct 2024 23:49:07 -0500 Subject: [PATCH 1435/1650] Avoid faillock lock/tally reset on reboot or timeout --- debian/security-misc.postinst | 3 +++ etc/security/faillock.conf.security-misc | 11 +++++++--- usr/libexec/security-misc/pam-info | 5 ++++- ...ty-misc => faillock-preauth-security-misc} | 7 ++----- usr/share/pam-configs/faillock2-security-misc | 8 -------- .../pam-configs/unix-faillock-security-misc | 20 +++++++++++++++++++ 6 files changed, 37 insertions(+), 17 deletions(-) rename usr/share/pam-configs/{faillock-security-misc => faillock-preauth-security-misc} (60%) delete mode 100644 usr/share/pam-configs/faillock2-security-misc create mode 100644 usr/share/pam-configs/unix-faillock-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index e232778..41aa3dc 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -52,6 +52,9 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true + + ## state dir for faillock + mkdir -p /var/lib/security-misc/faillock ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index d52c196..3442279 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc 
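Review bot: `mkdir -p /var/lib/security-misc/faillock` leaves the tally directory's mode to the maintainer script's umask and does not register the directory with dpkg, so it is neither listed by `dpkg -L` nor removed on purge, even though the records it holds are the failed-attempt history an administrator consults when investigating a lockout. `mkdir --parents --mode=0755 -- /var/lib/security-misc/faillock` pins the mode, and a purge step in postrm (or shipping the directory in the package's directory list) keeps that state under package control. What ownership and mode pam_faillock requires for a non-default `dir` is not visible here, so confirm root-owned 0755 against the module's documentation rather than relying on the umask. The `case` statement enclosing this hunk starts and ends outside it.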
@@ -6,7 +6,7 @@
 #
 # The directory where the user files with the failure records are kept.
 # The default is /var/run/faillock.
-# dir = /var/run/faillock
+dir = /var/lib/security-misc/faillock
 #
 # Will log the user name into the system log if the user is not found.
 # Enabled if option is present.
@@ -38,14 +38,19 @@ deny = 50
 # authentication failures must happen for the user account
 # lock out is n seconds.
 # The default is 900 (15 minutes).
-# fail_interval = 900
+# security-misc note: the interval should be set to infinity if possible,
+# however pam_faillock arbitrarily limits this variable to a maximum of 604800
+# seconds (7 days). See
+# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59
+# for details. Therefore we set this to the maximum allowable value of 7 days.
+fail_interval = 604800
 #
 # The access will be re-enabled after n seconds after the lock out.
 # The value 0 has the same meaning as value `never` - the access
 # will not be re-enabled without resetting the faillock
 # entries by the `faillock` command.
 # The default is 600 (10 minutes).
-# unlock_time = 600
+unlock_time = never
 #
 # Root account can become locked as well as regular accounts.
 # Enabled if option is present.
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 6f2172c..50dd9d7 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -21,6 +21,9 @@ true "$0: START PHASE 2"
 
 set -o pipefail
 
+## Named constants.
+pam_faillock_state_dir="/var/lib/security-misc/faillock"
+
 ## Debugging.
 who_ami="$(whoami)"
 true "$0: who_ami: $who_ami"
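Review bot: `unlock_time = never`, together with the persistent `dir = /var/lib/security-misc/faillock` from the first hunk, turns the lockout from a rate limit into a reboot-surviving denial that only a manual `faillock --reset` clears: any PAM-using service reachable by an untrusted party lets `deny = 50` be exhausted against a known account name, locking it until an administrator intervenes, and if `even_deny_root` (documented right after this hunk; its state is not visible) is set, that includes root. The new comment explains the 7-day cap on `fail_interval` but not this trade-off; a line such as `# security-misc note: with unlock_time = never the lock persists across reboots and is only cleared by 'faillock --reset --user <name>'; this assumes local console authentication, not PAM services exposed to untrusted networks.` records the decision next to the setting. `fail_interval = 604800` also means failures more than 7 days apart never accumulate, which is worth saying beside `deny = 50` so readers do not take the count as lifetime.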
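Review bot: `pam_faillock_state_dir="/var/lib/security-misc/faillock"` is the third copy of the tally path in this commit, beside `dir =` in faillock.conf.security-misc and the `mkdir -p` in the postinst, with nothing tying them together; if one is later changed, `faillock --dir` reports a different tally than pam_faillock writes and the count shown to the user is wrong. A comment on the constant, `## Must match 'dir =' in /etc/security/faillock.conf and the mkdir in debian/security-misc.postinst.`, makes the coupling visible; reading `dir` from faillock.conf at runtime, as the script already does for `deny` further down, would remove it.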
@@ -102,7 +105,7 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-security-misc rename to usr/share/pam-configs/faillock-preauth-security-misc index d337690..f72826c 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-preauth-security-misc @@ -1,11 +1,8 @@ -Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) Default: yes -Priority: 290 +Priority: 1024 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth -Account-Type: Primary -Account: - requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc deleted file mode 100644 index 7bc5fb7..0000000 --- a/usr/share/pam-configs/faillock2-security-misc +++ /dev/null @@ -1,8 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) -Default: yes -Priority: 245 -Auth-Type: Primary -Auth: - [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - sufficient pam_faillock.so authsucc 
diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc new file mode 100644 index 0000000..876ffa8 --- /dev/null +++ b/usr/share/pam-configs/unix-faillock-security-misc @@ -0,0 +1,20 @@ +Name: Unix authentication with faillock (by package security-misc) +Default: yes +Priority: 384 +Auth-Type: Primary +Auth: + [success=3 default=ignore] pam_unix.so nullok try_first_pass + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so +Auth-Initial: + [success=3 default=ignore] pam_unix.so nullok + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so From 5991a23049491dd04c19d9ea80f7d7381dd494a0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Oct 2024 05:47:25 -0400 Subject: [PATCH 1436/1650] comment --- usr/libexec/security-misc/pam-info | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 50dd9d7..930679a 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -105,6 +105,8 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. +## +## end-of-options ("--") unsupported by faillock. if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 
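Review bot: The new `unix-faillock-security-misc` profile carries its own `pam_unix.so nullok try_first_pass` line at priority 384, ahead of the distribution's `unix` profile, so it now owns primary password authentication and any site-level tuning of the stock `unix` profile (removing `nullok`, hash rounds, `use_authtok`) no longer applies on the path that counts failures. That is a notable consequence of this commit and is not mentioned in the description or README; `nullok` in particular deserves a sentence, since a hardening package is explicitly keeping empty-password logins enabled here. The `Auth-Initial` block repeats `Auth` line for line except for `try_first_pass`, which is what pam-auth-update's two sections exist for, but it means every future change has to be made twice; a short note in README that the two blocks must stay in sync would save the next editor a subtle divergence.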
From 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Oct 2024 05:47:38 -0400 Subject: [PATCH 1437/1650] output --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 930679a..32fdeaf 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -186,7 +186,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user -- $PAM_USER +faillock --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From b44e507900defe3db68f31f3e110b1c3e5aa684c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 23 Oct 2024 09:56:05 +0000 Subject: [PATCH 1438/1650] bumped changelog version --- changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0d74dbf..733892c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
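Review bot: The unlock instruction printed to the user, `faillock --reset --user $PAM_USER`, does not pass `--dir`, while the lookup earlier in this file (hunk of `690e8dd8`) calls `faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER"`; unless the faillock CLI reads `dir` from faillock.conf on every supported release, a reset without `--dir` targets the default /var/run/faillock and leaves the persistent tally untouched, so the user stays locked after following the advice. Since `$PAM_USER` is already expanded in this text, the heredoc appears to be unquoted and the constant can be used the same way: `faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER`. Dropping the `--` is consistent with the note added in `5991a230`. The heredoc enclosing this hunk starts and ends outside it.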
@@ -1,3 +1,40 @@ +commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:38 2024 -0400 + + output + +commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:25 2024 -0400 + + comment + +commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 +Merge: b643330 690e8dd +Author: Patrick Schleizer +Date: Mon Oct 21 05:43:53 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 +Author: Aaron Rainbolt +Date: Sat Oct 19 23:49:07 2024 -0500 + + Avoid faillock lock/tally reset on reboot or timeout + +commit b6433309fd7d6839cfba89e1197590e1ff62ef58 +Author: Patrick Schleizer +Date: Fri Oct 18 12:45:02 2024 -0400 + + use end-of-options + +commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a +Author: Patrick Schleizer +Date: Wed Oct 16 10:57:20 2024 +0000 + + bumped changelog version + commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 Merge: 263335f e50ad80 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 6931cd6..6750d26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 + security-misc (3:40.1-1) unstable; urgency=medium * New upstream version (local package). From 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:03:20 -0400 Subject: [PATCH 1439/1650] refactoring --- usr/libexec/security-misc/hide-hardware-info | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index f6a963b..c61f41b 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -28,8 +28,7 @@ selinux=0 shopt -s nullglob ## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf -do +for i in /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" done @@ -63,8 +62,7 @@ create_whitelist() { ## and /proc/scsi to the root user only. This hides ## many hardware identifiers from ordinary users ## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys -do +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do if [ -e "${i}" ]; then if [ "${i}" = "/sys" ]; then if [ "${sysfs}" = "1" ]; then @@ -99,8 +97,7 @@ done if [ "${sysfs}" = "1" ]; then ## restrict permissions on everything but ## what is needed - for i in /sys/* /sys/fs/* - do + for i in /sys/* /sys/fs/* ; do ## Using '|| true': ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then From d00235897d686895a7e2e7da7435832fee008164 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:03:59 -0400 Subject: [PATCH 1440/1650] hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index c61f41b..40e31c2 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -28,7 +28,7 @@ selinux=0 shopt -s nullglob ## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf ; do +for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" done From fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:06:05 -0400 Subject: [PATCH 1441/1650] refactoring --- usr/libexec/security-misc/hide-hardware-info | 27 ++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) 
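Review bot: The loop now also executes `source "${i}"` for `/usr/local/etc/hide-hardware-info.d/*.conf` while the script runs as root, and on Debian-derived systems the `/usr/local` tree is conventionally group `staff` with mode 2775, so a member of `staff` can create that directory and a `.conf` whose contents run with root privileges on the next run; `bash -n "${i}"` is a syntax check only and does not constrain what the file does. If that trust in `staff` is unintended, check ownership before sourcing, e.g. `[ "$(stat -c '%u' "${i}")" = "0" ] || { echo "$0: WARNING: skipping non-root-owned ${i}" >&2; continue; }`, or document the trust boundary next to the loop. Note also that the `/etc` glob is sourced after the `/usr/local/etc` one, so `/etc` settings override `/usr/local/etc` settings; if the usual "local overrides distro" precedence was intended, the two globs should be swapped. The loop is fully visible in the hunk.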
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 40e31c2..9eaae72 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -17,21 +17,25 @@ run_cmd_whitelist() { echo "$0: INFO: START" -sysfs_whitelist=1 -cpuinfo_whitelist=1 +default_variables_set() { + sysfs_whitelist=1 + cpuinfo_whitelist=1 -sysfs=1 + sysfs=1 -## https://www.kicksecure.com/wiki/Security-misc#selinux -selinux=0 + ## https://www.kicksecure.com/wiki/Security-misc#selinux + selinux=0 +} shopt -s nullglob -## Allows for disabling the whitelist. -for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do - bash -n "${i}" - source "${i}" -done +parse_configuration() { + ## Allows for disabling the whitelist. + for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do + bash -n "${i}" + source "${i}" + done +} create_whitelist() { if [ "${1}" = "sysfs" ]; then @@ -55,6 +59,9 @@ create_whitelist() { fi } +default_variables_set +parse_configuration + ## sysfs and debugfs expose a lot of information ## that should not be accessible by an unprivileged ## user which includes hardware info, debug info and From ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:06:26 -0400 Subject: [PATCH 1442/1650] refactoring --- usr/libexec/security-misc/hide-hardware-info | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 9eaae72..2929d83 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -4,6 +4,7 @@ ## See the file COPYING for copying conditions. set -e +shopt -s nullglob run_cmd() { echo "INFO: normal executing : $@" 
@@ -27,8 +28,6 @@ default_variables_set() { selinux=0 } -shopt -s nullglob - parse_configuration() { ## Allows for disabling the whitelist. for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do From 0d506156587f87a303184f22259ffb57dd92cbc8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:07:00 -0400 Subject: [PATCH 1443/1650] local --- usr/libexec/security-misc/hide-hardware-info | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 2929d83..68ec73c 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -30,6 +30,7 @@ default_variables_set() { parse_configuration() { ## Allows for disabling the whitelist. + local i for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" From cfe19e31d858d7899f4d95e21117c992d236d328 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:09:53 -0400 Subject: [PATCH 1444/1650] shell options --- usr/libexec/security-misc/hide-hardware-info | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 68ec73c..df335bd 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -3,7 +3,10 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -set -e +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail shopt -s nullglob run_cmd() { From 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:10:19 -0400 Subject: [PATCH 1445/1650] minor --- usr/libexec/security-misc/hide-hardware-info | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index df335bd..ad532b5 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -24,9 +24,7 @@ echo "$0: INFO: START" default_variables_set() { sysfs_whitelist=1 cpuinfo_whitelist=1 - sysfs=1 - ## https://www.kicksecure.com/wiki/Security-misc#selinux selinux=0 } From 3af2684134279ba6f5b18b40986f02a50baa5604 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 30 Oct 2024 09:43:05 +0000 Subject: [PATCH 1446/1650] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 733892c..4516505 100644 --- a/changelog.upstream +++ b/changelog.upstream 
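Review bot: Removing `sysfs=1` from `default_variables_set` leaves `${sysfs}` unset unless a drop-in `.conf` assigns it, and the script now runs under `set -o nounset` (hunk of `cfe19e31`), so the `if [ "${sysfs}" = "1" ]` tests still present in the hunks of `6c2e808b` would abort with an unbound-variable error instead of taking the else branch — on a system with no drop-in the script dies partway through the hardening loop. Either keep `sysfs=1` here, or default it at the use sites as `"${sysfs:-1}"`. The commit message "minor" hides that this is a behavioural change; the removed blank line is harmless, the removed assignment is not. The conditionals that read `sysfs` are outside this hunk.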
@@ -1,3 +1,51 @@ +commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 +Author: Patrick Schleizer +Date: Mon Oct 28 05:10:19 2024 -0400 + + minor + +commit cfe19e31d858d7899f4d95e21117c992d236d328 +Author: Patrick Schleizer +Date: Mon Oct 28 05:09:53 2024 -0400 + + shell options + +commit 0d506156587f87a303184f22259ffb57dd92cbc8 +Author: Patrick Schleizer +Date: Mon Oct 28 05:07:00 2024 -0400 + + local + +commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:26 2024 -0400 + + refactoring + +commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:05 2024 -0400 + + refactoring + +commit d00235897d686895a7e2e7da7435832fee008164 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:59 2024 -0400 + + hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` + +commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:20 2024 -0400 + + refactoring + +commit b44e507900defe3db68f31f3e110b1c3e5aa684c +Author: Patrick Schleizer +Date: Wed Oct 23 09:56:05 2024 +0000 + + bumped changelog version + commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 Author: Patrick Schleizer Date: Mon Oct 21 05:47:38 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 6750d26..ce0a844 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 + security-misc (3:40.2-1) unstable; urgency=medium * New upstream version (local package). From a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 03:58:23 +0000 Subject: [PATCH 1447/1650] Provide option to drop gratuitous ARP packets --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) 
diff --git a/README.md b/README.md index c23d261..3404414 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,9 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..2bec703 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -526,3 +526,14 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 From 8107782fa54ec0e21893e6bd4a6baabb71eb864b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 15:36:04 +1100 Subject: [PATCH 1448/1650] Enable `ssbd=force-on` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e426673..1b900c0 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -47,10 +47,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). +## Unconditionally enable mitigation for both kernel and userspace. ## ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. From 5bd0a277bf39812c6adf40a7a3ef6390935fa08e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Nov 2024 06:29:17 -0500 Subject: [PATCH 1449/1650] fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" no longer user end-of-options marker (`--`) for `setcap` since setcap does not support it Fixes https://github.com/QubesOS/qubes-issues/issues/9569 https://forums.whonix.org/t/permission-hardener-error/20719 --- usr/bin/permission-hardener | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index ad6f9b8..e5039c0 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -539,7 +539,12 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore verbose setcap -r -- "${fso}" + ## + ## NOTE: setcap does not support End-of-Options Marker ('--') yet. + ## setcap bug report: + ## setcap Command Does Not Support End-of-Options Marker ('--') + ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 + echo_wrapper_ignore verbose setcap -r "${fso}" getcap_output="$(getcap -- "${fso}")" if test -n "${getcap_output}"; then exit_code=205 From 4c649577f053af12bcd02c20576bf2d8aec1476d Mon Sep 17 00:00:00 2001 
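Review bot: `ssbd=` is an arm64 kernel parameter (the arm64 Speculative Store Bypass Disable control, taking `force-on`, `force-off` or `kernel`), so on x86 the kernel does not recognise it and `spec_store_bypass_disable=on` on the preceding line remains the only effective control; the new comment `## Unconditionally enable mitigation for both kernel and userspace.` therefore reads as if it applied everywhere. Suggest qualifying it, e.g. `## ssbd=force-on is honoured on arm64 only; x86 uses spec_store_bypass_disable= above.` Unrecognised parameters are harmless in effect but are passed through to init's environment and, on recent kernels, reported as unknown in the boot log, which is worth knowing when someone audits dmesg.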
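Review bot: With `--` removed, `setcap -r "${fso}"` would treat a `${fso}` that begins with `-` as an option; the commit message's example `/bin/ping` suggests paths here are always absolute, which makes this moot in practice, but the invariant is not visible in the hunk and `set_file_perms` starts outside it. A cheap guard before the call keeps the bugzilla workaround from silently becoming an option-injection path later, e.g. `case "${fso}" in /*) ;; *) echo "ERROR: refusing non-absolute path '${fso}'" >&2; return 1 ;; esac` — adapt it to the function's existing error convention (the `exit_code=205` style visible below) rather than copying it literally. The following `getcap -- "${fso}"` keeps its `--`, which is fine since only setcap lacks support per the linked report.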
From: Patrick Schleizer Date: Sun, 10 Nov 2024 11:52:42 +0000 Subject: [PATCH 1450/1650] bumped changelog version --- changelog.upstream | 41 +++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 47 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4516505..df7fcb6 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,44 @@ +commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd +Merge: 5bd0a27 238f32e +Author: Patrick Schleizer +Date: Sun Nov 10 06:32:30 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e +Author: Patrick Schleizer +Date: Sun Nov 10 06:29:17 2024 -0500 + + fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" + + no longer user end-of-options marker (`--`) for `setcap` + since setcap does not support it + + Fixes https://github.com/QubesOS/qubes-issues/issues/9569 + + https://forums.whonix.org/t/permission-hardener-error/20719 + +commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 +Merge: 3af2684 8107782 +Author: Patrick Schleizer +Date: Fri Nov 8 07:39:40 2024 -0500 + + Merge pull request #280 from raja-grewal/ssbd + + Enable `ssbd=force-on` + +commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b +Author: raja-grewal +Date: Fri Nov 8 15:36:04 2024 +1100 + + Enable `ssbd=force-on` + +commit 3af2684134279ba6f5b18b40986f02a50baa5604 +Author: Patrick Schleizer +Date: Wed Oct 30 09:43:05 2024 +0000 + + bumped changelog version + commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 Author: Patrick Schleizer Date: Mon Oct 28 05:10:19 2024 -0400 diff --git a/debian/changelog b/debian/changelog index ce0a844..6fcb3e3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:40.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 + security-misc (3:40.3-1) unstable; urgency=medium * New upstream version (local package). From 29ae5f5980d521f6a4b468f5bf41210f78fdf10a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:28:31 -0500 Subject: [PATCH 1451/1650] fix optional opt-in `harden-module-loading.service` by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable Thanks to @ArrayBolt3 for the bug report! --- usr/libexec/security-misc/disable-kernel-module-loading | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 usr/libexec/security-misc/disable-kernel-module-loading diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading old mode 100644 new mode 100755 From 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:36:41 -0500 Subject: [PATCH 1452/1650] fix `panic-on-oops.service` remove `After=multi-user.target` because already using `WantedBy=multi-user.target` Thanks to @ArrayBolt3 for the bug report! --- usr/lib/systemd/system/panic-on-oops.service | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index cf13053..425ab5c 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -7,7 +7,6 @@ Documentation=https://github.com/Kicksecure/security-misc ConditionKernelCommandLine=!panic-on-oops=0 -After=multi-user.target After=graphical.target After=getty.target From ef05b1a160b24d5aa42da9cc15009d94a37cf120 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:40:41 -0500 Subject: [PATCH 1453/1650] disable legacy matroxfb_base framebuffer driver fix typo matroxfb_bases -> matroxfb_base Thanks to @ArrayBolt3 for the bug report! --- etc/modprobe.d/30_security-misc_disable.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 3df5a51..561441a 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -262,7 +262,7 @@ install i810fb /usr/bin/disabled-framebuffer-by-security-misc install intelfb /usr/bin/disabled-framebuffer-by-security-misc install kyrofb /usr/bin/disabled-framebuffer-by-security-misc install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc install neofb /usr/bin/disabled-framebuffer-by-security-misc install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc install pm2fb /usr/bin/disabled-framebuffer-by-security-misc From 7c06e22c7d11c345428f3ad42ba43805ebc8d810 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:43:25 -0500 Subject: [PATCH 1454/1650] deleted `/usr/bin/pkexec.security-misc` This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://forums.whonix.org/t/cannot-use-pkexec/8129 This was a worthwhile effort, interesting approach but ultimately a dead-end. --- usr/bin/pkexec.security-misc | 132 ----------------------------------- 1 file changed, 132 deletions(-) delete mode 100755 usr/bin/pkexec.security-misc 
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc deleted file mode 100755 index 3739391..0000000 --- a/usr/bin/pkexec.security-misc +++ /dev/null 
@@ -1,132 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -## hidepid. -## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -## * https://forums.whonix.org/t/cannot-use-pkexec/8129 - -set -e - -my_real_path="$(realpath "$0")" || true -identifier="$my_real_path wrapper" -exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 - -log_to_journal() { - echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true -} - -log_to_journal "$0 $@" -log_to_journal "DISPLAY: '$DISPLAY'" -my_pstree="$(pstree -p $$)" || true -log_to_journal "my_pstree: '$my_pstree'" - -## If hidepid is not in use, just use pkexec normally. -if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then - pkexec.security-misc-orig "$@" - exit $? -fi - -switch_user=false - -original_args="$@" - -## Thanks to: -## https://mywiki.wooledge.org/BashFAQ/035 - -while : -do - case $1 in - ## Should show 'pkexec --version' or fail? - --version) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Should show 'pkexec --help' or fail? - --help) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Drop --disable-internal-agent as not needed and breaking both, - ## lxqt-sudo and sudo. - --disable-internal-agent) - shift - ;; - --user) - ## lxqt-sudo does not support "--user". - ## We should not make this wrapper run something as root which - ## is supposed to run under a different user. Try using - ## "sudo -A --user user --set-home" instead. 
- user_pkexec_wrapper="$2" - if [ "$user_pkexec_wrapper" = "" ]; then - shift - else - shift 2 - fi - switch_user=true - maybe_switch_to_user="--user $user_pkexec_wrapper" - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -## If there are input files (for example) that follow the options, they -## will remain in the "$@" positional parameters. - -if [ "$PKEXEC_UID" = "" ]; then - if [ ! "$user_pkexec_wrapper" = "" ]; then - PKEXEC_UID="$user_pkexec_wrapper" - elif [ ! "$SUDO_USER" = "" ]; then - PKEXEC_UID="$SUDO_USER" - else - PKEXEC_UID="$(whoami)" - fi -fi -export PKEXEC_UID - -if [[ "$@" = "" ]]; then - ## Call original pkexec in case there are no arguments. - pkexec.security-misc-orig $original_args - exit $? -fi - -exit_code=0 - -## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. -## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. -## Did not work. 'sudo -l' will always exit with exit code '0'. -# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then -# log_to_journal "sudoers exception: yes" -# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -# log_to_journal "sudo --user | exit_code: '$exit_code'" -# exit "$exit_code" -# fi -# -# log_to_journal "sudoers exception: no" - -if [ "$switch_user" = "true" ]; then - ## 'sudo --user user' clears environment variables such as PATH. - lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -else - ## set PATH same as root - ## This is required for gdebi. - ## REVIEW: is it ok that users can find out the PATH setting of root? - ## lxqt-sudo does not clear environment variable PATH. - PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" - export PATH - lxqt-sudo "$@" || { exit_code=$? ; true; }; -fi - -log_to_journal "exit_code: '$exit_code'" - -exit "$exit_code" 
From 50161f5d79eea2ab796863e4eb30eccc17e0b41d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:48:11 -0500 Subject: [PATCH 1455/1650] moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc --- debian/security-misc.maintscript | 3 +++ .../framework.conf.d/30_security-misc.conf | 20 ------------------- 2 files changed, 3 insertions(+), 20 deletions(-) delete mode 100644 etc/dkms/framework.conf.d/30_security-misc.conf diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index b875fd4..f6d6a83 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -81,3 +81,6 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg ## renamed to /etc/default/grub.d/41_quiet_boot.cfg rm_conffile /etc/default/grub.d/41_quiet.cfg + +## moved to usability-misc +rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf deleted file mode 100644 index abf9a78..0000000 --- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. -## This does not necessarily belong into security-misc. -## -## Example here: -## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 -## -## This might no longer be possible in the future. See: -## "Stop handling dkms.conf as a bash/shell script" -## https://github.com/dell/dkms/issues/414 -ENOUGH_RAM="1950" -total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" -if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then - true "INFO: Enough RAM available. Not lowering compilation cores." -else - true "INFO: Not enough RAM available. Lowering compilation cores to 1." - parallel_jobs=1 -fi From 65fc0419a84d62e07c61d7e37ef27d144b6b6794 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 11:07:57 +0000 Subject: [PATCH 1456/1650] bumped changelog version --- changelog.upstream | 57 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 63 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index df7fcb6..40e9b99 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,60 @@ +commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d +Author: Patrick Schleizer +Date: Mon Nov 11 05:48:11 2024 -0500 + + moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc + +commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 +Author: Patrick Schleizer +Date: Mon Nov 11 05:43:25 2024 -0500 + + deleted `/usr/bin/pkexec.security-misc` + + This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: + + > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. + + * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 + * https://forums.whonix.org/t/cannot-use-pkexec/8129 + + This was a worthwhile effort, interesting approach but ultimately a dead-end. + +commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 +Author: Patrick Schleizer +Date: Mon Nov 11 05:40:41 2024 -0500 + + disable legacy matroxfb_base framebuffer driver + + fix typo matroxfb_bases -> matroxfb_base + + Thanks to @ArrayBolt3 for the bug report! + +commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 +Author: Patrick Schleizer +Date: Mon Nov 11 05:36:41 2024 -0500 + + fix `panic-on-oops.service` + + remove `After=multi-user.target` because already using `WantedBy=multi-user.target` + + Thanks to @ArrayBolt3 for the bug report! + +commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a +Author: Patrick Schleizer +Date: Mon Nov 11 05:28:31 2024 -0500 + + fix optional opt-in `harden-module-loading.service` + + by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable + + Thanks to @ArrayBolt3 for the bug report! + +commit 4c649577f053af12bcd02c20576bf2d8aec1476d +Author: Patrick Schleizer +Date: Sun Nov 10 11:52:42 2024 +0000 + + bumped changelog version + commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd Merge: 5bd0a27 238f32e Author: Patrick Schleizer 
diff --git a/debian/changelog b/debian/changelog index 6fcb3e3..9ce2b90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 + security-misc (3:40.4-1) unstable; urgency=medium * New upstream version (local package). From 8c2e8e69798e5255529ab3dbee6ca07b8b293100 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 01:41:12 -0500 Subject: [PATCH 1457/1650] deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover --- etc/sudoers.d/pkexec-security-misc | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 etc/sudoers.d/pkexec-security-misc diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc deleted file mode 100644 index bd78bde..0000000 --- a/etc/sudoers.d/pkexec-security-misc +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## REVIEW: is it ok that users can find out the PATH setting of root? -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path - -## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be -## set. Would otherwise error out with the following error message: -## "This program must only be run through pkexec" -## REVIEW: Can bad things be done by spoofing PKEXEC_UID? -#Defaults:ALL env_keep += "PKEXEC_UID" From 7987a3914d364e674eb7479b15708c450041af02 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 02:29:42 -0500 Subject: [PATCH 1458/1650] deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover --- etc/sudoers.d/xfce-security-misc | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 etc/sudoers.d/xfce-security-misc 
diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc deleted file mode 100644 index 3d26d7b..0000000 --- a/etc/sudoers.d/xfce-security-misc +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 -## /usr/share/polkit-1/actions/org.xfce.power.policy - -## Feel free to out comment this if you are not using xfce4-power-manager or Xfce. - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -## XXX: Should we allow this? -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate From 57e1edde23aa3f313ce087e00ebc14d158356d6c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 09:11:57 +0000 Subject: [PATCH 1459/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 40e9b99..dad0b22 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit 7987a3914d364e674eb7479b15708c450041af02 +Author: Patrick Schleizer +Date: Tue Nov 12 02:29:42 2024 -0500 + + deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover + +commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 +Author: Patrick Schleizer +Date: Tue Nov 12 01:41:12 2024 -0500 + + deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover + +commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 +Author: Patrick Schleizer +Date: Mon Nov 11 11:07:57 2024 +0000 + + bumped changelog version + commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d Author: Patrick Schleizer Date: Mon Nov 11 05:48:11 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9ce2b90..534a025 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 + security-misc (3:40.5-1) unstable; urgency=medium * New upstream version (local package). From c2aae73ce161811571e4c85609a0b043399c1b65 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:38:03 +0000 Subject: [PATCH 1460/1650] Add reference and move text --- README.md | 6 +++--- usr/lib/sysctl.d/990-security-misc.conf | 23 ++++++++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3404414..e167a87 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore bogus ICMP error responses. 
@@ -121,9 +124,6 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2bec703..054dcbf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## 
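Review bot: The caveat `## May cause breakages when ARP proxies are used in the network.` understates what gratuitous ARP is relied on for; IP failover (VRRP/keepalived), VM live migration and DHCP duplicate-address probing all announce address moves with gratuitous ARP, and a host that drops them keeps a stale neighbour entry until it ages out. Suggest extending the caveat with `## Also breaks IP failover (VRRP/keepalived), VM live migration and duplicate-address detection, which rely on gratuitous ARP announcements.` so the optional knob's trade-off is visible where it is enabled. The new ANSSI reference is a welcome addition; the kernel's own ip-sysctl documentation would be the authoritative one to cite alongside it.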
@@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -#net.ipv4.conf.*.drop_gratuitous_arp=1 From a25d4f8df88908e83e56049204aa625f1196a948 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:40:21 +0000 Subject: [PATCH 1461/1650] Provide option to enable ARP filtering --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Enable ARP (Address Resolution Protocol) filtering.
+## Prevents the Linux kernel from handling the ARP table globally
+## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
+## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+##
+#net.ipv4.conf.*.arp_filter=1
+
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
 ## Stops ARP responses sent by a device without being explicitly requested.
 ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
From 18aec201bfb0477fee8800ad1388099e11920016 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:41:25 +0000 Subject: [PATCH 1462/1650] Provide option to harden response to ARP requests
---
 README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++ 2 files changed, 10 insertions(+)
diff --git a/README.md b/README.md
index baa450d..ed9e4d7 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,9 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. +- Optional - Respond to ARP requests only if the target IP address is + on-link, preventing some IP spoofing attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 52d31de..a2c3198 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
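Review bot: The line `## Prevents the Linux kernel from handling the ARP table globally` does not describe what `arp_filter=1` does (and is missing its full stop); per the kernel's ip-sysctl documentation the knob makes an interface answer an ARP request only if the kernel would route a packet to the requester out of that same interface, which only changes behaviour on multi-homed hosts with several interfaces on one subnet and then requires source-based routing for all of them to stay reachable. Suggest replacing that line with `## Answer ARP requests on an interface only if the kernel would route to the requester via that interface (multi-homed hosts; may need source-based routing).` and adding `https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html` to the references. Worth noting next to the knob that the interface value is ORed with `conf/all`, so once the `*` glob sets it the filter cannot be relaxed for a single interface.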
@@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0
 ##
 #net.ipv4.conf.*.arp_filter=1
 
+## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
+## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+##
+#net.ipv4.conf.*.arp_ignore=2
+
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
 ## Stops ARP responses sent by a device without being explicitly requested.
 ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
From 141b84c40de76988ec78bdccf1c1d67fc4367b3f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:42:56 +0000 Subject: [PATCH 1463/1650] Provide option to deny sending and receiving shared media redirects
---
 README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ed9e4d7..50b3cf0 100644
--- a/README.md
+++ b/README.md
@@ -102,12 +102,15 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Deny sending and receiving shared media redirects to reduce + the risk of IP spoofing attacks. + - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. - + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index a2c3198..c43ca19 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
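Review bot: The comment `## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.` is not what `arp_ignore=2` does; per the kernel's ip-sysctl documentation mode 2 replies only when the target IP is a local address configured on the *incoming* interface and the sender's IP is in that interface's subnet (mode 1 is the local-on-incoming-interface check alone). Suggest `## Reply to ARP requests only if the target IP is configured on the receiving interface and the sender is in that interface's subnet (arp_ignore=2).` The kernel uses the maximum of `conf/all` and the per-interface value, so the `*` glob pins every interface at 2; setups that answer for addresses held on another interface or rely on proxy ARP will stop responding, which deserves a breakage caveat like the neighbouring entries carry.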
@@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Deny sending and receiving RFC1620 shared media redirects.
+## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
+## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
+## This variable overrides the use secure_redirects.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://datatracker.ietf.org/doc/html/rfc1620
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+##
+#net.ipv4.conf.*.shared_media=0
+
 ## Enable ARP (Address Resolution Protocol) filtering.
 ## Prevents the Linux kernel from handling the ARP table globally
 ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
From ef95b3f9a5aed9652c541cf4bf05b20011718466 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 14:41:14 -0500 Subject: [PATCH 1464/1650] Revert "fix `panic-on-oops.service`" This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751.
---
 usr/lib/systemd/system/panic-on-oops.service | 1 + 1 file changed, 1 insertion(+)
diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service
index 425ab5c..cf13053 100644
--- a/usr/lib/systemd/system/panic-on-oops.service
+++ b/usr/lib/systemd/system/panic-on-oops.service
@@ -7,6 +7,7 @@ Documentation=https://github.com/Kicksecure/security-misc
 ConditionKernelCommandLine=!panic-on-oops=0
+After=multi-user.target
 After=graphical.target
 After=getty.target
From 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 20:46:26 +0000 Subject: [PATCH 1465/1650] bumped changelog version
---
 changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+)
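Review bot: The line `## This variable overrides the use secure_redirects.` is garbled, and the hunk never says why the knob matters in this file: the surrounding context already carries `net.ipv4.conf.*.send_redirects=0` and the README hunk in this patch states that redirect acceptance is disabled too, so `shared_media=0` only changes anything if someone re-enables ICMP redirects. Suggest `## Overrides secure_redirects: with shared_media=0 the interface is treated as non-shared media, so redirects are only sent/accepted for gateways on the same logical subnet.` followed by `## Only relevant if ICMP redirect sending or acceptance is re-enabled above.` The frozentux tutorial is a very old secondary source; the kernel's ip-sysctl documentation is the better reference here.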
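Review bot: Restoring `After=multi-user.target` brings back exactly what the reverted commit removed, and neither the revert message nor the unit says why: the changelog earlier in this series records that the unit is `WantedBy=multi-user.target`, and a target complements its Wants= with an implicit After= on those units unless `DefaultDependencies=no` is set, so as far as I can tell from this hunk this is an ordering cycle that systemd resolves by dropping a job. If the unit's [Unit] section (outside the hunk) sets `DefaultDependencies=no` the line is fine, but that dependency should be stated next to it, e.g. `## Deliberately ordered after the target that pulls this unit in; relies on DefaultDependencies=no above.`, and the reason for the revert belongs in the commit message. The rest of the unit file is not visible here, so I cannot confirm which case applies.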
diff --git a/changelog.upstream b/changelog.upstream index dad0b22..7782fa4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit ef95b3f9a5aed9652c541cf4bf05b20011718466 +Author: Patrick Schleizer +Date: Thu Nov 14 14:41:14 2024 -0500 + + Revert "fix `panic-on-oops.service`" + + This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. + +commit 57e1edde23aa3f313ce087e00ebc14d158356d6c +Author: Patrick Schleizer +Date: Tue Nov 12 09:11:57 2024 +0000 + + bumped changelog version + commit 7987a3914d364e674eb7479b15708c450041af02 Author: Patrick Schleizer Date: Tue Nov 12 02:29:42 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 534a025..9ca0709 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 + security-misc (3:40.6-1) unstable; urgency=medium * New upstream version (local package). From c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 16:31:12 -0500 Subject: [PATCH 1466/1650] output --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index e5039c0..858679c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -26,7 +26,7 @@ source /usr/libexec/helper-scripts/log_run_die.sh echo_wrapper_ignore() { if test "${1}" = "verbose"; then shift - log notice "Run: $*" + log notice "Executing: $*" else shift fi @@ -36,7 +36,7 @@ echo_wrapper_ignore() { echo_wrapper_audit() { if test "${1}" = "verbose"; then shift - log notice "Run: $*" + log notice "Executing: $*" else shift fi From af43472d0ccdecb1725a200d10aeeb1b8d51f31a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 14 Nov 2024 22:24:50 +0000 Subject: [PATCH 1467/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7782fa4..2e26fb3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b +Author: Patrick Schleizer +Date: Thu Nov 14 16:31:12 2024 -0500 + + output + +commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 +Author: Patrick Schleizer +Date: Thu Nov 14 20:46:26 2024 +0000 + + bumped changelog version + commit ef95b3f9a5aed9652c541cf4bf05b20011718466 Author: Patrick Schleizer Date: Thu Nov 14 14:41:14 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9ca0709..1e46db1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 + security-misc (3:40.7-1) unstable; urgency=medium * New upstream version (local package). From d7475e252a64e296913ed8893261e52e72163d55 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 21 Nov 2024 20:03:42 -0600 Subject: [PATCH 1468/1650] Make apt-get-update able to be terminated securely --- usr/libexec/security-misc/apt-get-update | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 9c5dde1..3086e55 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update 
@@ -3,6 +3,13 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+write_pid_file() {
+  safe-rm -rf /tmp/security-misc-apt-get-update-pid;
+  install -m644 /dev/null /tmp/security-misc-apt-get-update-pid \
+    || exit 1
+  echo "$$" > /tmp/security-misc-apt-get-update-pid
+}
+
 sigterm_trap() {
   if [ "$lastpid" = "" ]; then
     exit 143
@@ -21,6 +28,8 @@ trap "sigterm_trap" SIGTERM SIGINT
 [ -n "$timeout_after" ] || timeout_after="600"
 [ -n "$kill_after" ] || kill_after="10"
 
+write_pid_file
+
 timeout \
   --kill-after="$kill_after" \
   "$timeout_after" \
From d32cb8c95b09721e52c4d682a0ddd39d590a4368 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:44:00 -0500 Subject: [PATCH 1469/1650] use TMP, sponge, refactoring
---
 usr/libexec/security-misc/apt-get-update | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update
index 3086e55..fecfe4f 100755
--- a/usr/libexec/security-misc/apt-get-update
+++ b/usr/libexec/security-misc/apt-get-update
@@ -4,10 +4,10 @@
 ## See the file COPYING for copying conditions.
 
 write_pid_file() {
-  safe-rm -rf /tmp/security-misc-apt-get-update-pid;
-  install -m644 /dev/null /tmp/security-misc-apt-get-update-pid \
-    || exit 1
-  echo "$$" > /tmp/security-misc-apt-get-update-pid
+  [[ -z "${TMP:-}" ]] && error "TMP is unset"
+  safe-rm -rf "$TMP/security-misc-apt-get-update-pid";
+  install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" || exit 1
+  echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid"
 }
 
 sigterm_trap() {
From f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:48:01 -0500 Subject: [PATCH 1470/1650] use strict shell options
---
 usr/libexec/security-misc/apt-get-update | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
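Review bot: `write_pid_file` writes a root-owned PID file at a fixed, predictable name in the world-writable `/tmp` using a remove-then-create sequence (`safe-rm -rf` followed by `install -m644`), so an unprivileged user who pre-creates that name, or races between the two commands, can steer what root deletes or where it writes unless `fs.protected_symlinks`/`fs.protected_regular` are enforced on the host; a root-only directory removes the race entirely. Suggest `pid_file="/run/security-misc-apt-get-update.pid"` used by all three commands (create the parent with `install -d -m755` if a subdirectory is wanted), which also makes the 0644 mode harmless since nothing else can replace the file. Whatever reads this PID to terminate the process is not in view, so I cannot tell whether world-readability is actually needed.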
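Review bot: The guard `[[ -z "${TMP:-}" ]] && error "TMP is unset"` calls an `error` function that is defined nowhere in the visible part of this script, so when `TMP` is unset the run ends with `error: command not found` (exit 127) instead of the intended message; and `TMP` is not a conventional variable (`TMPDIR` is what mktemp and the C library honour), so unless the caller exports it — not visible here — every invocation will presumably hit that branch. If `TMP` is meant to be a caller-provided private directory, validate it (`[[ -d "$TMP" ]]`) and define the helper, e.g. `error() { printf '%s\n' "ERROR: $*" >&2; exit 1; }`; otherwise a fixed root-owned location under `/run` needs no environment variable at all. The trailing `;` on the `safe-rm` line is a leftover and can go.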
diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update
index fecfe4f..165d96f 100755
--- a/usr/libexec/security-misc/apt-get-update
+++ b/usr/libexec/security-misc/apt-get-update
@@ -3,6 +3,11 @@
 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+set -o errexit
+set -o nounset
+set -o errtrace
+set -o pipefail
+
 write_pid_file() {
   [[ -z "${TMP:-}" ]] && error "TMP is unset"
   safe-rm -rf "$TMP/security-misc-apt-get-update-pid";
@@ -25,8 +30,8 @@ sigterm_trap() {
 trap "sigterm_trap" SIGTERM SIGINT
-[ -n "$timeout_after" ] || timeout_after="600"
-[ -n "$kill_after" ] || kill_after="10"
+[[ -v timeout_after ]] || timeout_after="600"
+[[ -v kill_after ]] || kill_after="10"
 write_pid_file
From 98d7c245ee11f16e566422a17543aaed2c155d88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:57:30 -0500 Subject: [PATCH 1471/1650] "|| exit 1" no longer required thanks to errexit
---
 usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update
index 165d96f..b506e44 100755
--- a/usr/libexec/security-misc/apt-get-update
+++ b/usr/libexec/security-misc/apt-get-update
@@ -11,7 +11,7 @@ set -o pipefail
 write_pid_file() {
   [[ -z "${TMP:-}" ]] && error "TMP is unset"
   safe-rm -rf "$TMP/security-misc-apt-get-update-pid";
-  install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" || exit 1
+  install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid"
   echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid"
 }
From 59299a6639fef31565b8f3cef857c9faa331e0f7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 21:07:42 +0000 Subject: [PATCH 1472/1650] bumped changelog version
---
 changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+)
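Review bot: Turning on `set -o nounset` makes the signal handler fragile: `sigterm_trap` (defined above this hunk, visible in the earlier patch of this series) tests `"$lastpid"`, and `lastpid` is only assigned once the `timeout` child is running, so a SIGTERM/SIGINT arriving before that point now aborts with `lastpid: unbound variable` and status 1 instead of the intended `exit 143`. Suggest `if [ "${lastpid:-}" = "" ]; then` in the handler, or `lastpid=""` before the `trap` line. The switch from `[ -n "$timeout_after" ]` to `[[ -v timeout_after ]]` (presumably to satisfy nounset) is also a behaviour change: an exported-but-empty `timeout_after` or `kill_after` now reaches `timeout` as an empty duration instead of falling back to the default, so `[[ -n "${timeout_after:-}" ]]` keeps the old semantics under nounset.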
diff --git a/changelog.upstream b/changelog.upstream index 2e26fb3..4fccc87 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,40 @@ +commit 98d7c245ee11f16e566422a17543aaed2c155d88 +Author: Patrick Schleizer +Date: Mon Nov 25 15:57:30 2024 -0500 + + "|| exit 1" no longer required thanks to errexit + +commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d +Author: Patrick Schleizer +Date: Mon Nov 25 15:48:01 2024 -0500 + + use strict shell options + +commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 +Author: Patrick Schleizer +Date: Mon Nov 25 15:44:00 2024 -0500 + + use TMP, sponge, refactoring + +commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 +Merge: af43472 d7475e2 +Author: Patrick Schleizer +Date: Mon Nov 25 15:38:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' + +commit d7475e252a64e296913ed8893261e52e72163d55 +Author: Aaron Rainbolt +Date: Thu Nov 21 20:03:42 2024 -0600 + + Make apt-get-update able to be terminated securely + +commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a +Author: Patrick Schleizer +Date: Thu Nov 14 22:24:50 2024 +0000 + + bumped changelog version + commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b Author: Patrick Schleizer Date: Thu Nov 14 16:31:12 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 1e46db1..15e8b1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 + security-misc (3:40.8-1) unstable; urgency=medium * New upstream version (local package). From 1708a03e1edda821ef091f10c46d32f740511d38 Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Thu, 28 Nov 2024 15:20:57 -0600 Subject: [PATCH 1473/1650] Enable umask hardening --- README.md | 14 +++++++++----- etc/sudoers.d/security-misc | 5 +++++ usr/share/pam-configs/umask-security-misc | 8 ++++++++ 3 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/README.md b/README.md index c23d261..6117830 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - + - Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. @@ -573,9 +573,7 @@ See: #### umask Default `umask` is set to `027` for files created by non-root users such as -user `user`. Broken. Disabled. See: - -* https://github.com/Kicksecure/security-misc/issues/184 +user `user`. This is done using the PAM module `pam_mkhomedir.so umask=027`. @@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups Default `umask` is unchanged for root because then configuration files created in `/etc` by the system administrator would be unreadable by "others" and break -applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. +applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The +`umask` is also set to 022 via `sudoers` configuration, so that files created +as root are world-readable even when using commands such as `sudo vi +/etc/file` or `sudo -i; touch /etc/file`. + +`umask` is set to 022 rather than 027 when using `sudo`, so that commands such +as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` See: diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 7084b1f..591eede 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc 
@@ -3,3 +3,8 @@
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+Defaults umask_override
+Defaults umask=0022
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 0000000..6436a56
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,8 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ [success=1 default=ignore] pam_succeed_if.so uid eq 0
+ optional pam_umask.so umask=027
From 93b51819d4693955936456916188b4118fe68a66 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 6 Dec 2024 09:47:08 -0500 Subject: [PATCH 1474/1650] permission hardener mount chmod change from `745` to `755` https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 54b22a6..08965b8 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -13,5 +13,5 @@
 
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
-/bin/mount 745 root root
-/usr/bin/mount 745 root root
+/bin/mount 755 root root
+/usr/bin/mount 755 root root
From 5b88e92e5c4b951e659e1574fc248bd11158dfb2 Mon Sep 17 00:00:00 2001
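Review bot: `Defaults umask_override` makes sudo apply exactly `0022` to every command it runs instead of the union of the invoking user's umask and this value, so the comment `## Can be overridden on a per-user basis using .[z]profile if desirable` is misleading: the invoking user's shell umask is discarded by design, and only a login shell started via `sudo -i` would re-apply root's own profile afterwards. Suggest `## umask_override discards the invoking user's umask; every sudo command starts with 0022. Adjust here, not in the user's shell profile.` This also means files created through sudo in user-owned directories become world-readable, which is the trade-off the README paragraph in this patch is describing; that paragraph ends mid-sentence (`... and `sudo -i; touch /etc/file``) and should be completed.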
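Review bot: This profile applies `pam_umask.so umask=027`, but the README context in the same patch says the umask is set with `pam_mkhomedir.so umask=027`; `pam_mkhomedir`'s `umask` option only governs the mode of a newly created home directory, so the README should name `pam_umask.so`. `Session-Interactive-Only: yes` leaves non-interactive sessions (cron jobs and similar) at the default umask, which is worth a line in the README next to the root exemption. Please also check how `pam_umask`'s `usergroups` behaviour interacts with Debian's `USERGROUPS_ENAB` in login.defs (the README links the UserPrivateGroups page), since that can relax a 027 umask to 007 for users whose primary group matches their name; a comment such as `# explicit umask= wins over login.defs UMASK; usergroups relaxation intentionally not enabled` above the module line would record the intent.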
From: Patrick Schleizer Date: Fri, 6 Dec 2024 09:48:58 -0500 Subject: [PATCH 1475/1650] permission hardner: treat `mount` the same way we treat `umount` Thanks to @the-moog for the bug report! fixes https://github.com/Kicksecure/security-misc/issues/284
---
 etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
index 08965b8..c0a4f96 100644
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -10,8 +10,12 @@
 ## SUID will be removed below in separate step.
 /bin/mount exactwhitelist
 /usr/bin/mount exactwhitelist
+/bin/umount exactwhitelist
+/usr/bin/umount exactwhitelist
 
 ## Remove SUID from 'mount' but keep executable.
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
 /bin/mount 755 root root
 /usr/bin/mount 755 root root
+/bin/umount 755 root root
+/usr/bin/umount 755 root root
From 1ce37d42cd2c132eca8c45ddb04fdb594349d08f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Dec 2024 04:50:40 -0500 Subject: [PATCH 1476/1650] .
---
 usr/share/security-misc/lkrg/lkrg-virtualbox | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox
index 3b4a061..6ab093a 100755
--- a/usr/share/security-misc/lkrg/lkrg-virtualbox
+++ b/usr/share/security-misc/lkrg/lkrg-virtualbox
@@ -6,8 +6,11 @@
 #set -x
 set -e
 
+## Check if the VirtualBox host software is installed.
 if ! command -v vboxmanage &>/dev/null ; then
+  ## VirtualBox host software is not installed.
   if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then
+    ## Delete using '--verbose' so user is notified.
     rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf
   fi
   exit 0
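Review bot: The comment `## Remove SUID from 'mount' but keep executable.` now heads entries for both `mount` and `umount`, so it should read `## Remove SUID from 'mount' and 'umount' but keep them executable.` Stripping SUID from both means non-root users can no longer use `user`/`users` fstab entries or unmount what they mounted; the linked forum thread may cover that, but the config file itself should state the consequence in one line (e.g. `## Consequence: non-root users cannot (un)mount 'user' fstab entries.`) so the bug report this commit fixes is not filed again. The two path spellings (`/bin` and `/usr/bin`) are presumably for pre-merged-usr systems; a short note saying so would save the next reader the question.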
@@ -21,4 +24,7 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then exit 0 fi +## TODO: check if lkrg is installed. + +## Delete using '--verbose' so user is notified. cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf From 7902311c570edd4286ba36f0cb85223d1e909a03 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Dec 2024 04:54:47 -0500 Subject: [PATCH 1477/1650] do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed --- usr/share/security-misc/lkrg/lkrg-virtualbox | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 6ab093a..3e5edc3 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -6,6 +6,9 @@ #set -x set -e +## provides function: pkg_installed +source /usr/libexec/helper-scripts/package_installed_check.bsh + ## Check if the VirtualBox host software is installed. if ! command -v vboxmanage &>/dev/null ; then ## VirtualBox host software is not installed. @@ -24,7 +27,9 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then exit 0 fi -## TODO: check if lkrg is installed. +if ! pkg_installed "lkrg" ; then + exit 0 +fi ## Delete using '--verbose' so user is notified. cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf From 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 8 Dec 2024 03:21:27 -0600 Subject: [PATCH 1478/1650] Harden/disable recovery mode options --- etc/default/grub.d/41_recovery_restrict.cfg | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/default/grub.d/41_recovery_restrict.cfg 
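Review bot: The new comment `## Delete using '--verbose' so user is notified.` was copied from the `rm` branch but here precedes `cp --verbose`, which installs the drop-in into /etc/sysctl.d rather than deleting anything; it should read `## Copy using '--verbose' so user is notified.`. The `## TODO: check if lkrg is installed.` placeholder added in the same hunk is resolved by the following commit.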
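Review bot: The new `if ! pkg_installed "lkrg" ; then exit 0 fi` branch exits without removing an existing /etc/sysctl.d/30-lkrg-virtualbox.conf, whereas the vboxmanage-missing branch earlier in the script removes it; if LKRG is uninstalled after the drop-in was created, the stale file presumably stays behind and its sysctls keep being applied (or failing) at boot. Mirroring the rm logic keeps the two "not applicable" cases consistent. The `## Delete using '--verbose'` comment above `cp --verbose` also still says Delete where it should say Copy.
```shell
if ! pkg_installed "lkrg" ; then
  ## LKRG is not installed: remove a stale drop-in, mirroring the vboxmanage-missing branch above.
  if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then
    rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf
  fi
  exit 0
fi
```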
diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg
new file mode 100644
index 0000000..cfe68b0
--- /dev/null
+++ b/etc/default/grub.d/41_recovery_restrict.cfg
@@ -0,0 +1,16 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Disable access to single-user mode (i.e. recovery mode).
+## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
+GRUB_DISABLE_RECOVERY='true'
+
+## Disable access to Dracut's recovery console.
+## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt"
From 518224b8cf9e99a830b584d8d54b5dea2925c8f5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 10 Dec 2024 19:17:10 +0000
Subject: [PATCH 1479/1650] bumped changelog version
---
 changelog.upstream | 18 ++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 24 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 4fccc87..ab75925 100644
--- a/changelog.upstream
+++ b/changelog.upstream
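Review bot: Both settings only change what grub-mkconfig writes into the menu, so someone with console access can still press "e" at the boot menu and remove `rd.shell=0 rd.emergency=halt` or append `init=/bin/bash` unless GRUB itself is password-protected; the file should say so, because "Disable access" reads as stronger than it is. Separately, `GRUB_CMDLINE_LINUX_DEFAULT` is only used for the normal entries, while GRUB builds recovery entries from `GRUB_CMDLINE_LINUX`, so if `GRUB_DISABLE_RECOVERY` is ever set back to false the dracut restrictions will not cover the recovery entry. Suggested comment above the last line: `## NOTE: only normal entries use GRUB_CMDLINE_LINUX_DEFAULT; without a GRUB superuser password these parameters can be edited away at the boot menu.`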
@@ -1,3 +1,21 @@ +commit 7902311c570edd4286ba36f0cb85223d1e909a03 +Author: Patrick Schleizer +Date: Sat Dec 7 04:54:47 2024 -0500 + + do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed + +commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f +Author: Patrick Schleizer +Date: Sat Dec 7 04:50:40 2024 -0500 + + . + +commit 59299a6639fef31565b8f3cef857c9faa331e0f7 +Author: Patrick Schleizer +Date: Mon Nov 25 21:07:42 2024 +0000 + + bumped changelog version + commit 98d7c245ee11f16e566422a17543aaed2c155d88 Author: Patrick Schleizer Date: Mon Nov 25 15:57:30 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 15e8b1e..b4859e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 + security-misc (3:40.9-1) unstable; urgency=medium * New upstream version (local package). From a9dd592a8b49226f326e90111178aebba3cc144f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 10 Dec 2024 19:19:10 +0000 Subject: [PATCH 1480/1650] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ab75925..1e3591c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,22 @@ +commit 58722324ec0be98c3e44938df8cb60ca9b261210 +Merge: 518224b 439fa7f +Author: Patrick Schleizer +Date: Tue Dec 10 14:18:50 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' + +commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 +Author: Patrick Schleizer +Date: Tue Dec 10 19:17:10 2024 +0000 + + bumped changelog version + +commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 +Author: Aaron Rainbolt +Date: Sun Dec 8 03:21:27 2024 -0600 + + Harden/disable recovery mode options + commit 7902311c570edd4286ba36f0cb85223d1e909a03 Author: Patrick Schleizer Date: Sat Dec 7 04:54:47 2024 -0500 diff --git a/debian/changelog b/debian/changelog index b4859e3..0b5fc91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 + security-misc (3:41.0-1) unstable; urgency=medium * New upstream version (local package). From c1167968542a62d0677517e11505f6e9222ec378 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 12 Dec 2024 06:36:47 +0000 Subject: [PATCH 1481/1650] `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c43ca19..93efe26 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -467,6 +467,9 @@ net.ipv6.conf.*.accept_redirects=0 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. ## ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium +## https://github.com/mullvad/mullvadvpn-app/pull/7141 +## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## #net.ipv4.conf.*.arp_ignore=2 From 4c3ca68453b44074025a1ec9f31451c57344f3cf Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 9 Dec 2024 12:37:11 -0600 Subject: [PATCH 1482/1650] Disable unnecessary sudoers exceptions --- etc/sudoers.d/security-misc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 7084b1f..abe4364 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,5 +1,6 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +## Neither of these are needed. +#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops From ca3a73ac13d805515f71f1be7ecedc33d3a1b519 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:37:10 +0000 Subject: [PATCH 1483/1650] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..81e40a2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
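Review bot: `## Neither of these are needed.` records the decision but not the reason, which is what the next maintainer will need when deciding whether to delete the two commented NOPASSWD rules for good. Suggested wording: `## Not needed: panic-on-oops is no longer invoked via sudo; kept commented as a record of the removed NOPASSWD rules.` (adjust the first clause to the actual reason, which the hunk does not show). Dropping a NOPASSWD rule is a privilege reduction, so the rationale belongs in the file rather than only in the commit.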
@@ -281,7 +281,7 @@ fs.protected_fifos=2 fs.protected_regular=2 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses +## Forces shared libraries to be loaded to random addresses. ## Start location of PIE-linked binaries is randomized. ## Heap randomization can lead to breakages with legacy applications. ## From 943c421889ce5dfe3869380e4587ca22724f2ce7 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:40:38 +0000 Subject: [PATCH 1484/1650] Minor refactoring --- etc/default/grub.d/41_recovery_restrict.cfg | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index cfe68b0..530a728 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -7,10 +7,15 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Disable access to single-user mode (i.e. recovery mode). +## Disable access to single-user (recovery) mode. +## ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -GRUB_DISABLE_RECOVERY='true' +## +GRUB_DISABLE_RECOVERY="true" ## Disable access to Dracut's recovery console. +## ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt" +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" \ No newline at end of file From defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 Mon Sep 17 00:00:00 2001 
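Review bot: The rewritten file ends without a trailing newline (`\ No newline at end of file` after the last `GRUB_CMDLINE_LINUX_DEFAULT` line); since `grub.d/*.cfg` files are sourced by grub-mkconfig this still works, but anything that appends to the file will join onto that line, and every other file in this series ends with a newline. Add the newline after `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0"`. Splitting the parameters into two assignments is fine, but `## Disable access to Dracut's recovery console.` still does not say that `rd.emergency=halt` halts the machine instead of opening a shell when the initramfs fails, which is the user-visible effect worth stating.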
From: raja-grewal Date: Tue, 17 Dec 2024 11:42:03 +0000 Subject: [PATCH 1485/1650] Refactor CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 80 ++++++++++++++++------- 1 file changed, 55 insertions(+), 25 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1b900c0..c1828dc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,7 +17,7 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html -## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes ## KSPP sets the kernel parameters. @@ -27,7 +27,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. ## Disabling will significantly decrease system performance on multi-threaded tasks. -## To enable SMT, remove this line and all other occurrences of "nosmt" in this file. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 
@@ -36,95 +36,125 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## KSPP=yes ## KSPP sets the kernel parameter. ## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" -## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) -## and Intel branch history injection (BHI) vulnerabilities. +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. +## Currently affects both AMD and Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Disable Speculative Store Bypass (Spectre Variant 4). -## Unconditionally enable mitigation for both kernel and userspace. +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## Enable mitigations for the L1TF vulnerability through disabling SMT -## and L1D flush runtime control. +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## Currently affects Intel CPUs. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -## Enable mitigations for the MDS vulnerability through clearing buffer cache -## and disabling SMT. +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using -## TSX Async Abort along with disabling SMT. +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. +## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" -## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions -## are only possible through microcode updates from Intel. +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Enable the prctl() interface to prevent leaks from L1D on context switches. 
+## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. +## MMIO Stale Data: +## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" -## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with -## Return Instructions) vulnerability and disable SMT. +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ ## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" -## Control RAS overflow mitigation on AMD Zen CPUs. +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## ## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Enable Gather Data Sampling (GDS) mitigation. 
-## Note for systems that have not received a suitable microcode update this will -## entirely disable use of the AVX instructions set. +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which -## encompasses E-cores on hybrid architectures. +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## From 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:42:52 +0000 Subject: [PATCH 1486/1650] Enable `kvm-intel.vmentry_l1d_flush=always` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index c1828dc..8236c99 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
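Review bot: The comment `## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.` misspells the parameter value: the kernel accepts `ibpb` (and `ibpb-vmexit`), per the srso.html page linked two lines above, so anyone copying `ipbp` would pass an unrecognized option. Change it to `## Using "spec_rstack_overflow=ibpb" may provide stronger security at a greater performance impact.`. A smaller wording fix in the same hunk: `AVX instructions set` should be `AVX instruction set`. The hunk starts at the `## KSPP=yes` context several lines above and ends at the RFDS section.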
@@ -66,11 +66,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## L1 Terminal Fault (L1TF): ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" ## Microarchitectural Data Sampling (MDS): ## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. From 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:44:11 +0000 Subject: [PATCH 1487/1650] Enable `kvm.mitigate_smt_rsb=1` --- etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 8236c99..b7984c5 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -134,6 +134,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" +## Cross-Thread Return Address Predictions: +## Mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects AMD Zen 1-2 CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" + ## Speculative Return Stack Overflow (SRSO): ## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. ## Currently affects AMD Zen 1-4 CPUs. From 0dff2cd28fd769955757cdef1b7f9d637a1180c5 Mon Sep 17 00:00:00 2001 
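Review bot: `kvm-intel.vmentry_l1d_flush=always` is, per the l1tf.html page linked just above it, ignored while `l1tf=full,force` is on the command line: full,force already enforces unconditional L1D flushing on VMENTER and rejects changes to the module parameter. The line is therefore only a fallback for the case described in the "To re-enable SMT" instructions, where `l1tf` is downgraded to `flush`, and the comment should say so rather than the vague `## If conditional L1D flushing, ...`. Suggested wording: `## Only takes effect if l1tf= is downgraded from full,force (e.g. when re-enabling SMT); full,force already forces unconditional flushing.`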
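Review bot: `kvm.mitigate_smt_rsb=1` addresses a leak between sibling hyperthreads, so with `nosmt=force` set earlier in this file it appears to be inert until SMT is re-enabled; the new comment lists the affected CPUs but not this dependency, and the "To re-enable SMT" checklist above does not mention it either. Suggested addition under `## Currently affects AMD Zen 1-2 CPUs.`: `## Only relevant while SMT is enabled; harmless but inert under nosmt=force.` Confirm against the linked cross-thread-rsb.html before wording it as fact.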
From: raja-grewal Date: Wed, 18 Dec 2024 03:32:35 +0000 Subject: [PATCH 1488/1650] Minor additions --- etc/default/grub.d/40_cpu_mitigations.cfg | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index b7984c5..fa750b7 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -8,6 +8,7 @@ ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. +## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 @@ -40,6 +41,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## - Remove "nosmt=force". ## - Remove all occurrences of ",nosmt" in this file (note the comma ","). ## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## - Regenerate the dracut initramfs and then reboot system. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" @@ -66,7 +68,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## L1 Terminal Fault (L1TF): ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations. +## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html 
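Review bot: `## - Regenerate the dracut initramfs and then reboot system.` points at the wrong step: this file is read by grub-mkconfig, so a change to the `GRUB_CMDLINE_LINUX` lines takes effect only after `update-grub` (or `grub-mkconfig -o ...`), not after rebuilding the initramfs, unless this project embeds the command line into the initramfs/UKI, which nothing here shows. Suggested wording: `## - Run update-grub to regenerate the GRUB configuration, then reboot.` The checklist these lines extend begins in the context above the hunk.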
@@ -75,7 +77,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" ## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html @@ -101,7 +103,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Mitigation of the vulnerability is only possible via microcode update from Intel. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html @@ -115,8 +117,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## MMIO Stale Data: -## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Processor MMIO Stale Data: +## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html @@ -143,7 +145,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" ## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. ## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html 
From 3749f8ff097551a843e5ed80de52c6770a32e0c6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 18 Dec 2024 03:36:09 +0000 Subject: [PATCH 1489/1650] Update presentation on user namespaces --- README.md | 4 +-- usr/lib/sysctl.d/990-security-misc.conf | 43 ++++++++++++------------- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index c23d261..d032762 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,11 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +- Optional - Disable all use of user namespaces. + - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation. -- Optional - Disable all use of user namespaces. - - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on both "oopses", which can potentially indicate and thwart diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 81e40a2..10f7a12 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0 ## kernel.sysrq=0 -## Restrict user namespaces to users with CAP_SYS_ADMIN. +## Disable user namespaces entirely. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting may lead to breakages in numerous software packages. -## -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. -## -## Also breaks (some?) AppImages. -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## -## Might also break evolution (e-mail client): -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## Not recommended due to well-known breakages across numerous software packages. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 -## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=no -## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. +## KSPP sets the sysctl. ## -## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. 
-#kernel.unprivileged_userns_clone=0 -## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. +## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting. From 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 18 Dec 2024 21:34:16 -0600 Subject: [PATCH 1490/1650] Add sysmaint account lock detection --- usr/libexec/security-misc/pam-info | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 32fdeaf..adde5bc 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
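Review bot: The two blocks read as if `user.max_user_namespaces=0` were merely the stricter sibling of `kernel.unprivileged_userns_clone=0`, but they differ in kind: max_user_namespaces is a count limit that, as far as I recall of the kernel's user-namespace creation path, applies to CAP_SYS_ADMIN holders too, so at 0 not even root can create a user namespace, whereas unprivileged_userns_clone only gates unprivileged callers. A one-line note under `## Disable user namespaces entirely.` would prevent the obvious misreading: `## Unlike unprivileged_userns_clone, this limit also applies to root/CAP_SYS_ADMIN.` Minor: `Evolution Email Client` should be `Evolution e-mail client`.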
@@ -72,6 +72,14 @@ https://www.kicksecure.com/wiki/root#console fi fi +if [ "$PAM_USER" = 'sysmaint' ]; then + sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true + sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" + if [ "${sysmaint_lock_info}" = 'L' ]; then + echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" + fi +fi + ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. From f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 00:18:25 -0500 Subject: [PATCH 1491/1650] comment --- etc/sudoers.d/security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 803ee25..cc700a9 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -7,5 +7,6 @@ ## Use a more open umask when executing commands with sudo ## Can be overridden on a per-user basis using .[z]profile if desirable +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening Defaults umask_override Defaults umask=0022 From e9a5b14a0db6f071424c19e6f4b006386afb6ab4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 06:57:42 +0000 Subject: [PATCH 1492/1650] bumped changelog version --- changelog.upstream | 177 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 183 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1e3591c..fe91377 100644 --- a/changelog.upstream +++ b/changelog.upstream 
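Review bot: `passwd -S sysmaint 2>/dev/null || true` discards both the failure and its message, so when `passwd -S` fails (no such account, or insufficient privilege if pam-info is not running as root, which this hunk does not establish) `sysmaint_lock_info` is empty and the check silently says nothing, indistinguishable from "not locked". Consider logging a distinct message when the status could not be read instead of swallowing it. The parsing is fine for the shadow `passwd -S` format, though `read -r _ sysmaint_lock_info _ <<< "${sysmaint_passwd_info}"` would avoid the extra `cut` process and the fragility of `-d' '` should fields ever be separated by more than one space. The surrounding script context starts outside the hunk.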
@@ -1,3 +1,119 @@ +commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d +Merge: f0c611d c7f7196 +Author: Patrick Schleizer +Date: Thu Dec 19 00:34:56 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c7f7196471b07a580c6d4a5d86739215508142cd +Merge: e5b67e0 3749f8f +Author: Patrick Schleizer +Date: Thu Dec 19 00:31:25 2024 -0500 + + Merge pull request #287 from raja-grewal/patch + + Refactor and add two CPU mitigations + +commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a +Author: Patrick Schleizer +Date: Thu Dec 19 00:18:25 2024 -0500 + + comment + +commit 4f681be77429984695a1b0f689065051884e7bf7 +Merge: 4c3ca68 4cf5757 +Author: Patrick Schleizer +Date: Thu Dec 19 00:17:44 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e5b67e044bb5011dd667879a73a670f2c5f74057 +Merge: 4cf5757 c116796 +Author: Patrick Schleizer +Date: Thu Dec 19 00:15:02 2024 -0500 + + Merge pull request #279 from raja-grewal/arp + + Provide network-related hardening options via `sysctl`'s + +commit 4cf5757575c1257a14331f0169a9d8d163e1326d +Merge: 9d06341 1708a03 +Author: Patrick Schleizer +Date: Thu Dec 19 00:08:56 2024 -0500 + + Merge pull request #282 from ArrayBolt3/arraybolt3/umask + + Enable umask hardening + +commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 +Author: raja-grewal +Date: Wed Dec 18 03:36:09 2024 +0000 + + Update presentation on user namespaces + +commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 +Author: raja-grewal +Date: Wed Dec 18 03:32:35 2024 +0000 + + Minor additions + +commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 +Author: raja-grewal +Date: Tue Dec 17 11:44:11 2024 +0000 + + Enable `kvm.mitigate_smt_rsb=1` + +commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 +Author: raja-grewal +Date: Tue Dec 17 11:42:52 2024 +0000 + + Enable `kvm-intel.vmentry_l1d_flush=always` + +commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 +Author: raja-grewal +Date: Tue Dec 17 11:42:03 2024 +0000 + + Refactor CPU mitigations + +commit 
943c421889ce5dfe3869380e4587ca22724f2ce7 +Author: raja-grewal +Date: Tue Dec 17 11:40:38 2024 +0000 + + Minor refactoring + +commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 +Author: raja-grewal +Date: Tue Dec 17 11:37:10 2024 +0000 + + Typo + +commit 4c3ca68453b44074025a1ec9f31451c57344f3cf +Author: Aaron Rainbolt +Date: Mon Dec 9 12:37:11 2024 -0600 + + Disable unnecessary sudoers exceptions + +commit 9d06341c91b51f9c737fe67457045924323635f0 +Merge: a9dd592 5b88e92 +Author: Patrick Schleizer +Date: Sat Dec 14 15:18:56 2024 -0500 + + Merge pull request #285 from Kicksecure/permission-hardener-mount + + Permission Hardener: treat mount same as umount + +commit c1167968542a62d0677517e11505f6e9222ec378 +Author: raja-grewal +Date: Thu Dec 12 06:36:47 2024 +0000 + + `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details + +commit a9dd592a8b49226f326e90111178aebba3cc144f +Author: Patrick Schleizer +Date: Tue Dec 10 19:19:10 2024 +0000 + + bumped changelog version + commit 58722324ec0be98c3e44938df8cb60ca9b261210 Merge: 518224b 439fa7f Author: Patrick Schleizer @@ -29,6 +145,30 @@ Date: Sat Dec 7 04:50:40 2024 -0500 . +commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 +Author: Patrick Schleizer +Date: Fri Dec 6 09:48:58 2024 -0500 + + permission hardner: treat `mount` the same way we treat `umount` + + Thanks to @the-moog for the bug report! + + fixes https://github.com/Kicksecure/security-misc/issues/284 + +commit 93b51819d4693955936456916188b4118fe68a66 +Author: Patrick Schleizer +Date: Fri Dec 6 09:47:08 2024 -0500 + + permission hardener mount chmod change from `745` to `755` + + https://github.com/Kicksecure/security-misc/issues/284 + +commit 1708a03e1edda821ef091f10c46d32f740511d38 +Author: Aaron Rainbolt +Date: Thu Nov 28 15:20:57 2024 -0600 + + Enable umask hardening + commit 59299a6639fef31565b8f3cef857c9faa331e0f7 Author: Patrick Schleizer Date: Mon Nov 25 21:07:42 2024 +0000 
@@ -92,6 +232,37 @@ Date: Thu Nov 14 14:41:14 2024 -0500 This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. +commit 412b371e85044962f6620386b767369b9e25d71e +Merge: 141b84c 57e1edd +Author: raja-grewal +Date: Wed Nov 13 16:47:57 2024 +1100 + + Merge branch 'Kicksecure:master' into arp + +commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f +Author: raja-grewal +Date: Wed Nov 13 05:42:56 2024 +0000 + + Provide option to deny sending and receiving shared media redirects + +commit 18aec201bfb0477fee8800ad1388099e11920016 +Author: raja-grewal +Date: Wed Nov 13 05:41:25 2024 +0000 + + Provide option to harden response to ARP requests + +commit a25d4f8df88908e83e56049204aa625f1196a948 +Author: raja-grewal +Date: Wed Nov 13 05:40:21 2024 +0000 + + Provide option to enable ARP filtering + +commit c2aae73ce161811571e4c85609a0b043399c1b65 +Author: raja-grewal +Date: Wed Nov 13 05:38:03 2024 +0000 + + Add reference and move text + commit 57e1edde23aa3f313ce087e00ebc14d158356d6c Author: Patrick Schleizer Date: Tue Nov 12 09:11:57 2024 +0000 @@ -208,6 +379,12 @@ Date: Fri Nov 8 15:36:04 2024 +1100 Enable `ssbd=force-on` +commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 +Author: raja-grewal +Date: Fri Nov 8 03:58:23 2024 +0000 + + Provide option to drop gratuitous ARP packets + commit 3af2684134279ba6f5b18b40986f02a50baa5604 Author: Patrick Schleizer Date: Wed Oct 30 09:43:05 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 0b5fc91..e3c3c68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 + security-misc (3:41.1-1) unstable; urgency=medium * New upstream version (local package). From daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 19 Dec 2024 04:39:34 -0500 Subject: [PATCH 1493/1650] fix apt-get-update for non-English locale https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index b506e44..3c91ffd 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -8,6 +8,8 @@ set -o nounset set -o errtrace set -o pipefail +export LANG=C + write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; From 95b535764c8a98b67a71ee1fd57b7f01da464106 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 09:43:26 +0000 Subject: [PATCH 1494/1650] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fe91377..1153637 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 +Author: Patrick Schleizer +Date: Thu Dec 19 04:39:34 2024 -0500 + + fix apt-get-update for non-English locale + + https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 + +commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 +Author: Patrick Schleizer +Date: Thu Dec 19 06:57:42 2024 +0000 + + bumped changelog version + commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d Merge: f0c611d c7f7196 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index e3c3c68..a4dcb4d 100644 --- a/debian/changelog +++ b/debian/changelog 
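Review bot: `export LANG=C` does not force English output when `LC_ALL` or `LC_MESSAGES` is already set in the caller's environment, because those variables take precedence over `LANG`; since the purpose of this fix is to make apt's messages parseable regardless of the invoking locale, `export LC_ALL=C` is the reliable form (keeping `LANG=C` alongside it does no harm). The line also deserves a why-comment so nobody removes it as cosmetic, e.g. `## Force an English locale so apt output can be parsed reliably; see the forum thread in the commit message.`. The surrounding `set -o` preamble and `write_pid_file` are only partly visible in the hunk.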
@@ -1,3 +1,9 @@ +security-misc (3:41.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 + security-misc (3:41.2-1) unstable; urgency=medium * New upstream version (local package). From 750367a9066ca2a0ff819b438a92cb1f6c325edb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:29:56 +0000 Subject: [PATCH 1495/1650] Set `net.ipv4.conf.*.shared_media=0` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..7f35178 100644 --- a/README.md +++ b/README.md @@ -102,8 +102,8 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. -- Optional - Deny sending and receiving shared media redirects to reduce - the risk of IP spoofing attacks. +- Deny sending and receiving shared media redirects to reduce the risk of IP + spoofing attacks. - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..30fe4f6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -451,7 +451,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://datatracker.ietf.org/doc/html/rfc1620 ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html ## -#net.ipv4.conf.*.shared_media=0 +net.ipv4.conf.*.shared_media=0 ## Enable ARP (Address Resolution Protocol) filtering. ## Prevents the Linux kernel from handling the ARP table globally From af1d06973bdd46af3e39b0bdfda81b950ccac996 Mon Sep 17 00:00:00 2001 
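Review bot: Uncommenting `net.ipv4.conf.*.shared_media=0` turns the setting from opt-in to on, so the descriptive comment block above the URL references (outside the hunk) should be checked so it no longer presents the setting as optional, as the README hunk in this same patch already was. Per the kernel's ip-sysctl documentation, `shared_media` covers both sending (when routing) and accepting RFC 1620 shared-media redirects and overrides `secure_redirects`; with redirect acceptance already disabled in this file (the hunk context shows `net.ipv6.conf.*.accept_redirects=0`, and the README hunk states the IPv4 side is disabled too), the practical new effect appears to be on the sending side, which is worth stating so readers do not assume it adds acceptance protection, e.g. `## accept_redirects=0 already rejects incoming redirects; this additionally stops sending them when forwarding.`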
From: raja-grewal Date: Thu, 19 Dec 2024 10:31:43 +0000 Subject: [PATCH 1496/1650] Set `net.ipv4.conf.*.arp_filter=1` --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..54a793a 100644 --- a/README.md +++ b/README.md @@ -105,8 +105,7 @@ Networking: - Optional - Deny sending and receiving shared media redirects to reduce the risk of IP spoofing attacks. -- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP - cache poisoning attacks. +- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..fd3ce59 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -460,7 +460,7 @@ net.ipv6.conf.*.accept_redirects=0 ## ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf ## -#net.ipv4.conf.*.arp_filter=1 +net.ipv4.conf.*.arp_filter=1 ## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. From c37f4efadf8f046168732871172cb66f58eb7c78 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:33:49 +0000 Subject: [PATCH 1497/1650] Set `net.ipv4.conf.*.arp_ignore=2` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..3eb30d6 100644 --- a/README.md +++ b/README.md 
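Review bot: `net.ipv4.conf.*.arp_filter=1` changes how multi-homed hosts answer ARP: per the kernel documentation, a request is answered on an interface only if the kernel would route a packet to the ARP'd address out that interface, so a machine with two interfaces on the same subnet needs source-based routing to keep both reachable. Because this patch makes the setting the default rather than leaving it opt-in, the comment block above the `cyber.gouv.fr` reference (outside the hunk) should carry that compatibility caveat, e.g. `## Hosts with several interfaces on one subnet need source-based routing once this is enabled.`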
@@ -108,8 +108,8 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. -- Optional - Respond to ARP requests only if the target IP address is - on-link, preventing some IP spoofing attacks. +- Respond to ARP requests only if the target IP address is on-link, + preventing some IP spoofing attacks. - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..fc176d3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -470,7 +470,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://github.com/mullvad/mullvadvpn-app/pull/7141 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## -#net.ipv4.conf.*.arp_ignore=2 +net.ipv4.conf.*.arp_ignore=2 ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. From 2e6e1701a052ef32711f6c3abaad693a773323f6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:35:08 +0000 Subject: [PATCH 1498/1650] Set `net.ipv4.conf.*.drop_gratuitous_arp=1` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..923ee2b 100644 --- a/README.md +++ b/README.md @@ -111,8 +111,8 @@ Networking: - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. +- Drop gratuitous ARP packets to prevent ARP cache poisoning via + man-in-the-middle and denial-of-service attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. 
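Review bot: `net.ipv4.conf.*.arp_ignore=2` answers an ARP request only when the sender's address lies in the same subnet as the target address on the receiving interface, per the kernel documentation, so hosts whose gateway or peers are reached through on-link routes outside the interface subnet (a layout some hosting providers use for /32 addressing) may stop answering the gateway's ARP requests and lose connectivity. Since the patch enables this by default, the comment block above the Mullvad references (outside the hunk) should state that caveat and the fallback, e.g. `## Breaks setups whose gateway is outside the interface subnet; use arp_ignore=1 there instead.`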
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..495de4a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -482,7 +482,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ ## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ ## -#net.ipv4.conf.*.drop_gratuitous_arp=1 +net.ipv4.conf.*.drop_gratuitous_arp=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. From 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 05:56:50 -0500 Subject: [PATCH 1499/1650] use long option name --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index adde5bc..382e2ac 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -73,7 +73,7 @@ https://www.kicksecure.com/wiki/root#console fi if [ "$PAM_USER" = 'sysmaint' ]; then - sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true + sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" From 642b4eeedc43e69bb82ea259b52c0946ce638983 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 21:57:25 +1100 Subject: [PATCH 1500/1650] Add link to tabular comparison of CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) 
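Review bot: `net.ipv4.conf.*.drop_gratuitous_arp=1` also discards the announcements that IP-failover mechanisms (VRRP/keepalived, VM live migration) send to update neighbours, so a host with this enabled learns a moved gateway address only once neighbour reachability detection re-probes the stale entry; the kernel documentation frames the option for networks with a trusted ARP proxy or for 802.11 links. As this patch makes it the default, the comment block above the `practicalnetworking.net` reference (outside the hunk) should name slower failover convergence as the expected cost, e.g. `## Delays learning of failover address moves (VRRP etc.), which rely on gratuitous ARP.`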
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fa750b7..d2232b3 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -18,6 +18,9 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html +## Tabular comparison between the utility and functionality of various mitigations. +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From 721b100fb64136b7c36c8d43c90c716a1fed42d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 10:58:50 +0000 Subject: [PATCH 1501/1650] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1153637..e5ef237 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:50 2024 -0500 + + use long option name + +commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 +Merge: 95b5357 9d69cd1 +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 95b535764c8a98b67a71ee1fd57b7f01da464106 +Author: Patrick Schleizer +Date: Thu Dec 19 09:43:26 2024 +0000 + + bumped changelog version + commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 Author: Patrick Schleizer Date: Thu Dec 19 04:39:34 2024 -0500 
@@ -59,6 +78,12 @@ Date: Thu Dec 19 00:08:56 2024 -0500 Enable umask hardening +commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 +Author: Aaron Rainbolt +Date: Wed Dec 18 21:34:16 2024 -0600 + + Add sysmaint account lock detection + commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 Author: raja-grewal Date: Wed Dec 18 03:36:09 2024 +0000 diff --git a/debian/changelog b/debian/changelog index a4dcb4d..944ae91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 + security-misc (3:41.3-1) unstable; urgency=medium * New upstream version (local package). From 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:37:44 -0500 Subject: [PATCH 1502/1650] permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 858679c..c88b54f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -590,6 +590,7 @@ parse_config_folder() { shopt -s nullglob for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ /usr/local/etc/permission-hardener.d/*.conf \ /etc/permission-hardening.d/*.conf \ From a2c1e8c218117a47ef70dd767d753be5d084adfa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:39:51 -0500 Subject: [PATCH 1503/1650] clean up old files in `/etc/permission-hardener.d` because will be moved to `/usr/lib/permission-hardener.d` --- debian/security-misc.maintscript | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f6d6a83..adce7ef 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
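Review bot: Adding `/usr/lib/permission-hardener.d/*.conf` as a plain first entry in the `for config_file in` word list means every vendor file is visited, and then every `/etc` file is visited after it, in directory order rather than by numeric prefix: a `/etc/permission-hardener.d/30_default.conf` is processed in addition to the vendor `30_default.conf`, not instead of it, and `/usr/lib/.../30_*.conf` comes before `/etc/.../25_*.conf`. If the move to `/usr/lib` is meant to give the usual drop-in layout, where a same-named file in `/etc` overrides or masks the vendor copy, the loop should merge the directories by basename (later directory wins) before iterating; otherwise a comment such as `## Vendor defaults are applied first; /etc entries add to them and cannot mask them.` would prevent wrong assumptions. The word list continues past the hunk with a trailing backslash, and the rest of parse_config_folder, including what is done with each file, is outside it, so how entries actually combine cannot be confirmed from here.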
@@ -68,6 +68,28 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf +## moved to /usr/lib/permission-hardener.d +rm_conffile /etc/permission-hardener.d/25_default_passwd.conf +rm_conffile /etc/permission-hardener.d/25_default_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardener.d/30_default.conf + ## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg From ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 Mon Sep 17 00:00:00 2001 
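Review bot: `rm_conffile` removes a conffile only when it is unmodified; a locally edited copy (say an admin-tuned `/etc/permission-hardener.d/30_default.conf`) is instead renamed with a `.dpkg-bak` suffix, which no longer matches the `*.conf` glob that `permission-hardener` reads, so local customizations of the defaults silently stop applying after this upgrade. That is the documented dpkg-maintscript-helper behaviour rather than a defect in these lines, but it deserves a `debian/NEWS` entry or a comment next to the new block telling admins to re-create their changes as separate drop-ins, e.g. `## locally modified copies are kept as *.dpkg-bak and are no longer read`. The entries carry no prior-version argument, matching the existing lines above, so the removal is attempted on every upgrade.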
From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:41:06 -0500 Subject: [PATCH 1504/1650] move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` --- {etc => usr/lib}/permission-hardener.d/25_default_passwd.conf | 0 {etc => usr/lib}/permission-hardener.d/25_default_sudo.conf | 0 .../permission-hardener.d/25_default_whitelist_bubblewrap.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_chromium.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_dbus.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_firejail.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_fuse.conf | 0 .../25_default_whitelist_hardened_malloc.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_mount.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_pam.conf | 0 .../permission-hardener.d/25_default_whitelist_policykit.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_postfix.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_qubes.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_selinux.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_spice.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_ssh.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_sudo.conf | 0 .../permission-hardener.d/25_default_whitelist_unix_chkpwd.conf | 0 .../permission-hardener.d/25_default_whitelist_virtualbox.conf | 0 {etc => usr/lib}/permission-hardener.d/30_default.conf | 0 20 files changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/permission-hardener.d/25_default_passwd.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_sudo.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_bubblewrap.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_chromium.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_dbus.conf (100%) rename {etc => 
usr/lib}/permission-hardener.d/25_default_whitelist_firejail.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_fuse.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_hardened_malloc.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_mount.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_pam.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_policykit.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_postfix.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_qubes.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_selinux.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_spice.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_ssh.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_sudo.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_virtualbox.conf (100%) rename {etc => usr/lib}/permission-hardener.d/30_default.conf (100%) diff --git a/etc/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf similarity index 100% rename from etc/permission-hardener.d/25_default_passwd.conf rename to usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/etc/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf similarity index 100% rename from etc/permission-hardener.d/25_default_sudo.conf rename to usr/lib/permission-hardener.d/25_default_sudo.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_chromium.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_dbus.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_firejail.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_fuse.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_mount.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_mount.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_pam.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_pam.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_policykit.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_postfix.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_qubes.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_selinux.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_spice.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_spice.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_ssh.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_sudo.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_virtualbox.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf diff --git a/etc/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf similarity index 100% rename from etc/permission-hardener.d/30_default.conf rename to usr/lib/permission-hardener.d/30_default.conf From cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 Dec 2024 05:48:48 +0000 Subject: [PATCH 1505/1650] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e5ef237..7f2d4d9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 +Author: Patrick Schleizer +Date: Fri Dec 20 00:41:06 2024 -0500 + + move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` + +commit a2c1e8c218117a47ef70dd767d753be5d084adfa +Author: Patrick Schleizer +Date: Fri Dec 20 00:39:51 2024 -0500 + + clean up old files in `/etc/permission-hardener.d` + because will be moved to `/usr/lib/permission-hardener.d` + +commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 +Author: Patrick Schleizer +Date: Fri Dec 20 00:37:44 2024 -0500 + + permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder + +commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 +Author: Patrick Schleizer +Date: Thu Dec 19 10:58:50 2024 +0000 + + bumped changelog version + commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Author: Patrick Schleizer Date: Thu Dec 19 05:56:50 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 944ae91..d2603e0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 + security-misc (3:41.4-1) unstable; urgency=medium * New upstream version (local package). From b21c394ea52401c0d77b6ec396af6a49335f5e0b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:56:20 -0500 Subject: [PATCH 1506/1650] Trigger permission hardener when new configuration files are being installed. --- debian/security-misc.triggers | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index f425076..ace3c31 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,6 +1,16 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## use noawait ## https://github.com/Kicksecure/security-misc/issues/196 + +## Trigger permission hardener when new binaries are being installed. interest-noawait /usr interest-noawait /opt + +## Trigger permission hardener when new configuration files are being installed. +/usr/lib/permission-hardener.d +/etc/permission-hardener.d +/usr/local/etc/permission-hardener.d +/etc/permission-hardening.d +/usr/local/etc/permission-hardening.d From b40bc0a2c9b17b3569918a6839bce1c67af5c9df Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 05:58:24 +0000 Subject: [PATCH 1507/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7f2d4d9..370cb7c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b21c394ea52401c0d77b6ec396af6a49335f5e0b +Author: Patrick Schleizer +Date: Fri Dec 20 00:56:20 2024 -0500 + + Trigger permission hardener when new configuration files are being installed. + +commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 +Author: Patrick Schleizer +Date: Fri Dec 20 05:48:48 2024 +0000 + + bumped changelog version + commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 Author: Patrick Schleizer Date: Fri Dec 20 00:41:06 2024 -0500 diff --git a/debian/changelog b/debian/changelog index d2603e0..a3960be 100644 --- a/debian/changelog +++ b/debian/changelog 
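Review bot: The five path lines appended at the end carry no directive keyword, so dpkg will reject the triggers file instead of registering file triggers; each line needs the same `interest-noawait` prefix as the `/usr` and `/opt` entries above (the following `syntax fix` patch in this series adds it). The new explanatory comments are a good addition; the `## use noawait` line would read better attached to the issue link it introduces, e.g. `## use noawait, see:`.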
@@ -1,3 +1,9 @@ +security-misc (3:41.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 + security-misc (3:41.5-1) unstable; urgency=medium * New upstream version (local package). From a4c76c617a18a49168e0ffdba2d8b0ae834f2877 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 01:01:13 -0500 Subject: [PATCH 1508/1650] syntax fix --- debian/security-misc.triggers | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index ace3c31..2cadd25 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -9,8 +9,8 @@ interest-noawait /usr interest-noawait /opt ## Trigger permission hardener when new configuration files are being installed. -/usr/lib/permission-hardener.d -/etc/permission-hardener.d -/usr/local/etc/permission-hardener.d -/etc/permission-hardening.d -/usr/local/etc/permission-hardening.d +interest-noawait /usr/lib/permission-hardener.d +interest-noawait /etc/permission-hardener.d +interest-noawait /usr/local/etc/permission-hardener.d +interest-noawait /etc/permission-hardening.d +interest-noawait /usr/local/etc/permission-hardening.d From 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 06:01:27 +0000 Subject: [PATCH 1509/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 370cb7c..643158a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
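Review bot: Three of the five new trigger paths are already covered by the existing `interest-noawait /usr` line above them: `/usr/lib/permission-hardener.d`, `/usr/local/etc/permission-hardener.d` and `/usr/local/etc/permission-hardening.d` all sit under `/usr`, so a dpkg change there already activates the trigger and the extra entries add nothing. Only the two `/etc/...` entries extend coverage. Dpkg file triggers fire for paths that dpkg itself installs or removes, so admin-created drop-ins under `/usr/local/etc` would presumably not activate them in any case. Consider keeping just `interest-noawait /etc/permission-hardener.d` and `interest-noawait /etc/permission-hardening.d`, with a comment such as `## /usr/lib and /usr/local/etc drop-in folders are already covered by the /usr trigger above.`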
@@ -1,3 +1,15 @@ +commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 +Author: Patrick Schleizer +Date: Fri Dec 20 01:01:13 2024 -0500 + + syntax fix + +commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df +Author: Patrick Schleizer +Date: Fri Dec 20 05:58:24 2024 +0000 + + bumped changelog version + commit b21c394ea52401c0d77b6ec396af6a49335f5e0b Author: Patrick Schleizer Date: Fri Dec 20 00:56:20 2024 -0500 diff --git a/debian/changelog b/debian/changelog index a3960be..c32adbe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 + security-misc (3:41.6-1) unstable; urgency=medium * New upstream version (local package). From 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 20 Dec 2024 11:04:22 -0600 Subject: [PATCH 1510/1650] Add warning about using non-sysmaint accounts in sysmaint mode --- usr/libexec/security-misc/pam-info | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 382e2ac..3ffad57 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -76,10 +76,17 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" + echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi +kernel_cmdline="$(cat /proc/cmdline)" + +if [ "$PAM_USER" != 'sysmaint' ] \ + && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint" +fi + ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. From aa82202e701167eacb63eac208469844e983ca43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2024 05:16:22 +0000 Subject: [PATCH 1511/1650] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 643158a..8c61741 100644 --- a/changelog.upstream +++ b/changelog.upstream 
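Review bot: The `=~ 'boot-role=sysmaint'` test matches that string anywhere in the kernel command line rather than as a whole parameter, so any longer argument that merely contains it would also trigger the warning. A whole-word comparison is just as short and more precise: `&& [[ " ${kernel_cmdline} " == *' boot-role=sysmaint '* ]]; then`. Whether a failing `cat /proc/cmdline` aborts the script depends on errexit settings not visible here; since this only produces an advisory message, a `|| true` on the `cat` line keeps a read failure from breaking the PAM conversation. The `if [ "$PAM_USER" = 'sysmaint' ]` block shown as context starts outside the hunk.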
@@ -1,3 +1,22 @@ +commit 27d015d58ebc5e750d9d06f042b761720473941d +Merge: 3c73c0c 2f3a2bc +Author: Patrick Schleizer +Date: Tue Dec 24 00:08:58 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc +Author: Aaron Rainbolt +Date: Fri Dec 20 11:04:22 2024 -0600 + + Add warning about using non-sysmaint accounts in sysmaint mode + +commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 +Author: Patrick Schleizer +Date: Fri Dec 20 06:01:27 2024 +0000 + + bumped changelog version + commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 Author: Patrick Schleizer Date: Fri Dec 20 01:01:13 2024 -0500 diff --git a/debian/changelog b/debian/changelog index c32adbe..f1c54b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 + security-misc (3:41.7-1) unstable; urgency=medium * New upstream version (local package). From 6602fb102dedc21300ae4c4519f3d9ef4e668045 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 24 Dec 2024 20:52:34 -0600 Subject: [PATCH 1512/1650] Adjust pam-info messaging for sysmaint mode --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 3ffad57..085f118 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -84,7 +84,7 @@ kernel_cmdline="$(cat /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint" + echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 From 83d386795940099e0835c51f3522aae3d9217dc8 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 24 Dec 2024 20:14:57 -0600 Subject: [PATCH 1513/1650] Refactor permission-hardener to be more idempotent --- debian/security-misc.maintscript | 3 + usr/bin/permission-hardener | 1048 +++++++++-------- usr/bin/permission-hardener-old | 748 ++++++++++++ ....conf => 25_default_whitelist_passwd.conf} | 2 + 4 files changed, 1287 insertions(+), 514 deletions(-) create mode 100755 usr/bin/permission-hardener-old rename usr/lib/permission-hardener.d/{25_default_passwd.conf => 25_default_whitelist_passwd.conf} (91%) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index adce7ef..5063263 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -106,3 +106,6 @@ rm_conffile /etc/default/grub.d/41_quiet.cfg ## moved to usability-misc rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf + +## renamed to reflect the fact that this uses a whitelist +rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c88b54f..c8d115b 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
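Review bot: `rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf` applies a conffile helper to a path that is not a conffile (conffiles live under `/etc`), so this looks like the wrong tool for the rename. dpkg removes a non-conffile that the new package version no longer ships on its own, and `dpkg-maintscript-helper rm_conffile` finds no `Conffiles` md5sum for a path under `/usr/lib`, in which case it presumably treats the file as locally modified and leaves a `.dpkg-bak` copy behind instead of deleting it. If that reading is right, the two added lines can be dropped, or replaced by a comment such as `## 25_default_passwd.conf was renamed to 25_default_whitelist_passwd.conf; dpkg removes the old path itself.`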
@@ -10,12 +10,6 @@ set -o errexit -o nounset -o pipefail -exit_code=0 -store_dir="/var/lib/permission-hardener" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 @@ -34,6 +28,7 @@ echo_wrapper_ignore() { } echo_wrapper_audit() { + local return_code if test "${1}" = "verbose"; then shift log notice "Executing: $*" @@ -49,30 +44,23 @@ echo_wrapper_audit() { } } -make_store_dir(){ - mkdir --parents "${store_dir}/private" - mkdir --parents "${store_dir}/existing_mode" - mkdir --parents "${store_dir}/new_mode" -} - ## Some tools may fail on newlines and even variable assignment to array may ## fail if a variable that will be assigned to an array element contains ## characters that are used as delimiters. -block_newlines(){ +block_newlines() { local newline_variable newline_value - newline_variable="${1}" - newline_value="${2}" + newline_variable="${1:-}" + newline_value="${2:-}" ## dpkg-statoverride: error: path may not contain newlines - #if [[ "${newline_value}" == *$'\n'* ]]; then if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 return 1 fi } -output_stat(){ +output_stat() { local file_name - file_name="${1}" + file_name="${1:-}" if test -z "${file_name}"; then log error "File name is empty. file_name: '${file_name}'" >&2 
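Review bot: The hunk deletes the definitions of `delimiter`, `dpkg_admindir_parameter_existing_mode` and `dpkg_admindir_parameter_new_mode`, but the script runs under `set -o nounset` and later hunks of this same patch still expand `${delimiter}` in `output_stat` (`stat -L --format="%a${delimiter}..."`) and `${dpkg_admindir_parameter_existing_mode}` in `load_state`. Unless these are re-declared in a part of the file not shown here, the first `stat` call aborts with an unbound-variable error before any permission is touched. Either remove the remaining references as well, or keep `delimiter="#permission-hardener-delimiter#"` and the `--admindir` parameter next to wherever `state_file` is now defined.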
@@ -81,16 +69,10 @@ output_stat(){ block_newlines file "${file_name}" - ## dpkg-statoverride can actually handle '--file-name'. -# if [[ $file_name == --* ]]; then -# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 -# return 1 -# fi - declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + if ! stat_output="$(stat -L --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi @@ -100,7 +82,7 @@ output_stat(){ File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi @@ -112,7 +94,7 @@ line: '${line}' File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi @@ -124,7 +106,7 @@ line: '${line}' File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi 
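Review bot: The four error messages now print `line: '${processed_config_line}'`, but `output_stat` is only called after the config-parsing loop in `load_state` has finished, so that variable always holds the last config line read, not the line that introduced the file being inspected, which makes the diagnostic misleading. Dropping the `line:` field and relying on the `File name:` field already present would be more honest, or track the originating line per policy entry if it is needed. Under `set -o nounset` the expansion also aborts instead of logging if no config line was ever parsed, so `'${processed_config_line:-}'` is the safer spelling if it stays. The switch to `stat -L` makes `existing_mode`/owner/group describe a symlink's target rather than the link; that is fine because the nosuid callers skip symlinks afterwards, but deserves a comment such as `## -L: report the target's mode/owner; callers skip symlinks before acting on them.` `output_stat` starts outside the hunk.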
@@ -139,456 +121,178 @@ line: '${line}' File name is different from file name received from stat: File name: '${file_name}' File name from stat: '${file_name_from_stat}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi if test -z "${existing_group}"; then - log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi } -sanity_tests() { - echo_wrapper_audit silent \ - which \ - capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null +print_usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 } -add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="${fso}" - local should_be_counter - should_be_counter=0 - local counter_actual - counter_actual=0 +## TODO: Validate input before you blindly trust it! 
+add_to_policy() { + local file_name file_mode file_owner file_group updated_entry policy_idx \ + file_capabilities + file_name="${1:-}" + file_mode="${2:-}" + file_owner="${3:-}" + file_group="${4:-}" + file_capabilities="${5:-}" + updated_entry=false - local dummy_line - while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: '${dummy_line}'" - should_be_counter=$((should_be_counter + 1)) - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - ## False positive on SC2185 (find without path argument) #1748 - ## https://github.com/koalaman/shellcheck/issues/1748 - ## - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then + policy_mode_list[policy_idx]="${file_mode}" + policy_user_owner_list[policy_idx]="${file_owner}" + policy_group_owner_list[policy_idx]="${file_group}" + policy_capability_list[policy_idx]="${file_capabilities}" + updated_entry=true + break + fi + done - local line - while IFS="" read -r -d "" file_name; do - counter_actual=$((counter_actual + 1)) + if [ "${updated_entry}" != 'true' ]; then + policy_file_list+=( "${file_name}" ) + policy_mode_list+=( "${file_mode}" ) + policy_user_owner_list+=( "${file_owner}" ) + policy_group_owner_list+=( "${file_group}" ) + policy_capability_list+=( "${file_capabilities}" ) + fi +} + +check_nosuid_whitelist() { + local target_file match_white_list_entry + + target_file="${1:-}" + + ## Handle whitelists, if we're supposed to + if [ "${whitelists_disable_all}" = 'false' ]; then + ## literal matching is intentional here + # shellcheck disable=SC2076 + if ! 
[[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]]; then + ## literal matching is intentional here too + # shellcheck disable=SC2076 + if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then + return 1 + fi + + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if safe_echo "${target_file}" \ + | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then + return 1 + fi + done + fi + fi + + return 0 +} + +load_early_nosuid_policy() { + local target_file find_list_item + + target_file="${1:-}" + + # shellcheck disable=SC2185 + while IFS="" read -r -d "" find_list_item; do + check_nosuid_whitelist "${find_list_item}" || continue ## sets: ## exiting_mode ## existing_owner ## existing_group - output_stat "${file_name}" + output_stat "${find_list_item}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. ## -g file True if file has its set-group-id bit set. - if test -h "${file_name}"; then + if [ -h "${find_list_item}" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${file_name}'" + log info "Skip symlink: '${find_list_item}'" continue fi - if test -d "${file_name}"; then - log info "Skip directory: '${file_name}'" + if [ -d "${find_list_item}" ]; then + log info "Skip directory: '${find_list_item}'" continue fi - local setuid setgid - setuid="" - if test -u "${file_name}"; then - setuid=true - fi - setgid="" - if test -g "${file_name}"; then - setgid=true - fi + ## Trim off the most significant digit of the mode, this discards S(U|G)ID + ## bits (and the sticky bit too but that doesn't matter on Linux) + ## + ## Actually, the old behavior is better here. 
+ local new_mode + # new_mode="${existing_mode:1}" + new_mode='744' - local setuid_or_setgid - setuid_or_setgid="" - if test "${setuid}" = "true" || test "${setgid}" = "true"; then - setuid_or_setgid=true - fi - if test -z "${setuid_or_setgid}"; then - log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in "${exact_white_list[@]:-}"; do - if test -z "${white_list_entry}"; then - log info "white_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if test "${file_name}" = "${white_list_entry}"; then - is_exact_whitelisted="true" - log info "is_exact_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the whitelist. - break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in "${match_white_list[@]:-}"; do - if test -z "${matchwhite_list_entry}"; then - log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then - is_match_whitelisted="true" - log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the match_white_list. 
- break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in "${disable_white_list[@]:-}"; do - if test -z "${disablematch_list_entry}"; then - log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then - is_disable_whitelisted="true" - log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the disablewhitelist. - break - fi - done - - local clean_output_prefix clean_output - clean_output_prefix="Managing (S|G)UID of line:" - clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" - if test "${whitelists_disable_all:-}" = "true"; then - log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" - elif test "${is_disable_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" - else - if test "${is_exact_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" - continue - fi - if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" - continue - fi - fi - - log notice "${clean_output_prefix} ${clean_output}" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this - ## point. Since existing_mode is incorrect, remove from dpkg-statoverride - ## and re-add. - - ## Remove from real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" - - ## Remove from separate database. - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## Not using --update as this is only for recording. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - - ## Sanity test. - if test ! "${should_be_counter}" = "${counter_actual}"; then - log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - log error "Expected number of files to be parsed was not met." 
>&2 - exit_code=202 - fi + add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ + "${existing_group}" + done < <(safe_echo_nonewline "${target_file}" | find -files0-from - -perm /u=s,g=s -print0) } -set_file_perms() { - log info "START parsing config file: '${config_file}'" +load_late_nosuid_policy() { + local target_file state_idx state_file_item state_user_owner_item \ + state_group_owner_item - local line - while read -r line || test -n "${line}"; do - if test -z "${line}"; then - true "DEBUG: line is empty. Skipping." - continue - fi + target_file="${1:-}" + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + check_nosuid_whitelist "${state_file_item}" || continue - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if test "${line}" = 'whitelists_disable_all=true'; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - ## Debugging. - du -hs /tmp || true - safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. 
- ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" - - ## Debugging. - #safe_echo "line: '${line}'" - #safe_echo "fso: '${fso}'" - #safe_echo "mode_from_config: '${mode_from_config}'" - #safe_echo "owner_from_config: '${owner_from_config}'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - declare -g disable_white_list exact_white_list match_white_list - case "${mode_from_config}" in - disablewhitelist) - disable_white_list+=("${fso}") - continue - ;; - exactwhitelist) - exact_white_list+=("${fso}") - continue - ;; - matchwhitelist) - match_white_list+=("${fso}") - continue - ;; - esac - - if test ! -e "${fso}"; then - log info "File does not exist: '${fso}'" - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if test "${mode_from_config}" = "nosuid"; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if test "${string_length_of_mode_from_config}" -gt "4"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - if test "${string_length_of_mode_from_config}" -lt "3"; then - log error "Invalid mode: '${mode_from_config}'" >&2 + if [[ ${state_file_item} == ${target_file}* ]]; then + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" continue fi - if ! 
grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then - log error "Owner from config does not exist: '${owner_from_config}'" >&2 + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" continue fi - if ! grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then - log error "Group from config does not exist: '${group_from_config}'" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="${mode_from_config}" - first_character_of_mode_from_config="${mode_from_config::1}" - if test "${first_character_of_mode_from_config}" = "0"; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - file_name="${fso_without_trailing_slash}" - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { - dpkg_statoverride_list_exit_code=$? - true - } - - if test "${dpkg_statoverride_list_exit_code}" = "0"; then - local grep_line - grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then - log info "The owner/group/mode matches fso entry. No further action required." - else - log info "The owner/group/mode does not match fso entry, updating entry." 
- ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - - ## Remove from and add to real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - else - log info "There is no fso entry, adding one." - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - ## Add to real database. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi + local new_mode + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" fi - if test -z "${capability_from_config}"; then - log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" - continue - fi - - if test "${capability_from_config}" = "none"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - ## sudo setcap -r /bin/ping 2>/dev/null - ## Failed to set capabilities on file '/bin/ping' (No data available) - ## The value of the capability argument is not permitted for a file. Or - ## the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - ## - ## NOTE: setcap does not support End-of-Options Marker ('--') yet. - ## setcap bug report: - ## setcap Command Does Not Support End-of-Options Marker ('--') - ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap -- "${fso}")" - if test -n "${getcap_output}"; then - exit_code=205 - log error "Removing capabilities failed. File: '${fso}'" >&2 - continue - fi - else - if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then - log error "Capability from config does not exist: '${capability_from_config}'" >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" - fi - - done <"${config_file}" - log info "END parsing config file: '${config_file}'" + done } -parse_config_folder() { - touch "${store_dir}/private/passwd" - chmod og-rwx "${store_dir}/private/passwd" - touch "${store_dir}/private/group" - chmod og-rwx "${store_dir}/private/group" +load_state() { + ## Config format: + ## path options + ## where options is one of: + ## user_owner group_owner filemode [capability-setting] + ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] - local passwd_file_contents_temp - ## Query contents of password and group databases only once and buffer them - ## - ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since - ## 'grep' exits after the first match in this case causing 'getent' to - ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is - ## set for this script. 
- passwd_file_contents_temp="$(getent passwd)" - safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp="$(getent group)" - safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + local config_file line bit_list file_path policy_nosuid_file_item - #passwd_file_contents="$(cat "${store_dir}/private/passwd")" - #group_file_contents="$(cat "${store_dir}/private/group")" - - shopt -s nullglob + ## Load configuration, deferring whitelist handling until later for config_file in \ /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ 
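Review bot: `check_nosuid_whitelist` fails open when no `matchwhitelist` entries are configured: `"${policy_match_white_list[@]:-}"` expands an empty array to a single empty string, and `grep --quiet --fixed-strings -- ""` matches every input, so the function returns 1 and every SUID/SGID file is treated as whitelisted and left untouched unless `whitelists_disable_all=true`. The removed code guarded exactly this case with `if test -z "${matchwhite_list_entry}"; then ... continue`, and the guard was dropped in the rewrite. Restore it as the first statement of the loop body: `[ -z "${match_white_list_entry}" ] && continue`. Two smaller changes are also worth a comment: `disablewhitelist` entries are now matched as exact whole paths rather than the substring match the old `grep --fixed-strings` loop performed, and the `## TODO: Validate input before you blindly trust it!` above `add_to_policy` is real, since the removed mode-length, owner/group existence and `capsh` capability checks are not re-applied anywhere in this hunk.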
@@ -596,97 +300,314 @@ parse_config_folder() {
 /etc/permission-hardening.d/*.conf \
 /usr/local/etc/permission-hardening.d/*.conf
 do
- set_file_perms
+ if [ ! -f "${config_file}" ]; then
+ continue
+ fi
+ while read -r line; do
+ if [ -z "${line}" ]; then
+ true 'DEBUG: line is empty. Skipping.'
+ continue
+ fi
+ if [[ "${line}" =~ ^\s*# ]]; then
+ continue
+ fi
+ if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
+ exit_code=200
+ log error "Line contains invalid characters: '${line}'" >&2
+ ## Safer to exit with error in this case.
+ ## https://forums.whonix.org/t/disable-suid-binaries/7706/59
+ exit "${exit_code}"
+ fi
+ if [ "${line}" = 'whitelists_disable_all=true' ]; then
+ whitelists_disable_all=true
+ log info "whitelists_disable_all=true"
+ continue
+ fi
+
+ processed_config_line="${line}"
+
+ IFS=' ' read -r -a bit_list <<< "${line}"
+
+ if (( ${#bit_list[@]} < 2 )) \
+ || (( ${#bit_list[@]} > 5 )) \
+ || (( ${#bit_list[@]} == 3 )); then
+ exit_code=200
+ log error "Line contains an invalid number of fields: '${line}'" >&2
+ exit "${exit_code}"
+ fi
+
+ # Strip trailing slash if appropriate
+ bit_list[0]="${bit_list[0]%/}"
+ file_path="${bit_list[0]}"
+
+ case "${bit_list[1]}" in
+ 'exactwhitelist')
+ [ ! -e "${file_path}" ] && continue
+ policy_exact_white_list+=( "${file_path}" )
+ continue
+ ;;
+ 'matchwhitelist')
+ policy_match_white_list+=( "${file_path}" )
+ continue
+ ;;
+ 'disablewhitelist')
+ policy_disable_white_list+=( "${file_path}" )
+ continue
+ ;;
+ 'nosuid')
+ [ ! -e "${file_path}" ] && continue
+ policy_nosuid_file_list+=( "${file_path}" )
+ ;;
+ *)
+ [ ! -e "${file_path}" ] && continue
+ add_to_policy "${bit_list[@]}"
+ ;;
+ esac
+ done < "${config_file}"
+ done
+
+ ## We have to handle nosuid files at the end since the whitelist arrays need
+ ## built first.
+ for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do
+ load_early_nosuid_policy "${policy_nosuid_file_item}"
+ done
+
+ local line bit_list policy_file_item
+
+ ## Load the state file from disk
+ if [ -f "${state_file}" ]; then
+ while read -r line; do
+ read -r -a bit_list <<< "${line}"
+ if (( ${#bit_list[@]} != 4 )); then
+ log info "Invalid number of fields in state file line: '${line}'. Skipping."
+ continue
+ fi
+ state_user_owner_list+=( "${bit_list[0]}" )
+ state_group_owner_list+=( "${bit_list[1]}" )
+ state_mode_list+=( "${bit_list[2]}" )
+ state_file_list+=( "${bit_list[3]}" )
+ done < "${state_file}"
+ fi
+
+ ## Find any files in the policy that don't already have a matching file in
+ ## the state. Add those files to the state, and save them to the state file
+ ## as well.
+ for policy_file_item in "${policy_file_list[@]}"; do
+ # shellcheck disable=SC2076
+ if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then
+ continue
+ fi
+ output_stat "${policy_file_item}"
+ state_file_list+=( "${policy_file_item}" )
+ state_user_owner_list+=( "${existing_owner}" )
+ state_group_owner_list+=( "${existing_group}" )
+ state_mode_list+=( "${existing_mode}" )
+ # shellcheck disable=SC2086
+ echo_wrapper_audit silent dpkg-statoverride \
+ ${dpkg_admindir_parameter_existing_mode} \
+ --add "${existing_owner}" "${existing_group}" "${existing_mode}" \
+ "${policy_file_item}"
+ done
+
+ for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do
+ load_late_nosuid_policy "${policy_nosuid_file_item}"
 done
 }
-apply() {
- check_root
- make_store_dir
- sanity_tests
- parse_config_folder
+apply_policy() {
+ local policy_idx did_state_update state_idx
- log notice "\
-To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
- sudo apt install --no-install-recommends meld
- meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
+ ## Modify the in-memory state so that all items that the policy affects match
+ ## the policy. DO NOT save these changes to the state file!
+ for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do
+ did_state_update=false
+ for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do
+ if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then
+ state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}"
+ state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}"
+ state_mode_list[state_idx]="${policy_mode_list[policy_idx]}"
+ did_state_update=true
+ break
+ fi
+ done
+ if [ "${did_state_update}" = 'false' ]; then
+ exit_code=206
+ log error "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'"
+ exit "${exit_code}"
+ fi
+ done
 }
-spare() {
- check_root
- make_store_dir
+commit_policy() {
+ local policy_idx state_idx state_file_item \
+ state_user_owner_item state_group_owner_item \
+ state_mode_item orig_main_statoverride_db orig_new_statoverride_db \
+ policy_file_item policy_capability_item
- remove_file="${1}"
- exit_code=0
- dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
- dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
+ ## Check each file on the filesystem against the state, and update it if the
+ ## state does not match. Also ensure the consistency of the new_mode database
+ ## so that people can compare the original permissions of files with the new
+ ## permissions.
+ orig_main_statoverride_db="$(dpkg-statoverride --list)" || true
+ # shellcheck disable=SC2086
+ orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true
- if test ! -f "${store_dir}/existing_mode/statoverride"; then
- true "DEBUG: Stat file does not exist, hardening was not applied before."
+ for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do
+ state_file_item="${state_file_list[state_idx]}"
+ state_user_owner_item="${state_user_owner_list[state_idx]}"
+ state_group_owner_item="${state_group_owner_list[state_idx]}"
+ state_mode_item="${state_mode_list[state_idx]}"
+
+ ## Get rid of leading zeros, stat doesn't output them due to how we use it.
+ ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into
+ ## one group, and the rest of the string into a second group. The second
+ ## group is the string we want. BASH_REMATCH[0] is the entire string,
+ ## BASH_REMATCH[1] is the first match that we want to discard, and
+ ## BASH_REMATCH[2] is the desired second group.
+ [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true;
+ state_mode_item="${BASH_REMATCH[2]}"
+
+ output_stat "${state_file_item}"
+
+ if [ "${existing_owner}" != "${state_user_owner_item}" ] \
+ || [ "${existing_group}" != "${state_group_owner_item}" ] \
+ || [ "${existing_mode}" != "${state_mode_item}" ]; then
+ if ! grep --quiet --fixed-strings -- "${state_user_owner_item}:" "${store_dir}/private/passwd"; then
+ log error "Owner from config does not exist: '${state_user_owner_item}'" >&2
+ continue
+ fi
+
+ if ! grep --quiet --fixed-strings -- "${state_group_owner_item}:" "${store_dir}/private/group"; then
+ log error "Group from config does not exist: '${state_group_owner_item}'" >&2
+ continue
+ fi
+ # Remove and reapply in main list
+ if grep --quiet --fixed-strings \
+ -- "${state_file_item}" <<< "${orig_main_statoverride_db}"; then
+ echo_wrapper_ignore silent dpkg-statoverride --remove \
+ "${state_file_item}"
+ fi
+ echo_wrapper_audit verbose dpkg-statoverride --add --update \
+ "${state_user_owner_item}" "${state_group_owner_item}" \
+ "${state_mode_item}" "${state_file_item}"
+
+ # Update item in secondary list
+ if grep --quiet --fixed-strings \
+ -- "${state_file_item}" <<< "${orig_new_statoverride_db}"; then
+ # shellcheck disable=SC2086
+ echo_wrapper_ignore silent dpkg-statoverride \
+ ${dpkg_admindir_parameter_new_mode} --remove \
+ "${state_file_item}"
+ fi
+ # shellcheck disable=SC2086
+ echo_wrapper_audit verbose dpkg-statoverride \
+ ${dpkg_admindir_parameter_new_mode} --add \
+ "${state_user_owner_item}" "${state_group_owner_item}" \
+ "${state_mode_item}" "${state_file_item}"
+ fi
+ done
+
+ ## Apply capability hardening, dpkg-statoverride can't handle this so we have
+ ## to do this manually
+ for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do
+ policy_file_item="${policy_file_list[policy_idx]}"
+ policy_capability_item="${policy_capability_list[policy_idx]}"
+ if [ -z "${policy_capability_item}" ]; then
+ continue
+ fi
+
+ if [ "${policy_capability_item}" = 'none' ]; then
+ echo_wrapper_ignore verbose setcap -r "${policy_file_item}"
+ if [ -n "$(getcap -- "${policy_file_item}")" ]; then
+ exit_code=205
+ log error \
+ "Removing capabilities failed. File: '${policy_file_item}'" >&2
+ continue
+ fi
+ else
+ if ! capsh --print \
+ | grep --fixed-strings -- "Bounding set" \
+ | grep --quiet -- "${policy_capability_item}"; then
+ log error \
+ "Capability from config does not exist: '${policy_capability_item}'" \
+ >&2
+ continue
+ fi
+
+ ## feature request: dpkg-statoverride: support for capabilities
+ ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
+ echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \
+ -- "${policy_file_item}"
+ fi
+ done
+}
+
+undo_policy_for_file() {
+ local undo_file state_idx state_file_item did_undo \
+ undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \
+ state_user_owner_item state_group_owner_item state_mode_item
+
+ undo_file="${1}"
+ undo_all=false
+ verbose='--verbose'
+ if [ "${undo_file}" = 'all' ]; then
+ undo_all=true
+ verbose=''
+ fi
+
+ if [ ! -f "${state_file}" ]; then
+ true 'DEBUG: State file does not exist, hardening was not applied before.'
 return 0
 fi
- local line
- while read -r line; do
- ## example line:
- ## root root 4755 /usr/lib/eject/dmcrypt-get-device
+ did_undo=false
- local owner group mode file_name
- if ! read -r owner group mode file_name <<< "${line}"; then
- exit_code=201
- log error "Cannot parse line: '${line}'" >&2
- continue
+ for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do
+ state_file_item="${state_file_list[state_idx]}"
+ if [ "${undo_all}" = 'true' ]; then
+ undo_file="${state_file_item}"
 fi
- log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'"
- if test "${remove_file}" = "all"; then
- verbose=""
- remove_one=false
- else
- if test "${remove_file}" = "${file_name}"; then
- verbose="--verbose"
- remove_one=true
- safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null
- else
- safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null
- continue
+ if [ "${state_file_item}" = "${undo_file}" ]; then
+ orig_main_statoverride_db="$(dpkg-statoverride --list)" || true
+ # shellcheck disable=SC2086
+ orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true
+
+ if grep --quiet --fixed-strings \
+ -- "${undo_file}" <<< "${orig_main_statoverride_db}"; then
+ echo_wrapper_ignore silent dpkg-statoverride --remove \
+ "${undo_file}"
 fi
- fi
- if test "${remove_one}" = "true"; then
- set -o xtrace
- fi
+ if grep --quiet --fixed-strings \
+ -- "${undo_file}" <<< "${orig_new_statoverride_db}"; then
+ # shellcheck disable=SC2086
+ echo_wrapper_ignore silent dpkg-statoverride \
+ ${dpkg_admindir_parameter_new_mode} --remove \
+ "${undo_file}"
+ fi
- if test -e "${file_name}"; then
- # shellcheck disable=SC2086
- chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202
- ## chmod need to be run after chown since chown removes suid.
- ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - # shellcheck disable=SC2086 - chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 - else - log info "File does not exist: '${file_name}'" - fi - - dpkg-statoverride --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true - - if test "${remove_one}" = "true"; then - set +o xtrace + if [ -e "${undo_file}" ]; then + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ + "${undo_file}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 + else + log info "File does not exist: '${undo_file}'" + fi + did_undo=true break fi + done - done < "${store_dir}/existing_mode/statoverride" + if ! [[ "${did_undo}" = 'false' ]]; then + log info "The specified file is not hardened, leaving unchanged. - if test ! "${remove_file}" = "all"; then - if test "$(cat "${store_dir}/remove_one")" = "false"; then - log info "No file was removed. - - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. + File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. This program expects the full path to the file. Example: $0 disable /usr/bin/newgrp # absolute path: works 
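Review bot: The summary check at the end of undo_policy_for_file is inverted: `if ! [[ "${did_undo}" = 'false' ]]; then` is true exactly when a state entry was found and undone, so the "The specified file is not hardened, leaving unchanged" message is printed after a successful undo and suppressed when nothing matched; it should read `if [ "${did_undo}" = 'false' ]; then`. With `disable all` the same branch fires once any entry was undone and names whichever file the loop handled last. A second point, in load_state: the state file is now parsed with `read -r -a bit_list` and lines with a field count other than 4 are skipped, whereas the old `read -r owner group mode file_name` kept the remainder of the line as the path; a state entry whose path contains a space is therefore dropped from the in-memory state and then treated as new, so its current (already hardened) mode is recorded as the original and the `dpkg-statoverride --add` into the existing_mode database is rejected as a duplicate. The function's closing lines and the rest of that log message are in the next hunk.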
@@ -706,39 +627,138 @@ spare() {
 For completely disabling SUID Disabler and Permission Hardener:
 https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener"
- fi
 fi
 }
-check_root(){
- if test "$(id -u)" != "0"; then
- log error "Not running as root, aborting."
- exit 1
- fi
+print_columns() {
+ local format_str bogus_str
+ format_str=''
+ for bogus_str in "$@"; do
+ format_str="${format_str}%s\t"
+ done
+ format_str="${format_str}\n"
+ # Using a dynamically generated format string on purpose.
+ # shellcheck disable=SC2059
+ printf "${format_str}" "$@"
 }
-usage(){
- safe_echo "Usage: ${0##*/} enable
- ${0##*/} disable [FILE|all]
+print_policy() {
+ local policy_idx
-Examples:
- ${0##*/} enable
- ${0##*/} disable all
- ${0##*/} disable /usr/bin/newgrp" >&2
- exit "${1}"
+ print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities'
+
+ for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do
+ print_columns \
+ "${policy_file_list[policy_idx]}" \
+ "${policy_user_owner_list[policy_idx]}" \
+ "${policy_group_owner_list[policy_idx]}" \
+ "${policy_mode_list[policy_idx]}" \
+ "${policy_capability_list[policy_idx]}"
+ done
 }
+print_state() {
+ local state_idx
+
+ print_columns 'File' 'User' 'Group' 'Mode'
+ for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do
+ print_columns \
+ "${state_file_list[state_idx]}" \
+ "${state_user_owner_list[state_idx]}" \
+ "${state_group_owner_list[state_idx]}" \
+ "${state_mode_list[state_idx]}"
+ done
+}
+
+## Constants
+store_dir="/var/lib/permission-hardener"
+state_file="${store_dir}/existing_mode/statoverride"
+dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
+dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
+delimiter="#permission-hardener-delimiter#"
+
+## Global variables
+policy_file_list=()
+policy_user_owner_list=()
+policy_group_owner_list=()
+policy_mode_list=()
+policy_capability_list=()
+policy_exact_white_list=()
+policy_match_white_list=()
+policy_disable_white_list=()
+policy_nosuid_file_list=()
+state_file_list=()
+state_user_owner_list=()
+state_group_owner_list=()
+state_mode_list=()
+whitelists_disable_all=false
+existing_mode=''
+existing_owner=''
+existing_group=''
+processed_config_line=''
+exit_code=0
+
+## Setup and sanity checking
+if [ "$(id -u)" != '0' ]; then
+ log error "Not running as root, aborting."
+ exit 1
+fi
+
+mkdir --parents "${store_dir}/private"
+mkdir --parents "${store_dir}/existing_mode"
+mkdir --parents "${store_dir}/new_mode"
+touch "${store_dir}/private/passwd"
+chmod og-rwx "${store_dir}/private/passwd"
+touch "${store_dir}/private/group"
+chmod og-rwx "${store_dir}/private/group"
+getent passwd | sponge -- "${store_dir}/private/passwd"
+getent group | sponge -- "${store_dir}/private/group"
+
+echo_wrapper_audit silent which capsh getcap setcap stat find \
+ dpkg-statoverride getent grep 1>/dev/null
+
+## Command parsing and execution
 case "${1:-}" in
- enable) shift; apply "$@";;
+ enable)
+ shift
+ load_state
+ apply_policy
+ commit_policy
+ ;;
 disable)
 shift
 case "${1:-}" in
- "") usage 1;;
- *) spare "${1}";;
+ "")
+ print_usage
+ exit 1
+ ;;
+ *)
+ load_state
+ undo_policy_for_file "${1}"
+ ;;
 esac
 ;;
- -h|--help) usage 0;;
- *) usage 1;;
+ print-policy)
+ load_state
+ print_policy
+ ;;
+ print-state)
+ load_state
+ print_state
+ ;;
+ print-policy-applied-state)
+ load_state
+ apply_policy
+ print_state
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *)
+ print_usage
+ exit 1
+ ;;
 esac
 if test "${exit_code}" != "0"; then
diff --git a/usr/bin/permission-hardener-old b/usr/bin/permission-hardener-old
new file mode 100755
index 0000000..c88b54f
--- /dev/null
+++ b/usr/bin/permission-hardener-old
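Review bot: The tool check `echo_wrapper_audit silent which capsh getcap setcap stat find \ dpkg-statoverride getent grep` in the setup block does not list `sponge`, which the two new `getent … | sponge --` lines directly above it introduce as a requirement, and it runs after those lines, so on a system without sponge the pipeline fails with a bare "command not found" before the audited check can report it; add `sponge` to the argument list and move the `which` line above the `getent` lines. The root check and the store-directory setup now also run unconditionally before the `case`, so `-h`/`--help` fails with "Not running as root" where the old `usage 0` did not; if that is unintended, handle `-h|--help` before the setup block. The `if test "${exit_code}" != "0"` block that ends the script continues outside the hunk.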
@@ -0,0 +1,748 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## dpkg-statoverride does not support end-of-options ("--"). + +set -o errexit -o nounset -o pipefail + +exit_code=0 +store_dir="/var/lib/permission-hardener" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh +# shellcheck disable=SC2034 +log_level=notice +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + +echo_wrapper_ignore() { + if test "${1}" = "verbose"; then + shift + log notice "Executing: $*" + else + shift + fi + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + if test "${1}" = "verbose"; then + shift + log notice "Executing: $*" + else + shift + fi + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +make_store_dir(){ + mkdir --parents "${store_dir}/private" + mkdir --parents "${store_dir}/existing_mode" + mkdir --parents "${store_dir}/new_mode" +} + +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. 
+block_newlines(){ + local newline_variable newline_value + newline_variable="${1}" + newline_value="${2}" + ## dpkg-statoverride: error: path may not contain newlines + #if [[ "${newline_value}" == *$'\n'* ]]; then + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat(){ + local file_name + file_name="${1}" + + if test -z "${file_name}"; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + ## dpkg-statoverride can actually handle '--file-name'. +# if [[ $file_name == --* ]]; then +# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 +# return 1 +# fi + + declare -a arr + local file_name_from_stat stat_output stat_output_newlined + + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + if [ "$stat_output" = "" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if test "${stat_output_newlined}" = ""; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + readarray -t arr <<< "${stat_output_newlined}" + + if test "${#arr[@]}" = 0; then + log error "Array length is 0. 
+File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +File name is different from file name received from stat: +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${line}' +" >&2 + return 1 + fi + + if test -z "${existing_mode}"; then + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_owner}"; then + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_group}"; then + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi +} + +sanity_tests() { + echo_wrapper_audit silent \ + which \ + capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null +} + +add_nosuid_statoverride_entry() { + local fso_to_process + fso_to_process="${fso}" + local should_be_counter + should_be_counter=0 + local counter_actual + counter_actual=0 + + local dummy_line + while IFS="" read -r -d "" dummy_line; do + log info "Test would parse line: '${dummy_line}'" + should_be_counter=$((should_be_counter + 1)) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + ## False positive on SC2185 (find without path argument) #1748 + ## https://github.com/koalaman/shellcheck/issues/1748 + ## + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
+ ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + + local line + while IFS="" read -r -d "" file_name; do + counter_actual=$((counter_actual + 1)) + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. + + if test -h "${file_name}"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${file_name}'" + continue + fi + + if test -d "${file_name}"; then + log info "Skip directory: '${file_name}'" + continue + fi + + local setuid setgid + setuid="" + if test -u "${file_name}"; then + setuid=true + fi + setgid="" + if test -g "${file_name}"; then + setgid=true + fi + + local setuid_or_setgid + setuid_or_setgid="" + if test "${setuid}" = "true" || test "${setgid}" = "true"; then + setuid_or_setgid=true + fi + if test -z "${setuid_or_setgid}"; then + log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in "${exact_white_list[@]:-}"; do + if test -z "${white_list_entry}"; then + log info "white_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if test "${file_name}" = "${white_list_entry}"; then + is_exact_whitelisted="true" + log info "is_exact_whitelisted=true. Skipping. 
file_name: '${file_name}'" + ## Stop looping through the whitelist. + break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in "${match_white_list[@]:-}"; do + if test -z "${matchwhite_list_entry}"; then + log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + is_match_whitelisted="true" + log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in "${disable_white_list[@]:-}"; do + if test -z "${disablematch_list_entry}"; then + log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + is_disable_whitelisted="true" + log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" + ## Stop looping through the disablewhitelist. 
+ break + fi + done + + local clean_output_prefix clean_output + clean_output_prefix="Managing (S|G)UID of line:" + clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" + if test "${whitelists_disable_all:-}" = "true"; then + log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" + elif test "${is_disable_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" + else + if test "${is_exact_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" + continue + fi + if test "${is_match_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" + continue + fi + fi + + log notice "${clean_output_prefix} ${clean_output}" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this + ## point. Since existing_mode is incorrect, remove from dpkg-statoverride + ## and re-add. + + ## Remove from real database. + echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" + + ## Remove from separate database. 
+ # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## Not using --update as this is only for recording. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + + ## Sanity test. + if test ! "${should_be_counter}" = "${counter_actual}"; then + log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + log error "Expected number of files to be parsed was not met." >&2 + exit_code=202 + fi +} + +set_file_perms() { + log info "START parsing config file: '${config_file}'" + + local line + while read -r line || test -n "${line}"; do + if test -z "${line}"; then + true "DEBUG: line is empty. Skipping." + continue + fi + + if [[ "${line}" =~ ^\s*# ]]; then + continue + fi + + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + exit_code=200 + log error "Line contains invalid characters: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if test "${line}" = 'whitelists_disable_all=true'; then + whitelists_disable_all=true + log info "whitelists_disable_all=true" + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then + exit_code=201 + log error "Cannot parse line: '${line}'" >&2 + ## Debugging. 
+ du -hs /tmp || true + safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" + + ## Debugging. + #safe_echo "line: '${line}'" + #safe_echo "fso: '${fso}'" + #safe_echo "mode_from_config: '${mode_from_config}'" + #safe_echo "owner_from_config: '${owner_from_config}'" + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + declare -g disable_white_list exact_white_list match_white_list + case "${mode_from_config}" in + disablewhitelist) + disable_white_list+=("${fso}") + continue + ;; + exactwhitelist) + exact_white_list+=("${fso}") + continue + ;; + matchwhitelist) + match_white_list+=("${fso}") + continue + ;; + esac + + if test ! -e "${fso}"; then + log info "File does not exist: '${fso}'" + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if test "${mode_from_config}" = "nosuid"; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if test "${string_length_of_mode_from_config}" -gt "4"; then + log error "Invalid mode: '${mode_from_config}'" >&2 + continue + fi + if test "${string_length_of_mode_from_config}" -lt "3"; then + log error "Invalid mode: '${mode_from_config}'" >&2 + continue + fi + + if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then + log error "Owner from config does not exist: '${owner_from_config}'" >&2 + continue + fi + + if ! 
grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then + log error "Group from config does not exist: '${group_from_config}'" >&2 + continue + fi + + local mode_for_grep + mode_for_grep="${mode_from_config}" + first_character_of_mode_from_config="${mode_from_config::1}" + if test "${first_character_of_mode_from_config}" = "0"; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + file_name="${fso_without_trailing_slash}" + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" + + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { + dpkg_statoverride_list_exit_code=$? + true + } + + if test "${dpkg_statoverride_list_exit_code}" = "0"; then + local grep_line + grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" + if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + log info "The owner/group/mode matches fso entry. No further action required." + else + log info "The owner/group/mode does not match fso entry, updating entry." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" + + ## Remove from and add to real database. + echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + else + log info "There is no fso entry, adding one." + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + ## Add to real database. + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. 
+ # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + fi + if test -z "${capability_from_config}"; then + log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" + continue + fi + + if test "${capability_from_config}" = "none"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + ## sudo setcap -r /bin/ping 2>/dev/null + ## Failed to set capabilities on file '/bin/ping' (No data available) + ## The value of the capability argument is not permitted for a file. Or + ## the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + ## + ## NOTE: setcap does not support End-of-Options Marker ('--') yet. + ## setcap bug report: + ## setcap Command Does Not Support End-of-Options Marker ('--') + ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 + echo_wrapper_ignore verbose setcap -r "${fso}" + getcap_output="$(getcap -- "${fso}")" + if test -n "${getcap_output}"; then + exit_code=205 + log error "Removing capabilities failed. File: '${fso}'" >&2 + continue + fi + else + if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then + log error "Capability from config does not exist: '${capability_from_config}'" >&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" + fi + + done <"${config_file}" + log info "END parsing config file: '${config_file}'" +} + +parse_config_folder() { + touch "${store_dir}/private/passwd" + chmod og-rwx "${store_dir}/private/passwd" + touch "${store_dir}/private/group" + chmod og-rwx "${store_dir}/private/group" + + local passwd_file_contents_temp + ## Query contents of password and group databases only once and buffer them + ## + ## If we don't buffer we sometimes get incorrect results when checking for + ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since + ## 'grep' exits after the first match in this case causing 'getent' to + ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is + ## set for this script. 
+ passwd_file_contents_temp="$(getent passwd)" + safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null + group_file_contents_temp="$(getent group)" + safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + + #passwd_file_contents="$(cat "${store_dir}/private/passwd")" + #group_file_contents="$(cat "${store_dir}/private/group")" + + shopt -s nullglob + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + set_file_perms + + done +} + +apply() { + check_root + make_store_dir + sanity_tests + parse_config_folder + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} + +spare() { + check_root + make_store_dir + + remove_file="${1}" + exit_code=0 + dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" + dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" + + if test ! -f "${store_dir}/existing_mode/statoverride"; then + true "DEBUG: Stat file does not exist, hardening was not applied before." + return 0 + fi + + local line + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! 
read -r owner group mode file_name <<< "${line}"; then + exit_code=201 + log error "Cannot parse line: '${line}'" >&2 + continue + fi + log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" + + if test "${remove_file}" = "all"; then + verbose="" + remove_one=false + else + if test "${remove_file}" = "${file_name}"; then + verbose="--verbose" + remove_one=true + safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null + else + safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null + continue + fi + fi + + if test "${remove_one}" = "true"; then + set -o xtrace + fi + + if test -e "${file_name}"; then + # shellcheck disable=SC2086 + chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + # shellcheck disable=SC2086 + chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 + else + log info "File does not exist: '${file_name}'" + fi + + dpkg-statoverride --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true + + if test "${remove_one}" = "true"; then + set +o xtrace + break + fi + + done < "${store_dir}/existing_mode/statoverride" + + if test ! "${remove_file}" = "all"; then + if test "$(cat "${store_dir}/remove_one")" = "false"; then + log info "No file was removed. + + File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. + + This program expects the full path to the file. 
Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work + + To remove all: + $0 disable all + + This change might not be permanent. For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi + fi +} + +check_root(){ + if test "$(id -u)" != "0"; then + log error "Not running as root, aborting." + exit 1 + fi +} + +usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 + exit "${1}" +} + +case "${1:-}" in + enable) shift; apply "$@";; + disable) + shift + case "${1:-}" in + "") usage 1;; + *) spare "${1}";; + esac + ;; + -h|--help) usage 0;; + *) usage 1;; +esac + +if test "${exit_code}" != "0"; then + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 +fi + +exit "${exit_code}" diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf similarity index 91% rename from usr/lib/permission-hardener.d/25_default_passwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 6313e15..6c8369c 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -10,5 +10,7 @@ # user logins with `su` and KScreenLocker # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd exactwhitelist +/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root /bin/passwd 0755 root root From 397b476a822c9f7e41ec911f5d689b67026660ad Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Dec 2024 04:12:02 +0000 Subject: [PATCH 1514/1650] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c61741..97f695d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 66f8c18c65f33676d242b57ebb1d4410876461b3 +Merge: aa82202 6602fb1 +Author: Patrick Schleizer +Date: Wed Dec 25 22:43:04 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:52:34 2024 -0600 + + Adjust pam-info messaging for sysmaint mode + +commit aa82202e701167eacb63eac208469844e983ca43 +Author: Patrick Schleizer +Date: Tue Dec 24 05:16:22 2024 +0000 + + bumped changelog version + commit 27d015d58ebc5e750d9d06f042b761720473941d Merge: 3c73c0c 2f3a2bc Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index f1c54b6..09c0cc8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 + security-misc (3:41.8-1) unstable; urgency=medium * New upstream version (local package). From dbcb612517abbf8d162cfb31ba0585c518df8817 Mon Sep 17 00:00:00 2001 
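Review bot: The two new `exactwhitelist` lines name the same paths as the existing `0755 root root` lines directly below them, and nothing in the file says how the two kinds of entry are meant to interact. From the loader changes in this series an exactwhitelist entry appears to exempt the path from the nosuid sweep while the explicit mode line still applies; if that is the intent, a short comment above the new lines, e.g. `# exactwhitelist keeps the nosuid sweep off passwd; the explicit mode lines below are what gets applied`, would spare the next maintainer re-reading the loader. If the entries are meant as alternatives rather than complements, that should be stated instead.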
From: Aaron Rainbolt Date: Wed, 25 Dec 2024 19:48:28 -0600 Subject: [PATCH 1515/1650] Polish permission-hardener refactor --- usr/bin/permission-hardener | 302 ++++--- usr/bin/permission-hardener-old | 748 ------------------ .../25_default_whitelist_passwd.conf | 3 +- 3 files changed, 184 insertions(+), 869 deletions(-) delete mode 100755 usr/bin/permission-hardener-old diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c8d115b..de03c7c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -1,4 +1,5 @@ #!/bin/bash +# shellcheck disable=SC2076 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. 
@@ -8,32 +9,52 @@ ## dpkg-statoverride does not support end-of-options ("--"). +## SC2076 is disabled because ShellCheck seems to think that any use of +## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] +## works very well for literal matching, and it is used that way extensively +## throughout this script. + set -o errexit -o nounset -o pipefail -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh +## Constants # shellcheck disable=SC2034 log_level=notice +store_dir="/var/lib/permission-hardener" +state_file="${store_dir}/existing_mode/statoverride" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +## Library imports +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh +## Functions echo_wrapper_ignore() { - if test "${1}" = "verbose"; then + if [ "${1}" = 'verbose' ]; then shift log notice "Executing: $*" - else + elif [ "${1}" = 'silent' ]; then shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return fi "$@" 2>/dev/null || true } echo_wrapper_audit() { local return_code - if test "${1}" = "verbose"; then + if [ "${1}" = 'verbose' ]; then shift log notice "Executing: $*" - else + elif [ "${1}" = 'silent' ]; then shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return fi return_code=0 "$@" || 
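Review bot: In both echo_wrapper_ignore and echo_wrapper_audit the new `else` branch logs an error and then leaves with a bare `return`, so the status handed back is that of `log error` (presumably 0), the wrapped command is never run, and, as far as this hunk shows, `exit_code` is left untouched, so `enable` still finishes with success after a caller passed a bad mode word. The failure branch a few lines further down already records `exit_code=203` for a failed command, so the unrecognized-mode branch should at least do the same before returning, e.g. `exit_code=203` (or a distinct, documented value) followed by `return 1`. With `set -o errexit` in effect a `return 1` from a plainly called wrapper aborts the script, which for a programming error in the caller seems the safer outcome; if that is not wanted, setting `exit_code` alone still carries the failure into the final exit status. The body of echo_wrapper_audit continues past the end of the hunk.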
@@ -59,25 +80,34 @@ block_newlines() { } output_stat() { - local file_name + local file_name stat_output stat_output_newlined + declare -a arr file_name="${1:-}" - if test -z "${file_name}"; then + if [ -z "${file_name}" ]; then log error "File name is empty. file_name: '${file_name}'" >&2 return 1 fi block_newlines file "${file_name}" - declare -a arr - local file_name_from_stat stat_output stat_output_newlined + if [ ! -e "${file_name}" ]; then + log info "File does not exist. file_name: '${file_name}'" >&2 + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi - if ! stat_output="$(stat -L --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + if ! stat_output="$(stat -L \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" \ + -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi - if [ "$stat_output" = "" ]; then + if [ "$stat_output" = '' ]; then log error "stat_output is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -89,7 +119,7 @@ line: '${processed_config_line}' stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - if test "${stat_output_newlined}" = ""; then + if [ "${stat_output_newlined}" = '' ]; then log error "stat_output_newlined is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -101,7 +131,7 @@ line: '${processed_config_line}' readarray -t arr <<< "${stat_output_newlined}" - if test "${#arr[@]}" = 0; then + if [ "${#arr[@]}" = '0' ]; then log error "Array length is 0. File name: '${file_name}' Stat output: '${stat_output}' @@ -116,7 +146,7 @@ line: '${processed_config_line}' existing_group="${arr[2]}" file_name_from_stat="${arr[3]}" - if [ ! "$file_name" = "$file_name_from_stat" ]; then + if [ "$file_name" != "$file_name_from_stat" ]; then log error "\ File name is different from file name received from stat: File name: '${file_name}' 
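Review bot: output_stat now reports a missing file to its callers through the global `file_name_from_stat` being empty, but that contract is not written down near the function, and it is established only on the `! -e` path: every `return 1` path leaves `existing_mode`, `existing_owner`, `existing_group` and `file_name_from_stat` holding whatever the previous call stored. Under `set -o errexit` a plain call that returns 1 aborts the script, so the stale values are not reachable today, but a future caller written as `output_stat ... || true` would silently read the previous file's owner and mode. Clearing the four globals right after `declare -a arr`, and adding a header such as `## Sets existing_mode, existing_owner, existing_group and file_name_from_stat; all four are empty when the file does not exist`, would make the contract both robust and visible. The same empty-sentinel check is added at the call sites in the load_early_nosuid_policy, load_state and commit_policy hunks, so the header is where readers of those hunks will look.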
@@ -126,15 +156,15 @@ line: '${processed_config_line}' return 1 fi - if test -z "${existing_mode}"; then + if [ -z "${existing_mode}" ]; then log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi - if test -z "${existing_owner}"; then + if [ -z "${existing_owner}" ]; then log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi - if test -z "${existing_group}"; then + if [ -z "${existing_group}" ]; then log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi @@ -143,6 +173,9 @@ line: '${processed_config_line}' print_usage(){ safe_echo "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] + ${0##*/} print-policy + ${0##*/} print-state + ${0##*/} print-policy-applied-state Examples: ${0##*/} enable @@ -150,7 +183,6 @@ Examples: ${0##*/} disable /usr/bin/newgrp" >&2 } -## TODO: Validate input before you blindly trust it! add_to_policy() { local file_name file_mode file_owner file_group updated_entry policy_idx \ file_capabilities 
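Review bot: The `## TODO: Validate input before you blindly trust it!` line above add_to_policy is dropped, but the hunk shows no validation being added in its place, and add_to_policy's body lies outside the hunk. The only input check visible elsewhere in this commit is the load_state test `if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]`, which rejects a line only when it contains no such character at all, so a line with stray characters still passes despite the "invalid characters" message. If mode, owner and group are now checked inside add_to_policy before they reach dpkg-statoverride and chmod, a one-line comment saying so would justify the removal; otherwise the TODO should stay, since those fields end up as arguments to privileged commands.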
@@ -187,25 +219,23 @@ check_nosuid_whitelist() { target_file="${1:-}" ## Handle whitelists, if we're supposed to - if [ "${whitelists_disable_all}" = 'false' ]; then - ## literal matching is intentional here - # shellcheck disable=SC2076 - if ! [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]]; then - ## literal matching is intentional here too - # shellcheck disable=SC2076 - if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then - return 1 - fi + [ "${whitelists_disable_all}" = 'true' ] && return 0 - for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if safe_echo "${target_file}" \ - | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then - return 1 - fi - done - fi + ## literal matching is intentional here + [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 + + ## literal matching is intentional here too + if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then + return 1 fi + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if safe_echo "${target_file}" \ + | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then + return 1 + fi + done + return 0 } @@ -223,11 +253,11 @@ load_early_nosuid_policy() { ## existing_owner ## existing_group output_stat "${find_list_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. - + ## -h file True if file is a symbolic link. if [ -h "${find_list_item}" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 log info "Skip symlink: '${find_list_item}'" 
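Review bot: In the rewritten check_nosuid_whitelist the loop `for match_white_list_entry in "${policy_match_white_list[@]:-}"` expands to a single empty string when no matchwhitelist entries are configured, and `grep --quiet --fixed-strings -- ""` matches any input, so every file would then be reported as whitelisted and the nosuid sweep would do nothing; the carried-over `:-` guard hides the empty-array case rather than handling it. Since bash 4.4 an empty array expands cleanly under `nounset`, so the loop can read `for match_white_list_entry in "${policy_match_white_list[@]}"; do` with `[ -z "${match_white_list_entry}" ] && continue` as its first statement for older shells. The shipped configuration may always provide at least one matchwhitelist line, which would explain why this has not surfaced; I have not verified that. Separately, the surrounding-space literal match `[[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]` cannot keep entries apart once a path contains a space, which deserves a comment next to the "literal matching is intentional" lines.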
@@ -239,58 +269,107 @@ load_early_nosuid_policy() { continue fi - ## Trim off the most significant digit of the mode, this discards S(U|G)ID - ## bits (and the sticky bit too but that doesn't matter on Linux) - ## - ## Actually, the old behavior is better here. + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? local new_mode - # new_mode="${existing_mode:1}" new_mode='744' add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ "${existing_group}" - done < <(safe_echo_nonewline "${target_file}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${target_file}" \ + | find -files0-from - -perm /u=s,g=s -print0) +} + +match_dir() { + local base_str match_str base_arr match_arr base_idx + + base_str="${1}" + match_str="${2}" + [[ "${base_str}" =~ '//' ]] && return 1 + [[ "${match_str}" =~ '//' ]] && return 1 + + IFS='/' read -r -a base_arr <<< "${base_str}" + IFS='/' read -r -a match_arr <<< "${match_str}" + (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 + + for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do + if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then + return 1 + fi + done + + return 0 } load_late_nosuid_policy() { local target_file state_idx state_file_item state_user_owner_item \ - state_group_owner_item + state_group_owner_item new_mode target_file="${1:-}" for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - 
state_group_owner_item="${state_group_owner_list[state_idx]}" check_nosuid_whitelist "${state_file_item}" || continue - if [[ ${state_file_item} == ${target_file}* ]]; then - if [ -h "${state_file_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${state_file_item}'" - continue - fi + ## If the "target file" matches the start of the state file name, that's + ## a likely match. + match_dir "${target_file}" "${state_file_item}" || continue - if [ -d "${state_file_item}" ]; then - log info "Skip directory: '${state_file_item}'" - continue - fi - - local new_mode - new_mode='744' - add_to_policy "${state_file_item}" "${new_mode}" \ - "${state_user_owner_item}" "${state_group_owner_item}" + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" + continue fi + + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" + continue + fi + + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" done } +load_state_without_policy() { + local line bit_list + + ## Load the state file from disk + if [ -f "${state_file}" ]; then + while read -r line; do + read -r -a bit_list <<< "${line}" + if (( ${#bit_list[@]} != 4 )); then + log info \ + "Invalid number of fields in state file line: '${line}'. Skipping." 
+ continue + fi + state_user_owner_list+=( "${bit_list[0]}" ) + state_group_owner_list+=( "${bit_list[1]}" ) + state_mode_list+=( "${bit_list[2]}" ) + state_file_list+=( "${bit_list[3]}" ) + done < "${state_file}" + fi +} + load_state() { ## Config format: ## path options ## where options is one of: ## user_owner group_owner filemode [capability-setting] ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] + ## + ## Additionally, the special value 'whitelists_disable_all=true' is understood + ## to mean that all whitelisting should be ignored. - local config_file line bit_list file_path policy_nosuid_file_item + local config_file line bit_list policy_nosuid_file_item policy_file_item ## Load configuration, deferring whitelist handling until later for config_file in \ @@ -303,14 +382,17 @@ load_state() { if [ ! -f "${config_file}" ]; then continue fi + while read -r line; do if [ -z "${line}" ]; then true 'DEBUG: line is empty. Skipping.' continue fi + if [[ "${line}" =~ ^\s*# ]]; then continue fi + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 log error "Line contains invalid characters: '${line}'" >&2 
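Review bot: The new comment `## Similar to: chmod og-ugx /path/to/filename` in load_early_nosuid_policy does not describe what `new_mode='744'` does: 744 is an absolute replacement rather than a mask, and `og-ugx` is not the symbolic form for clearing setuid/setgid plus group/other execute (that would be `u-s,g-s,go-x`). A more accurate line would be `## Applies a fixed mode of 744 (rwxr--r--): clears suid/sgid and every group/other write and execute bit.` The new match_dir helper also needs a short header stating that it compares whole path components (so `/usr/bin` matches `/usr/bin/su` but not `/usr/binary`) and that either argument containing `//` makes it return non-zero without any log line, since load_late_nosuid_policy turns that into a silent `continue`. The hunk begins inside load_early_nosuid_policy and ends inside load_state, so both enclosing functions extend beyond it.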
@@ -339,28 +421,27 @@ load_state() { # Strip trailing slash if appropriate bit_list[0]="${bit_list[0]%/}" - file_path="${bit_list[0]}" case "${bit_list[1]}" in 'exactwhitelist') - [ ! -e "${file_path}" ] && continue - policy_exact_white_list+=( "${file_path}" ) + [ ! -e "${bit_list[0]}" ] && continue + policy_exact_white_list+=( "${bit_list[0]}" ) continue ;; 'matchwhitelist') - policy_match_white_list+=( "${file_path}" ) + policy_match_white_list+=( "${bit_list[0]}" ) continue ;; 'disablewhitelist') - policy_disable_white_list+=( "${file_path}" ) + policy_disable_white_list+=( "${bit_list[0]}" ) continue ;; 'nosuid') - [ ! -e "${file_path}" ] && continue - policy_nosuid_file_list+=( "${file_path}" ) + [ ! -e "${bit_list[0]}" ] && continue + policy_nosuid_file_list+=( "${bit_list[0]}" ) ;; *) - [ ! -e "${file_path}" ] && continue + [ ! -e "${bit_list[0]}" ] && continue add_to_policy "${bit_list[@]}" ;; esac 
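Review bot: Removing the `file_path` local and spelling `"${bit_list[0]}"` six times through the case statement trades a named value for an index in the very block where the path is the subject, which reads worse than before. Keeping `file_path="${bit_list[0]%/}"` right after the trailing-slash strip (declared in the `local` list the commit already has at the top of load_state) would retain one clear name while still dropping the separate declaration the commit was tidying. This is a point of style only; the behaviour of the hunk is unchanged.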
@@ -373,32 +454,19 @@ load_state() { load_early_nosuid_policy "${policy_nosuid_file_item}" done - local line bit_list policy_file_item - - ## Load the state file from disk - if [ -f "${state_file}" ]; then - while read -r line; do - read -r -a bit_list <<< "${line}" - if (( ${#bit_list[@]} != 4 )); then - log info "Invalid number of fields in state file line: '${line}'. Skipping." - continue - fi - state_user_owner_list+=( "${bit_list[0]}" ) - state_group_owner_list+=( "${bit_list[1]}" ) - state_mode_list+=( "${bit_list[2]}" ) - state_file_list+=( "${bit_list[3]}" ) - done < "${state_file}" - fi + load_state_without_policy ## Find any files in the policy that don't already have a matching file in ## the state. Add those files to the state, and save them to the state file ## as well. for policy_file_item in "${policy_file_list[@]}"; do - # shellcheck disable=SC2076 if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then continue fi output_stat "${policy_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi state_file_list+=( "${policy_file_item}" ) state_user_owner_list+=( "${existing_owner}" ) state_group_owner_list+=( "${existing_group}" ) @@ -410,6 +478,7 @@ load_state() { "${policy_file_item}" done + ## Fix up nosuid policies using state information for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do load_late_nosuid_policy "${policy_nosuid_file_item}" done @@ -433,7 +502,8 @@ apply_policy() { done if [ "${did_state_update}" = 'false' ]; then exit_code=206 - log error "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" + log error \ + "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" exit "${exit_code}" fi done 
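Review bot: After `output_stat "${policy_file_item}"` the new `if [ -z "${file_name_from_stat}" ]; then continue; fi` leaves a policy entry with no matching state entry, and the apply_policy hunk further along this line treats exactly that situation as fatal (`exit_code=206`, "File exists in policy but not in state!"). As far as the hunk shows this only happens when a file disappears between load_state's `-e` test and the stat, so a hard exit may be acceptable, but the two hunks should agree on intent: either log a warning here naming the skipped file, or state in a comment that the later exit is the expected outcome. load_state's body extends beyond the hunk on both sides.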
@@ -469,22 +539,24 @@ commit_policy() { state_mode_item="${BASH_REMATCH[2]}" output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi if [ "${existing_owner}" != "${state_user_owner_item}" ] \ || [ "${existing_group}" != "${state_group_owner_item}" ] \ || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! grep --quiet --fixed-strings -- "${state_user_owner_item}:" "${store_dir}/private/passwd"; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 continue fi - if ! grep --quiet --fixed-strings -- "${state_group_owner_item}:" "${store_dir}/private/group"; then + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then log error "Group from config does not exist: '${state_group_owner_item}'" >&2 continue fi - # Remove and reapply in main list - if grep --quiet --fixed-strings \ - -- "${state_file_item}" <<< "${orig_main_statoverride_db}"; then + ## Remove and reapply in main list + if [[ "${orig_main_statoverride_db}" =~ "${state_file_item}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ "${state_file_item}" fi @@ -492,9 +564,8 @@ commit_policy() { "${state_user_owner_item}" "${state_group_owner_item}" \ "${state_mode_item}" "${state_file_item}" - # Update item in secondary list - if grep --quiet --fixed-strings \ - -- "${state_file_item}" <<< "${orig_new_statoverride_db}"; then + ## Update item in secondary list + if [[ "${orig_new_statoverride_db}" =~ "${state_file_item}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ 
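Review bot: The replacement `[[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]` is an unanchored substring search over the whole passwd dump, so an owner name that is a suffix of another account's name, or of a GECOS or home-directory field, passes the existence check; the grep it replaces had the same weakness, but the rewrite is the place to fix it. Anchoring to a line start keeps the buffered-contents approach: `if ! [[ $'\n'"${passwd_file_contents}" == *$'\n'"${state_user_owner_item}:"* ]]; then`, and likewise for `group_file_contents`. The `=~ "${state_file_item}"` checks against the statoverride dumps in this hunk, and the `=~ "${undo_file}"` checks in the undo_policy_for_file hunk, have the same prefix problem (`/usr/bin/su` matches an entry for `/usr/bin/sudo`); it only causes an ignored extra `--remove`, but bracketing the path between a space and a line end in the same way would make those exact too. The body of commit_policy continues outside the hunk.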
@@ -574,14 +645,12 @@ undo_policy_for_file() { # shellcheck disable=SC2086 orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - if grep --quiet --fixed-strings \ - -- "${undo_file}" <<< "${orig_main_statoverride_db}"; then + if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ "${undo_file}" fi - if grep --quiet --fixed-strings \ - -- "${undo_file}" <<< "${orig_new_statoverride_db}"; then + if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ @@ -594,13 +663,16 @@ undo_policy_for_file() { state_mode_item="${state_mode_list[state_idx]}" chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. + ## chmod needs to be run after chown since chown removes suid. chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 else log info "File does not exist: '${undo_file}'" fi did_undo=true - break + + if [ "${undo_all}" = 'false' ]; then + break + fi fi done @@ -637,7 +709,7 @@ print_columns() { format_str="${format_str}%s\t" done format_str="${format_str}\n" - # Using a dynamically generated format string on purpose. + ## Using a dynamically generated format string on purpose. # shellcheck disable=SC2059 printf "${format_str}" "$@" } @@ -670,13 +742,6 @@ print_state() { done } -## Constants -store_dir="/var/lib/permission-hardener" -state_file="${store_dir}/existing_mode/statoverride" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - ## Global variables policy_file_list=() policy_user_owner_list=() 
@@ -696,6 +761,9 @@ existing_mode='' existing_owner='' existing_group='' processed_config_line='' +file_name_from_stat='' +passwd_file_contents="$(getent passwd)" +group_file_contents="$(getent group)" exit_code=0 ## Setup and sanity checking @@ -704,15 +772,8 @@ if [ "$(id -u)" != '0' ]; then exit 1 fi -mkdir --parents "${store_dir}/private" mkdir --parents "${store_dir}/existing_mode" mkdir --parents "${store_dir}/new_mode" -touch "${store_dir}/private/passwd" -chmod og-rwx "${store_dir}/private/passwd" -touch "${store_dir}/private/group" -chmod og-rwx "${store_dir}/private/group" -getent passwd | sponge -- "${store_dir}/private/passwd" -getent group | sponge -- "${store_dir}/private/group" echo_wrapper_audit silent which capsh getcap setcap stat find \ dpkg-statoverride getent grep 1>/dev/null @@ -733,7 +794,7 @@ case "${1:-}" in exit 1 ;; *) - load_state + load_state_without_policy undo_policy_for_file "${1}" ;; esac @@ -761,6 +822,7 @@ case "${1:-}" in ;; esac +## Exit if test "${exit_code}" != "0"; then log error "Exiting with non-zero exit code: '${exit_code}'" >&2 fi diff --git a/usr/bin/permission-hardener-old b/usr/bin/permission-hardener-old deleted file mode 100755 index c88b54f..0000000 --- a/usr/bin/permission-hardener-old +++ /dev/null 
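Review bot: `passwd_file_contents="$(getent passwd)"` and `group_file_contents="$(getent group)"` now run at file scope under `set -o errexit -o pipefail`, so a failing `getent` (an NSS source that refuses enumeration, for instance) ends the script before the root check and without any `log error` line explaining why, whereas the removed `sponge` pipeline at least ran after the sanity checks. Wrapping each as `passwd_file_contents="$(getent passwd)" || { log error "getent passwd failed" >&2; exit 1; }` keeps the abort but makes it diagnosable. A comment that these are one-shot full-database enumerations is also warranted, because the owner and group existence checks in commit_policy now depend on the enumeration being complete, which not every NSS backend guarantees.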
@@ -1,748 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## dpkg-statoverride does not support end-of-options ("--"). - -set -o errexit -o nounset -o pipefail - -exit_code=0 -store_dir="/var/lib/permission-hardener" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh -# shellcheck disable=SC2034 -log_level=notice -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/log_run_die.sh - -echo_wrapper_ignore() { - if test "${1}" = "verbose"; then - shift - log notice "Executing: $*" - else - shift - fi - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - if test "${1}" = "verbose"; then - shift - log notice "Executing: $*" - else - shift - fi - return_code=0 - "$@" || - { - return_code="$?" - exit_code=203 - log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -make_store_dir(){ - mkdir --parents "${store_dir}/private" - mkdir --parents "${store_dir}/existing_mode" - mkdir --parents "${store_dir}/new_mode" -} - -## Some tools may fail on newlines and even variable assignment to array may -## fail if a variable that will be assigned to an array element contains -## characters that are used as delimiters. 
-block_newlines(){ - local newline_variable newline_value - newline_variable="${1}" - newline_value="${2}" - ## dpkg-statoverride: error: path may not contain newlines - #if [[ "${newline_value}" == *$'\n'* ]]; then - if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then - log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 - return 1 - fi -} - -output_stat(){ - local file_name - file_name="${1}" - - if test -z "${file_name}"; then - log error "File name is empty. file_name: '${file_name}'" >&2 - return 1 - fi - - block_newlines file "${file_name}" - - ## dpkg-statoverride can actually handle '--file-name'. -# if [[ $file_name == --* ]]; then -# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 -# return 1 -# fi - - declare -a arr - local file_name_from_stat stat_output stat_output_newlined - - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then - log error "Failed to run 'stat' on file: '${file_name}'!" >&2 - return 1 - fi - - if [ "$stat_output" = "" ]; then - log error "stat_output is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - - if test "${stat_output_newlined}" = ""; then - log error "stat_output_newlined is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - readarray -t arr <<< "${stat_output_newlined}" - - if test "${#arr[@]}" = 0; then - log error "Array length is 0. 
-File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" - file_name_from_stat="${arr[3]}" - - if [ ! "$file_name" = "$file_name_from_stat" ]; then - log error "\ -File name is different from file name received from stat: -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${line}' -" >&2 - return 1 - fi - - if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi - if test -z "${existing_group}"; then - log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi -} - -sanity_tests() { - echo_wrapper_audit silent \ - which \ - capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null -} - -add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="${fso}" - local should_be_counter - should_be_counter=0 - local counter_actual - counter_actual=0 - - local dummy_line - while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: '${dummy_line}'" - should_be_counter=$((should_be_counter + 1)) - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - ## False positive on SC2185 (find without path argument) #1748 - ## https://github.com/koalaman/shellcheck/issues/1748 - ## - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
- ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - - local line - while IFS="" read -r -d "" file_name; do - counter_actual=$((counter_actual + 1)) - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. - - if test -h "${file_name}"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${file_name}'" - continue - fi - - if test -d "${file_name}"; then - log info "Skip directory: '${file_name}'" - continue - fi - - local setuid setgid - setuid="" - if test -u "${file_name}"; then - setuid=true - fi - setgid="" - if test -g "${file_name}"; then - setgid=true - fi - - local setuid_or_setgid - setuid_or_setgid="" - if test "${setuid}" = "true" || test "${setgid}" = "true"; then - setuid_or_setgid=true - fi - if test -z "${setuid_or_setgid}"; then - log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in "${exact_white_list[@]:-}"; do - if test -z "${white_list_entry}"; then - log info "white_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if test "${file_name}" = "${white_list_entry}"; then - is_exact_whitelisted="true" - log info "is_exact_whitelisted=true. Skipping. 
file_name: '${file_name}'" - ## Stop looping through the whitelist. - break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in "${match_white_list[@]:-}"; do - if test -z "${matchwhite_list_entry}"; then - log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then - is_match_whitelisted="true" - log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the match_white_list. - break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in "${disable_white_list[@]:-}"; do - if test -z "${disablematch_list_entry}"; then - log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then - is_disable_whitelisted="true" - log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the disablewhitelist. 
- break - fi - done - - local clean_output_prefix clean_output - clean_output_prefix="Managing (S|G)UID of line:" - clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" - if test "${whitelists_disable_all:-}" = "true"; then - log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" - elif test "${is_disable_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" - else - if test "${is_exact_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" - continue - fi - if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" - continue - fi - fi - - log notice "${clean_output_prefix} ${clean_output}" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this - ## point. Since existing_mode is incorrect, remove from dpkg-statoverride - ## and re-add. - - ## Remove from real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" - - ## Remove from separate database. 
- # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## Not using --update as this is only for recording. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - - ## Sanity test. - if test ! "${should_be_counter}" = "${counter_actual}"; then - log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - log error "Expected number of files to be parsed was not met." >&2 - exit_code=202 - fi -} - -set_file_perms() { - log info "START parsing config file: '${config_file}'" - - local line - while read -r line || test -n "${line}"; do - if test -z "${line}"; then - true "DEBUG: line is empty. Skipping." - continue - fi - - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if test "${line}" = 'whitelists_disable_all=true'; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - ## Debugging. 
- du -hs /tmp || true - safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" - - ## Debugging. - #safe_echo "line: '${line}'" - #safe_echo "fso: '${fso}'" - #safe_echo "mode_from_config: '${mode_from_config}'" - #safe_echo "owner_from_config: '${owner_from_config}'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - declare -g disable_white_list exact_white_list match_white_list - case "${mode_from_config}" in - disablewhitelist) - disable_white_list+=("${fso}") - continue - ;; - exactwhitelist) - exact_white_list+=("${fso}") - continue - ;; - matchwhitelist) - match_white_list+=("${fso}") - continue - ;; - esac - - if test ! -e "${fso}"; then - log info "File does not exist: '${fso}'" - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if test "${mode_from_config}" = "nosuid"; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if test "${string_length_of_mode_from_config}" -gt "4"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - if test "${string_length_of_mode_from_config}" -lt "3"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - - if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then - log error "Owner from config does not exist: '${owner_from_config}'" >&2 - continue - fi - - if ! 
grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then - log error "Group from config does not exist: '${group_from_config}'" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="${mode_from_config}" - first_character_of_mode_from_config="${mode_from_config::1}" - if test "${first_character_of_mode_from_config}" = "0"; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - file_name="${fso_without_trailing_slash}" - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { - dpkg_statoverride_list_exit_code=$? - true - } - - if test "${dpkg_statoverride_list_exit_code}" = "0"; then - local grep_line - grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then - log info "The owner/group/mode matches fso entry. No further action required." - else - log info "The owner/group/mode does not match fso entry, updating entry." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - - ## Remove from and add to real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - else - log info "There is no fso entry, adding one." - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - ## Add to real database. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - fi - if test -z "${capability_from_config}"; then - log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" - continue - fi - - if test "${capability_from_config}" = "none"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - ## sudo setcap -r /bin/ping 2>/dev/null - ## Failed to set capabilities on file '/bin/ping' (No data available) - ## The value of the capability argument is not permitted for a file. Or - ## the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - ## - ## NOTE: setcap does not support End-of-Options Marker ('--') yet. - ## setcap bug report: - ## setcap Command Does Not Support End-of-Options Marker ('--') - ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap -- "${fso}")" - if test -n "${getcap_output}"; then - exit_code=205 - log error "Removing capabilities failed. File: '${fso}'" >&2 - continue - fi - else - if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then - log error "Capability from config does not exist: '${capability_from_config}'" >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" - fi - - done <"${config_file}" - log info "END parsing config file: '${config_file}'" -} - -parse_config_folder() { - touch "${store_dir}/private/passwd" - chmod og-rwx "${store_dir}/private/passwd" - touch "${store_dir}/private/group" - chmod og-rwx "${store_dir}/private/group" - - local passwd_file_contents_temp - ## Query contents of password and group databases only once and buffer them - ## - ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since - ## 'grep' exits after the first match in this case causing 'getent' to - ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is - ## set for this script. 
- passwd_file_contents_temp="$(getent passwd)" - safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp="$(getent group)" - safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null - - #passwd_file_contents="$(cat "${store_dir}/private/passwd")" - #group_file_contents="$(cat "${store_dir}/private/group")" - - shopt -s nullglob - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - set_file_perms - - done -} - -apply() { - check_root - make_store_dir - sanity_tests - parse_config_folder - - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" -} - -spare() { - check_root - make_store_dir - - remove_file="${1}" - exit_code=0 - dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" - dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" - - if test ! -f "${store_dir}/existing_mode/statoverride"; then - true "DEBUG: Stat file does not exist, hardening was not applied before." - return 0 - fi - - local line - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device - - local owner group mode file_name - if ! 
read -r owner group mode file_name <<< "${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - continue - fi - log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" - - if test "${remove_file}" = "all"; then - verbose="" - remove_one=false - else - if test "${remove_file}" = "${file_name}"; then - verbose="--verbose" - remove_one=true - safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null - else - safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null - continue - fi - fi - - if test "${remove_one}" = "true"; then - set -o xtrace - fi - - if test -e "${file_name}"; then - # shellcheck disable=SC2086 - chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - # shellcheck disable=SC2086 - chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 - else - log info "File does not exist: '${file_name}'" - fi - - dpkg-statoverride --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true - - if test "${remove_one}" = "true"; then - set +o xtrace - break - fi - - done < "${store_dir}/existing_mode/statoverride" - - if test ! "${remove_file}" = "all"; then - if test "$(cat "${store_dir}/remove_one")" = "false"; then - log info "No file was removed. - - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. - - This program expects the full path to the file. 
Example: - $0 disable /usr/bin/newgrp # absolute path: works - $0 disable newgrp # relative path: does not work - - To remove all: - $0 disable all - - This change might not be permanent. For full instructions, see: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - To view list of changed by SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - - For re-enabling any specific SUID binary: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - - For completely disabling SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi - fi -} - -check_root(){ - if test "$(id -u)" != "0"; then - log error "Not running as root, aborting." - exit 1 - fi -} - -usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] - -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 - exit "${1}" -} - -case "${1:-}" in - enable) shift; apply "$@";; - disable) - shift - case "${1:-}" in - "") usage 1;; - *) spare "${1}";; - esac - ;; - -h|--help) usage 0;; - *) usage 1;; -esac - -if test "${exit_code}" != "0"; then - log error "Exiting with non-zero exit code: '${exit_code}'" >&2 -fi - -exit "${exit_code}" diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 6c8369c..71d2298 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -7,7 +7,8 @@ # Keep the `passwd` utility executable to prevent issues with the # /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker +# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep +# the nosuid rule on /usr/bin from fighting with these rules. # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd exactwhitelist From 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 30 Dec 2024 19:23:20 -0600 Subject: [PATCH 1516/1650] Post-review improvements to permission-hardener --- usr/bin/permission-hardener | 61 ++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index de03c7c..bcd8180 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -107,7 +107,7 @@ output_stat() { return 1 fi - if [ "$stat_output" = '' ]; then + if [ -z "$stat_output" ]; then log error "stat_output is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -119,7 +119,7 @@ line: '${processed_config_line}' stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - if [ "${stat_output_newlined}" = '' ]; then + if [ -z "${stat_output_newlined}" ]; then log error "stat_output_newlined is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -225,9 +225,7 @@ check_nosuid_whitelist() { [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 ## literal matching is intentional here too - if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then - return 1 - fi + [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 for match_white_list_entry in "${policy_match_white_list[@]:-}"; do if safe_echo "${target_file}" \ 
@@ -286,6 +284,9 @@ load_early_nosuid_policy() { | find -files0-from - -perm /u=s,g=s -print0) } +## If the "target file" matches the start of the state file name, that's a +## likely match. This is used by load_late_nosuid_policy for detecting info +## about files that need SUID-locked that are in the state. match_dir() { local base_str match_str base_arr match_arr base_idx @@ -316,8 +317,6 @@ load_late_nosuid_policy() { state_file_item="${state_file_list[state_idx]}" check_nosuid_whitelist "${state_file_item}" || continue - ## If the "target file" matches the start of the state file name, that's - ## a likely match. match_dir "${target_file}" "${state_file_item}" || continue if [ -h "${state_file_item}" ]; then @@ -340,21 +339,21 @@ load_late_nosuid_policy() { } load_state_without_policy() { - local line bit_list + local line field_list ## Load the state file from disk if [ -f "${state_file}" ]; then while read -r line; do - read -r -a bit_list <<< "${line}" - if (( ${#bit_list[@]} != 4 )); then + read -r -a field_list <<< "${line}" + if (( ${#field_list[@]} != 4 )); then log info \ "Invalid number of fields in state file line: '${line}'. Skipping." continue fi - state_user_owner_list+=( "${bit_list[0]}" ) - state_group_owner_list+=( "${bit_list[1]}" ) - state_mode_list+=( "${bit_list[2]}" ) - state_file_list+=( "${bit_list[3]}" ) + state_user_owner_list+=( "${field_list[0]}" ) + state_group_owner_list+=( "${field_list[1]}" ) + state_mode_list+=( "${field_list[2]}" ) + state_file_list+=( "${field_list[3]}" ) done < "${state_file}" fi } @@ -369,7 +368,7 @@ load_state() { ## Additionally, the special value 'whitelists_disable_all=true' is understood ## to mean that all whitelisting should be ignored. - local config_file line bit_list policy_nosuid_file_item policy_file_item + local config_file line field_list policy_nosuid_file_item policy_file_item ## Load configuration, deferring whitelist handling until later for config_file in \ 
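Review bot: In `load_state_without_policy`, `read -r -a field_list <<< "${line}"` followed by the `!= 4` test means a state entry whose path contains a space splits into five or more fields and is skipped with only an info-level message, so `undo_policy_for_file` can never restore that file's recorded owner and mode; the nosuid scan feeds `find -print0` results into the state, so such paths are possible. Reading into four named variables lets the last one absorb the rest of the line, and an empty path is then the only malformed case left. The `field_list` rename is fine, and the same array split in `load_state` (`IFS=' ' read -r -a field_list`) is acceptable there because config lines are administrator-written. The function's surrounding lines are inside the hunk; the rewritten body is below.
```shell
load_state_without_policy() {
  local line state_user state_group state_mode state_path

  ## Load the state file from disk
  if [ -f "${state_file}" ]; then
    while read -r line; do
      ## The path is the last field and may contain spaces; 'read' assigns
      ## the remainder of the line to the final variable.
      read -r state_user state_group state_mode state_path <<< "${line}"
      if [ -z "${state_path}" ]; then
        log info \
          "Invalid number of fields in state file line: '${line}'. Skipping."
        continue
      fi
      state_user_owner_list+=( "${state_user}" )
      state_group_owner_list+=( "${state_group}" )
      state_mode_list+=( "${state_mode}" )
      state_file_list+=( "${state_path}" )
    done < "${state_file}"
  fi
}
```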
@@ -393,7 +392,7 @@ load_state() { continue fi - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then exit_code=200 log error "Line contains invalid characters: '${line}'" >&2 ## Safer to exit with error in this case. @@ -409,40 +408,40 @@ load_state() { processed_config_line="${line}" - IFS=' ' read -r -a bit_list <<< "${line}" + IFS=' ' read -r -a field_list <<< "${line}" - if (( ${#bit_list[@]} < 2 )) \ - || (( ${#bit_list[@]} > 5 )) \ - || (( ${#bit_list[@]} == 3 )); then + if (( ${#field_list[@]} != 2 )) \ + && (( ${#field_list[@]} != 4 )) \ + && (( ${#field_list[@]} != 5 )); then exit_code=200 log error "Line contains an invalid number of fields: '${line}'" >&2 exit "${exit_code}" fi # Strip trailing slash if appropriate - bit_list[0]="${bit_list[0]%/}" + field_list[0]="${field_list[0]%/}" - case "${bit_list[1]}" in + case "${field_list[1]}" in 'exactwhitelist') - [ ! -e "${bit_list[0]}" ] && continue - policy_exact_white_list+=( "${bit_list[0]}" ) + [ ! -e "${field_list[0]}" ] && continue + policy_exact_white_list+=( "${field_list[0]}" ) continue ;; 'matchwhitelist') - policy_match_white_list+=( "${bit_list[0]}" ) + policy_match_white_list+=( "${field_list[0]}" ) continue ;; 'disablewhitelist') - policy_disable_white_list+=( "${bit_list[0]}" ) + policy_disable_white_list+=( "${field_list[0]}" ) continue ;; 'nosuid') - [ ! -e "${bit_list[0]}" ] && continue - policy_nosuid_file_list+=( "${bit_list[0]}" ) + [ ! -e "${field_list[0]}" ] && continue + policy_nosuid_file_list+=( "${field_list[0]}" ) ;; *) - [ ! -e "${bit_list[0]}" ] && continue - add_to_policy "${bit_list[@]}" + [ ! -e "${field_list[0]}" ] && continue + add_to_policy "${field_list[@]}" ;; esac done < "${config_file}" 
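Review bot: The new allow-list `^[-0-9a-zA-Z._/[:space:]]*$` rejects `=`, so if the special `whitelists_disable_all=true` line is still compared after this check — as it was in the deleted permission-hardener-old, where the equality test followed the character test — every configuration that uses it now exits with code 200; the ordering is not visible in this hunk, so please confirm. Moving the `whitelists_disable_all=true` comparison above the character check, or adding `=` to the class, resolves it either way. Replacing "contains at least one valid character" with an anchored whole-line allow-list is otherwise the right direction, since the fields go on to dpkg-statoverride and chown (and, in the old script, setcap); a short comment such as `## Whole-line allow-list: reject anything outside it before the fields reach dpkg-statoverride, chown or setcap.` would record that intent. load_state begins before this hunk.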
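Review bot: The field-count test now admits exactly 2, 4 or 5 fields for every rule type, but the `*` arm passes a 2-field line such as `/usr/bin/foo 755` on to `add_to_policy` with no owner or group; the 2-field form is only meaningful for the three whitelist keywords and `nosuid`. Unless add_to_policy rejects a missing owner/group itself (it is outside this hunk), guard the default arm: `(( ${#field_list[@]} >= 4 )) || { exit_code=200; log error "Line is missing owner/group fields: '${line}'" >&2; exit "${exit_code}"; }`. Also, `# Strip trailing slash if appropriate` keeps a single `#` while the surrounding prose comments use `##`, the convention the print_columns hunk earlier in this series was changed to follow.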
@@ -661,7 +660,7 @@ undo_policy_for_file() { state_user_owner_item="${state_user_owner_list[state_idx]}" state_group_owner_item="${state_group_owner_list[state_idx]}" state_mode_item="${state_mode_list[state_idx]}" - chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ + chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 ## chmod needs to be run after chown since chown removes suid. chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 From 0640964c35b0d977ba718629d4a8791e67700202 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 06:14:29 -0500 Subject: [PATCH 1517/1650] readme --- README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index df12ba2..5a7e36b 100644 --- a/README.md +++ b/README.md 
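Review bot: `--` is added to `chown`, but the `chmod` on the next line still runs as `chmod ${verbose} "${state_mode_item}" "${undo_file}"`, so a state-file path beginning with `-` would be parsed as an option there, and the mode field comes from the same state file; make it `chmod ${verbose} -- "${state_mode_item}" "${undo_file}" || exit_code=203`. The unquoted `${verbose}` is presumably intentional (it expands to nothing or `--verbose`), but unlike the old script this spot carries no `# shellcheck disable=SC2086`, so shellcheck will keep flagging both lines. undo_policy_for_file starts and ends outside this hunk.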
@@ -584,28 +584,30 @@ See: #### umask -Default `umask` is set to `027` for files created by non-root users such as -user `user`. +The default `umask` is set to `027` for files created by non-root users, such +as the account `user`. This is done using the PAM module `pam_mkhomedir.so umask=027`. -This means files created by non-root users cannot be read by other non-root -users by default. While Permission Lockdown already protects the `/home` folder, -this protects other folders such as `/tmp`. +This configuration ensures that files created by non-root users cannot be read +by other non-root users by default. While Permission Lockdown already protects +the `/home` folder, this setting extends protection to other folders such as +`/tmp`. `group` read permissions are not removed. This is unnecessary due to Debian's use of User Private Groups (UPGs). See also: https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root because then configuration files created -in `/etc` by the system administrator would be unreadable by "others" and break -applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The -`umask` is also set to 022 via `sudoers` configuration, so that files created -as root are world-readable even when using commands such as `sudo vi -/etc/file` or `sudo -i; touch /etc/file`. +The default `umask` is unchanged for root because configuration files created +in `/etc` by the system administrator would otherwise be unreadable by +"others," potentially breaking applications. Examples include `/etc/firefox-esr` +and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` +configuration, ensuring that files created as root are world-readable, even +when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. 
-`umask` is set to 022 rather than 027 when using `sudo`, so that commands such -as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` +When using `sudo`, the `umask` is set to `022` rather than `027` to ensure +compatibility with commands such as `sudo vi /etc/configfile` and +`sudo -i; touch /etc/file`. See: From bb24bff2965ca31de6337820eafd787a11a44a2b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 14:09:34 +0000 Subject: [PATCH 1518/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 97f695d..e706b3b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 0640964c35b0d977ba718629d4a8791e67700202 +Author: Patrick Schleizer +Date: Tue Dec 31 06:14:29 2024 -0500 + + readme + +commit 397b476a822c9f7e41ec911f5d689b67026660ad +Author: Patrick Schleizer +Date: Thu Dec 26 04:12:02 2024 +0000 + + bumped changelog version + commit 66f8c18c65f33676d242b57ebb1d4410876461b3 Merge: aa82202 6602fb1 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 09c0cc8..ad720d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 + security-misc (3:41.9-1) unstable; urgency=medium * New upstream version (local package). From 33114f771aaeb4dccb0b465861d1239129deb8b2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 31 Dec 2024 13:26:21 -0500 Subject: [PATCH 1519/1650] copyright --- COPYING | 2 +- debian/copyright | 2 +- debian/make-helper-overrides.bsh | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.gconf-defaults | 2 +- debian/security-misc.install | 2 +- debian/security-misc.links | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.triggers | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40error-on-any | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/bluetooth/30_security-misc.conf | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/40_remount_secure.cfg | 2 +- etc/default/grub.d/40_signed_modules.cfg | 2 +- etc/default/grub.d/41_quiet_boot.cfg | 2 +- etc/default/grub.d/41_recovery_restrict.cfg | 2 +- etc/dracut.conf.d/30-security-misc.conf | 2 +- etc/gitconfig | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc_blacklist.conf | 2 +- etc/modprobe.d/30_security-misc_conntrack.conf | 2 +- etc/modprobe.d/30_security-misc_disable.conf | 2 +- etc/profile.d/30_security-misc.sh | 2 +- etc/securetty.security-misc | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/faillock.conf.security-misc | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/security-misc | 2 +- etc/systemd/system/emergency.service.d/override.conf | 2 +- etc/systemd/system/rescue.service.d/override.conf | 2 +- 
etc/thunderbird/pref/40_security-misc.js | 2 +- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-framebuffer-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-intelpmt-by-security-misc | 2 +- usr/bin/disabled-miscellaneous-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/permission-hardener | 2 +- usr/bin/remount-secure | 2 +- usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 2 +- usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 2 +- .../modules.d-disabled/20remount-secure/module-setup.sh | 2 +- .../modules.d-disabled/20remount-secure/remount-secure.sh | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/permission-hardener.d/25_default_passwd.conf | 2 +- usr/lib/permission-hardener.d/25_default_sudo.conf | 2 +- .../25_default_whitelist_bubblewrap.conf | 2 +- .../permission-hardener.d/25_default_whitelist_chromium.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf | 2 +- .../permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf | 2 +- .../25_default_whitelist_hardened_malloc.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_mount.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_pam.conf | 2 +- .../permission-hardener.d/25_default_whitelist_policykit.conf | 2 +- .../permission-hardener.d/25_default_whitelist_postfix.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 2 +- .../permission-hardener.d/25_default_whitelist_selinux.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_spice.conf | 2 +- 
usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf | 2 +- .../25_default_whitelist_unix_chkpwd.conf | 2 +- .../25_default_whitelist_virtualbox.conf | 2 +- usr/lib/permission-hardener.d/30_default.conf | 2 +- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 2 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- usr/lib/systemd/coredump.conf.d/30_security-misc.conf | 2 +- .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 2 +- usr/lib/systemd/system-preset/50-security-misc.preset | 2 +- usr/lib/systemd/system/harden-module-loading.service | 2 +- .../systemd/system/haveged.service.d/30_security-misc.conf | 2 +- usr/lib/systemd/system/hide-hardware-info.service | 2 +- usr/lib/systemd/system/panic-on-oops.service | 2 +- usr/lib/systemd/system/permission-hardener.service | 2 +- usr/lib/systemd/system/proc-hidepid.service | 2 +- usr/lib/systemd/system/remount-secure.service | 2 +- usr/lib/systemd/system/remove-system-map.service | 2 +- usr/lib/systemd/system/sysinit-post.target | 2 +- usr/lib/systemd/system/user@.service.d/sysfs.conf | 2 +- usr/libexec/security-misc/apt-get-update | 2 +- usr/libexec/security-misc/apt-get-update-sanity-test | 2 +- usr/libexec/security-misc/askpass | 2 +- usr/libexec/security-misc/disable-kernel-module-loading | 2 +- usr/libexec/security-misc/echo-path | 2 +- usr/libexec/security-misc/hide-hardware-info | 2 +- usr/libexec/security-misc/mmap-rnd-bits | 4 ++-- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- usr/libexec/security-misc/pam_faillock_not_if_x | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/panic-on-oops | 2 +- usr/libexec/security-misc/permission-lockdown | 2 +- usr/libexec/security-misc/remove-system.map | 2 +- usr/libexec/security-misc/virusforget | 2 +- 
usr/share/glib-2.0/schemas/30_security-misc.gschema.override | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 120 files changed, 121 insertions(+), 121 deletions(-) diff --git a/COPYING b/COPYING index bf11138..829d909 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC License: AGPL-3+ License: AGPL-3+ diff --git a/debian/copyright b/debian/copyright index bf11138..829d909 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC License: AGPL-3+ License: AGPL-3+ diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index ca24e42..dda635e 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 diff --git a/debian/rules b/debian/rules index 60f46e0..ca5e85c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 29392d5..78257f6 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/securetty.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index ebfb7f3..b79536a 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /apps/nautilus/preview_sound never diff --git a/debian/security-misc.install b/debian/security-misc.install index 51e61ce..6d5f850 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,4 +1,4 @@ -## Copyright (C) 2020 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. diff --git a/debian/security-misc.links b/debian/security-misc.links index 467193f..c3369df 100644 --- a/debian/security-misc.links +++ b/debian/security-misc.links @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index adce7ef..9e990e4 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 41aa3dc..8cbe4d7 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index d474547..13dc588 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index f10ff11..992ff96 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index b1f7db3..1c4cd87 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 2cadd25..1f4a592 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## use noawait diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 6db9354..990101a 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/login.defs.security-misc diff --git a/debian/watch b/debian/watch index e38736e..86f015f 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. version=4 diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 5256089..d63d5db 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index 85de3be..f1be472 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index e8025ac..43150ec 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf index 8f45502..91ce2d3 100644 --- a/etc/bluetooth/30_security-misc.conf +++ b/etc/bluetooth/30_security-misc.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [General] diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fa750b7..6194b8f 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e41dabb..748bf47 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index f06235b..c3cc30a 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 75cd3bb..36af7f3 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 9623625..96d43cd 100644 
--- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index 530a728..89fe02f 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 4e24799..5b3c7b5 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. reproducible=yes diff --git a/etc/gitconfig b/etc/gitconfig index 4955199..8ce67b4 100644 --- a/etc/gitconfig +++ b/etc/gitconfig @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Lines starting with a hash symbol ('#') are comments. diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 07e1c7e..7c41eb4 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 22ceaf1..022c6af 100755 
--- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 88d0162..e4792e7 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index f5e3d96..416c808 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index af312b2..49e4fcb 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections. diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index c1a641b..29cbb74 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Conntrack: diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 561441a..c7fc2b6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections. diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 41aa6ac..c1adb22 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index e32ca29..c98d20d 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # /etc/securetty: list of terminals on which root is allowed to login. diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index a78abd1..c7f002f 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable root login, see: 
diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index 3442279..4b70cde 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # Configuration for locking the user after multiple failed diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index 91a08a3..d494b14 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index 0f588ae..dd94349 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index cc700a9..1fa2146 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Neither of these are needed. diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index a7d4469..42fefd4 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index a7d4469..42fefd4 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index 49df52d..931f9d2 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC //#### See the file COPYING for copying conditions. //#### meta start diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index d576b26..0a4c308 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index af27e08..f017e76 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index faffe58..f0cf9b4 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index 4886755..c0d035a 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index 681bc40..c287c21 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 51997c1..149249a 100755 --- a/usr/bin/disabled-gps-by-security-misc 
+++ b/usr/bin/disabled-gps-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index dc2bb72..094fa29 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 76daa06..45a7aa4 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index 6eff13c..5848c6e 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index 8775acb..ed4e792 100755 
--- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index a6a87db..f8c3129 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index 5bac656..c6d1d71 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c88b54f..1f19b6e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 14da1fe..865867d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## features: diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf index 246eaf2..3d0a483 100644 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index dfeda10..8088591 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh index e5a4188..8917091 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # called by dracut diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh index de44d46..0e0a0c1 100755 
--- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This script is intended to remount specified mount points with more secure diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 08ee22a..2b38546 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf index 6313e15..ef4a1d9 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_passwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf index ee46b0e..74aedca 100644 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 57ad396..7c44b1a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf index 68f54ed..01ea21c 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf index 4c185ca..d6aadc9 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf index fbece5c..5b7351f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf index a8b41b1..8c5563a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf index 5437436..acf20b6 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf index c0a4f96..bf86ba9 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf index f9d8a08..00ee52d 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index 227b5fc..beb7531 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf index d15b564..5ebdae3 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index ec84733..0bd997f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf index 0259ef1..fd74488 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf index 85e0197..df29fec 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 8d9eba5..5511112 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index 7003861..a68564d 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index 5953d85..05d5235 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf index d9c68bc..621a6b2 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf index d35ee5a..27605d9 100644 --- a/usr/lib/permission-hardener.d/30_default.conf +++ b/usr/lib/permission-hardener.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 5c38e38..0ef99da 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index a1fd57e..d8febf9 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..02cbf4e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## NOTE: diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf index 2cb1b1a..2d02bc9 100644 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf +++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Coredump] diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index 5959004..5de38c4 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf 
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset index 37374b3..1895526 100644 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ b/usr/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service index 3394623..8efea40 100644 --- a/usr/lib/systemd/system/harden-module-loading.service +++ b/usr/lib/systemd/system/harden-module-loading.service @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf index 97d4688..2981464 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service index 6d39335..659c3f5 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service 
+++ b/usr/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index cf13053..6b10ddc 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service index 99d4c37..109c9fd 100644 --- a/usr/lib/systemd/system/permission-hardener.service +++ b/usr/lib/systemd/system/permission-hardener.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service index f48211d..d7ea4d9 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 414bba6..2489d34 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] 
diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service index 51041f2..1e36d61 100644 --- a/usr/lib/systemd/system/remove-system-map.service +++ b/usr/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target index 336133b..c00e91e 100644 --- a/usr/lib/systemd/system/sysinit-post.target +++ b/usr/lib/systemd/system/sysinit-post.target @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf index 2c27ce5..3a9129d 100644 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf +++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Service] diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 3c91ffd..fc90a5e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -o errexit diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index a363fae..a5b7709 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index c3bb41a..56ecffc 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading index 1916cc0..80d3190 100755 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 4a82272..3bcc2cd 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index ad532b5..acf24ef 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -o errexit diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 74078fa..25745c2 100755 
--- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 4e02f3c..52da1c2 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 085f118..d94e413 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable debug log, run: diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index edfa35d..433dca8 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index f81592e..568f037 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 73c22d0..749eb3c 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index a5623b2..31aaee4 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index 5341844..5b75f6d 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 62b6823..a5cb3ea 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 92b5348..2f56805 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -1,4 +1,4 @@ -## Copyright (C) 2017 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [org.gnome.nautilus.preferences] diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 0a24ab0..26c3c70 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 00e7768..9028487 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions [PreviewSettings] 
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index e1485b6..150e06b 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 3e5edc3..4e1754c 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #set -x From 40b23cfad40825eefc3686e562d78250b58bbc82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 18:42:01 +0000 Subject: [PATCH 1520/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e706b3b..69fec66 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 33114f771aaeb4dccb0b465861d1239129deb8b2 +Author: Patrick Schleizer +Date: Tue Dec 31 13:26:21 2024 -0500 + + copyright + +commit bb24bff2965ca31de6337820eafd787a11a44a2b +Author: Patrick Schleizer +Date: Tue Dec 31 14:09:34 2024 +0000 + + bumped changelog version + commit 0640964c35b0d977ba718629d4a8791e67700202 Author: Patrick Schleizer Date: Tue Dec 31 06:14:29 2024 -0500 diff --git a/debian/changelog b/debian/changelog index ad720d8..9020a37 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 + security-misc (3:42.0-1) unstable; urgency=medium * New upstream version (local package). From 93ebf176c5f38bd268e5394e01421e46b9ae7dff Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 2 Jan 2025 20:41:40 -0500 Subject: [PATCH 1521/1650] Make the main field count check in permission-hardener a bit more elegant --- usr/bin/permission-hardener | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3ed62b3..11bdfb9 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -410,13 +410,14 @@ load_state() { IFS=' ' read -r -a field_list <<< "${line}" - if (( ${#field_list[@]} != 2 )) \ - && (( ${#field_list[@]} != 4 )) \ - && (( ${#field_list[@]} != 5 )); then - exit_code=200 - log error "Line contains an invalid number of fields: '${line}'" >&2 - exit "${exit_code}" - fi + case "${#field_list[@]}" in + 2|4|5) true;; + *) + exit_code=200 + log error "Line contains an invalid number of fields: '${line}'" >&2 + exit "${exit_code}" + ;; + esac # Strip trailing slash if appropriate field_list[0]="${field_list[0]%/}" From d4767b75206b46f1a006cd91b00239a7b828fc89 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Jan 2025 04:24:44 -0500 Subject: [PATCH 1522/1650] fix: apply PAM wheal only to `su` PAM service --- usr/libexec/security-misc/pam_only_if_su | 17 +++++++++++++++++ usr/share/pam-configs/wheel-security-misc | 1 + 2 files changed, 18 insertions(+) create mode 100755 usr/libexec/security-misc/pam_only_if_su diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su new file mode 100755 index 0000000..604510f --- /dev/null +++ b/usr/libexec/security-misc/pam_only_if_su 
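Review bot: The `2|4|5) true;;` arm of the new case statement uses `true` as a filler where bash accepts an empty clause; `2|4|5) ;;` says "valid field count, nothing to do" more directly. A short comment above the case, such as `# Accepted state-file line shapes: 2, 4 or 5 whitespace-separated fields`, would also record why exactly these counts are valid, since the meaning of each shape is not visible in this hunk. The enclosing load_state function starts and ends outside the hunk.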
@@ -0,0 +1,17 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Similar to: +## /usr/libexec/security-misc/pam_only_if_login + +set -x + +true "PAM_SERVICE: $PAM_SERVICE" + +if [ "$PAM_SERVICE" = "su" ]; then + exit 1 +else + exit 0 +fi diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index 323ff72..10dcb88 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -3,4 +3,5 @@ Default: yes Priority: 280 Auth-Type: Primary Auth: + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su requisite pam_wheel.so group=sudo debug From 6e0787957b53a64132b64e2a29bafe3e4b66d178 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Jan 2025 05:29:40 -0500 Subject: [PATCH 1523/1650] increase priority of pam wheel so it is checked even before faillock in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later be rejected tu to lack of group membership --- usr/share/pam-configs/wheel-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index 10dcb88..eb8a9df 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -1,6 +1,6 @@ Name: group sudo membership required to use su (by package security-misc) Default: yes -Priority: 280 +Priority: 1050 Auth-Type: Primary Auth: [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su From c6be621968c898f792ef1a450d2e1be5cd6056da Mon Sep 17 00:00:00 2001 
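Review bot: The added helper compares `$PAM_SERVICE` only against the literal `su`, so any other service name that reaches this pam-auth-update stack — the login variant `su -` runs under the service name `su-l` on util-linux systems, if I recall correctly — takes the exit-0 path and, via `[success=1 default=ignore]`, skips the pam_wheel line entirely. If that holds, `su -l` would not require `sudo` group membership; `case "$PAM_SERVICE" in su|su-l) exit 1 ;; *) exit 0 ;; esac` would cover both, but please confirm the actual service names on the target release before widening the match. Separately, `set -x` is enabled unconditionally in a script that runs for every authentication on the stack, tracing each command (including the `true "PAM_SERVICE: ..."` line) to stderr on every attempt; that looks like leftover debugging and should be dropped or gated on an explicit debug variable. The exit-code convention (1 for su, 0 otherwise) is the inverse of what the file name suggests, so a comment such as `## exit 1 = "this is su, fall through to the next pam_wheel line"; exit 0 = skip it (see [success=1 default=ignore] in wheel-security-misc)` would help the next reader.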
From: Patrick Schleizer Date: Mon, 6 Jan 2025 10:31:40 +0000 Subject: [PATCH 1524/1650] bumped changelog version --- changelog.upstream | 21 +++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 69fec66..3db2650 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,24 @@ +commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 +Author: Patrick Schleizer +Date: Mon Jan 6 05:29:40 2025 -0500 + + increase priority of pam wheel so it is checked even before faillock + + in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later + be rejected tu to lack of group membership + +commit d4767b75206b46f1a006cd91b00239a7b828fc89 +Author: Patrick Schleizer +Date: Mon Jan 6 04:24:44 2025 -0500 + + fix: apply PAM wheal only to `su` PAM service + +commit 40b23cfad40825eefc3686e562d78250b58bbc82 +Author: Patrick Schleizer +Date: Tue Dec 31 18:42:01 2024 +0000 + + bumped changelog version + commit 33114f771aaeb4dccb0b465861d1239129deb8b2 Author: Patrick Schleizer Date: Tue Dec 31 13:26:21 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9020a37..d6dcbb3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 + security-misc (3:42.1-1) unstable; urgency=medium * New upstream version (local package). From 5941195e96880b8beb2a791d3c21f3a4c6d429eb Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Tue, 7 Jan 2025 14:10:46 -0600 Subject: [PATCH 1525/1650] Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory --- usr/lib/permission-hardener.d/25_default_passwd.conf | 1 - usr/lib/permission-hardener.d/25_default_sudo.conf | 1 - .../25_default_whitelist_bubblewrap.conf | 1 - usr/lib/permission-hardener.d/25_default_whitelist_mount.conf | 4 ---- .../permission-hardener.d/25_default_whitelist_policykit.conf | 2 -- usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf | 1 - 6 files changed, 10 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf index ef4a1d9..fb34f38 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_passwd.conf @@ -11,4 +11,3 @@ # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd 0755 root root -/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf index 74aedca..e575449 100644 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_sudo.conf @@ -17,4 +17,3 @@ ## compromised network-facing daemon (such as web servers, time synchronization daemons, ## etc.) running as its own user from exploiting sudo to escalate privileges. #/usr/bin/sudo 4750 root sudo -#/bin/sudo 4750 root sudo diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 7c44b1a..f1e873f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -6,4 +6,3 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/bwrap exactwhitelist -/bin/bwrap exactwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf index bf86ba9..ac5e9d1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf @@ -8,14 +8,10 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## Protect from 'chmod -x' (and SUID removal). ## SUID will be removed below in separate step. -/bin/mount exactwhitelist /usr/bin/mount exactwhitelist -/bin/umount exactwhitelist /usr/bin/umount exactwhitelist ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/bin/mount 755 root root /usr/bin/mount 755 root root -/bin/umount 755 root root /usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index beb7531..8133fab 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -6,9 +6,7 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/pkexec exactwhitelist -/bin/pkexec exactwhitelist /usr/bin/pkexec.security-misc-orig exactwhitelist -/bin/pkexec.security-misc-orig exactwhitelist ## TODO: research ## match both: diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index a68564d..ee68aba 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -6,4 +6,3 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/sudo exactwhitelist -/bin/sudo exactwhitelist From 5e3785d76e616f49407e720b37138f35a50fe4fb Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Wed, 8 Jan 2025 18:35:52 +1100 Subject: [PATCH 1526/1650] README.md: Remove double space --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f35178..3df75fb 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. -- Deny sending and receiving shared media redirects to reduce the risk of IP +- Deny sending and receiving shared media redirects to reduce the risk of IP spoofing attacks. - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP From 1f8eee47200221e2e38291a31e852e9c222d8c64 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 8 Jan 2025 18:36:00 +1100 Subject: [PATCH 1527/1650] Add missing sentence full stop --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index fd3ce59..8a89cb8 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -454,7 +454,7 @@ net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.shared_media=0 ## Enable ARP (Address Resolution Protocol) filtering. -## Prevents the Linux kernel from handling the ARP table globally +## Prevents the Linux kernel from handling the ARP table globally. ## Can mitigate some ARP spoofing and ARP cache poisoning attacks. ## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. ## From 538b312349a97bcecb12e62519d77840afcd6ca3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 Jan 2025 15:28:56 +1100 Subject: [PATCH 1528/1650] Add comment about microcode updates --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d2232b3..795cc72 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -21,6 +21,11 @@ ## Tabular comparison between the utility and functionality of various mitigations. ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 +## For complete protection, users must install the latest relevant security microcode update. +## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. +## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. +## The parameters below only provide (partial) protection at both the kernel and user space level. + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From cf435a8fa8e6f795a25ef004cf44a65d461dd32c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 10 Jan 2025 13:22:21 +1100 Subject: [PATCH 1529/1650] README.md: Note importance of microcode updates --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index df12ba2..05685b4 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,9 @@ Networking: Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve +complete protection for known CPU vulnerabilities, the latest security microcode +(BIOS/UEFI) updates must also be installed on the system. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` From 482960d056ec8d624f127bfe9b1c69a4c30c7e34 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 10 Jan 2025 10:21:12 -0500 Subject: [PATCH 1530/1650] permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration https://github.com/Kicksecure/security-misc/pull/294 --- debian/security-misc.postinst | 11 ----------- usr/bin/permission-hardener | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 8cbe4d7..d62cebc 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,16 +15,6 @@ true " ##################################################################### " -permission_hardening_legacy_state_files() { - if test -d /var/lib/permission-hardener ; then - return 0 - fi - if ! test -d /var/lib/permission-hardening ; then - return 0 - fi - mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener -} - permission_hardening_legacy_config_folder() { if ! test -d /etc/permission-hardening.d ; then return 0 @@ -77,7 +67,6 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening_legacy_state_files permission_hardening diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 11bdfb9..b2991e0 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -19,7 +19,7 @@ set -o errexit -o nounset -o pipefail ## Constants # shellcheck disable=SC2034 log_level=notice -store_dir="/var/lib/permission-hardener" +store_dir="/var/lib/permission-hardener-v2" state_file="${store_dir}/existing_mode/statoverride" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" From 485d9abd1d14e445b48f0fd63290a985b05a5ac7 Mon Sep 17 00:00:00 2001 
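Review bot: The `store_dir` change to `/var/lib/permission-hardener-v2` abandons whatever `existing_mode` state permission-hardener had recorded under `/var/lib/permission-hardener`, and the same commit deletes the legacy-state mover in postinst, so nothing left in the code explains why the old directory is neither migrated nor removed. A comment next to the assignment, e.g. `## v2 state layout; the pre-v2 store at /var/lib/permission-hardener is intentionally left in place and not migrated (see PR #294)`, would stop the next maintainer from re-adding a mover and would make explicit that anything relying on the recorded original modes only knows about objects processed after this change. Whether the v1 state is still needed for reverting hardened modes is my inference from the `existing_mode` name; please confirm.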
From: Patrick Schleizer Date: Fri, 10 Jan 2025 15:34:21 +0000 Subject: [PATCH 1531/1650] bumped changelog version --- changelog.upstream | 171 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 177 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3db2650..2d113b6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,113 @@ +commit c17485baa118e76cc8074ce3e72ac3ac38c577cd +Merge: 482960d e9ef360 +Author: Patrick Schleizer +Date: Fri Jan 10 10:32:26 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e9ef3602dd1661de0c0c3781d7e0246720643354 +Merge: 1b33e83 cf435a8 +Author: Patrick Schleizer +Date: Fri Jan 10 10:30:34 2025 -0500 + + Merge pull request #292 from raja-grewal/cpu_table + + Add link to tabular comparison of CPU mitigations + +commit 1b33e83529d652dab4468e0b386e333b3ca4745b +Merge: 486757b 2e6e170 +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:30 2025 -0500 + + Merge pull request #291 from raja-grewal/drop_gratuitous_arp + + Drop gratuitous ARP packets + +commit 486757bfae5e7ecc389b16c49704e742fd267565 +Merge: 17ff249 c37f4ef +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:12 2025 -0500 + + Merge pull request #290 from raja-grewal/arp_ignore + + Respond to ARP requests only if the target IP address is on-link + +commit 17ff24915062736a32d4d54da7163fe34aa70fd3 +Merge: 27d19ba 1f8eee4 +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:48 2025 -0500 + + Merge pull request #289 from raja-grewal/arp_filter + + Enable ARP filtering + +commit 27d19ba568e601c37035a310ae6cdd7d953be286 +Merge: 482960d 5e3785d +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:05 2025 -0500 + + Merge pull request #288 from raja-grewal/shared_media + + Deny sending and receiving shared media redirects + +commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 +Author: Patrick Schleizer +Date: Fri Jan 10 10:21:12 2025 -0500 + + permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration + + https://github.com/Kicksecure/security-misc/pull/294 + +commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c +Author: raja-grewal +Date: Fri Jan 10 13:22:21 2025 +1100 + + README.md: Note importance of microcode updates + +commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 +Merge: c4cfb85 5941195 +Author: Patrick Schleizer +Date: Thu Jan 9 
09:30:58 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' + +commit 538b312349a97bcecb12e62519d77840afcd6ca3 +Author: raja-grewal +Date: Thu Jan 9 15:28:56 2025 +1100 + + Add comment about microcode updates + +commit 1f8eee47200221e2e38291a31e852e9c222d8c64 +Author: raja-grewal +Date: Wed Jan 8 18:36:00 2025 +1100 + + Add missing sentence full stop + +commit 5e3785d76e616f49407e720b37138f35a50fe4fb +Author: raja-grewal +Date: Wed Jan 8 18:35:52 2025 +1100 + + README.md: Remove double space + +commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb +Author: Aaron Rainbolt +Date: Tue Jan 7 14:10:46 2025 -0600 + + Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory + +commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 +Merge: c6be621 93ebf17 +Author: Patrick Schleizer +Date: Mon Jan 6 08:43:54 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' + +commit c6be621968c898f792ef1a450d2e1be5cd6056da +Author: Patrick Schleizer +Date: Mon Jan 6 10:31:40 2025 +0000 + + bumped changelog version + commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 Author: Patrick Schleizer Date: Mon Jan 6 05:29:40 2025 -0500 @@ -13,6 +123,19 @@ Date: Mon Jan 6 04:24:44 2025 -0500 fix: apply PAM wheal only to `su` PAM service +commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff +Author: Aaron Rainbolt +Date: Thu Jan 2 20:41:40 2025 -0500 + + Make the main field count check in permission-hardener a bit more elegant + +commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc +Merge: 717e6fc 40b23cf +Author: Aaron Rainbolt +Date: Wed Jan 1 15:04:01 2025 -0600 + + Merge branch 'master' into arraybolt3/permission-hardener-refactor + commit 40b23cfad40825eefc3686e562d78250b58bbc82 Author: Patrick Schleizer Date: Tue Dec 31 18:42:01 2024 +0000 
@@ -37,6 +160,18 @@ Date: Tue Dec 31 06:14:29 2024 -0500 readme +commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 +Author: Aaron Rainbolt +Date: Mon Dec 30 19:23:20 2024 -0600 + + Post-review improvements to permission-hardener + +commit dbcb612517abbf8d162cfb31ba0585c518df8817 +Author: Aaron Rainbolt +Date: Wed Dec 25 19:48:28 2024 -0600 + + Polish permission-hardener refactor + commit 397b476a822c9f7e41ec911f5d689b67026660ad Author: Patrick Schleizer Date: Thu Dec 26 04:12:02 2024 +0000 @@ -50,6 +185,12 @@ Date: Wed Dec 25 22:43:04 2024 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' +commit 83d386795940099e0835c51f3522aae3d9217dc8 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:14:57 2024 -0600 + + Refactor permission-hardener to be more idempotent + commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 Author: Aaron Rainbolt Date: Tue Dec 24 20:52:34 2024 -0600 @@ -130,6 +271,12 @@ Date: Thu Dec 19 10:58:50 2024 +0000 bumped changelog version +commit 642b4eeedc43e69bb82ea259b52c0946ce638983 +Author: raja-grewal +Date: Thu Dec 19 21:57:25 2024 +1100 + + Add link to tabular comparison of CPU mitigations + commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Author: Patrick Schleizer Date: Thu Dec 19 05:56:50 2024 -0500 
@@ -143,6 +290,30 @@ Date: Thu Dec 19 05:56:01 2024 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' +commit 2e6e1701a052ef32711f6c3abaad693a773323f6 +Author: raja-grewal +Date: Thu Dec 19 10:35:08 2024 +0000 + + Set `net.ipv4.conf.*.drop_gratuitous_arp=1` + +commit c37f4efadf8f046168732871172cb66f58eb7c78 +Author: raja-grewal +Date: Thu Dec 19 10:33:49 2024 +0000 + + Set `net.ipv4.conf.*.arp_ignore=2` + +commit af1d06973bdd46af3e39b0bdfda81b950ccac996 +Author: raja-grewal +Date: Thu Dec 19 10:31:43 2024 +0000 + + Set `net.ipv4.conf.*.arp_filter=1` + +commit 750367a9066ca2a0ff819b438a92cb1f6c325edb +Author: raja-grewal +Date: Thu Dec 19 10:29:56 2024 +0000 + + Set `net.ipv4.conf.*.shared_media=0` + commit 95b535764c8a98b67a71ee1fd57b7f01da464106 Author: Patrick Schleizer Date: Thu Dec 19 09:43:26 2024 +0000 diff --git a/debian/changelog b/debian/changelog index d6dcbb3..a861ab5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 + security-misc (3:42.2-1) unstable; urgency=medium * New upstream version (local package). From d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 05:36:16 -0500 Subject: [PATCH 1532/1650] formatting. use chapter to make allow for deep linking --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a4e391f..a67909a 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ many more sources. sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file and significant hardening is applied to a myriad of components. -Kernel space: +#### Kernel space - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -55,7 +55,7 @@ Kernel space: - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. -User space: +#### User space - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable @@ -79,16 +79,16 @@ User space: on a magic number or their file extension to prevent unintended code execution. See issue: https://github.com/Kicksecure/security-misc/issues/267 -Core dumps: +#### Core dumps - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. -Swap space: +#### Swap space - Limit the copying of potentially sensitive content in memory to the swap device. -Networking: +#### Networking - Enable hardening of the BPF JIT compiler protect against JIT spraying. From b0baa8baa57937358dc988b88adab4858a1d8cae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 05:38:35 -0500 Subject: [PATCH 1533/1650] add link --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a67909a..06f31d9 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,8 @@ configuration file and significant hardening is applied to a myriad of component - Optional - Enable IPv6 Privacy Extensions. +- Documentation: https://www.kicksecure.com/wiki/Networking + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form From de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 11:47:18 +0000 Subject: [PATCH 1534/1650] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2d113b6..d09f087 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,23 @@ +commit b0baa8baa57937358dc988b88adab4858a1d8cae +Author: Patrick Schleizer +Date: Sun Jan 12 05:38:35 2025 -0500 + + add link + +commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 +Author: Patrick Schleizer +Date: Sun Jan 12 05:36:16 2025 -0500 + + formatting. + + use chapter to make allow for deep linking + +commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 +Author: Patrick Schleizer +Date: Fri Jan 10 15:34:21 2025 +0000 + + bumped changelog version + commit c17485baa118e76cc8074ce3e72ac3ac38c577cd Merge: 482960d e9ef360 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a861ab5..8c72c04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 + security-misc (3:42.3-1) unstable; urgency=medium * New upstream version (local package). From 07786de03953b91310588e0b37b9e150bf1b4736 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 19:34:41 -0600 Subject: [PATCH 1535/1650] Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 --- debian/control | 3 +- debian/po/POTFILES.in | 1 + debian/po/templates.pot | 34 ++++++++++++++++++ debian/security-misc.config | 64 ++++++++++++++++++++++++++++++++++ debian/security-misc.postinst | 62 ++++++++++++++++++++++++++++++-- debian/security-misc.templates | 7 ++++ 6 files changed, 167 insertions(+), 4 deletions(-) create mode 100644 debian/po/POTFILES.in create mode 100644 debian/po/templates.pot create mode 100644 debian/security-misc.config create mode 100644 debian/security-misc.templates diff --git a/debian/control b/debian/control index 4909511..d45f96d 100644 --- a/debian/control +++ b/debian/control 
@@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer Build-Depends: config-package-dev, debhelper (>= 13), debhelper-compat (= 13), - dh-apparmor + dh-apparmor, + po-debconf Homepage: https://www.kicksecure.com/wiki/Security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Git: https://github.com/Kicksecure/security-misc.git diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..435938f --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..3ebab2d --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,34 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the security-misc package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: security-misc\n" +"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" +"POT-Creation-Date: 2025-01-12 19:28-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "Manual intervention may be required for permission-hardener update" +msgstr "" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "" +"permission-hardener is being updated to correct a bug that caused state file " +"corruption. If you installed your own custom permission-hardener " +"configuration, some manual intervention may be required. See https://www." +"kicksecure.com/wiki/Permission-hardener#Fixing_state_files" +msgstr "" diff --git a/debian/security-misc.config b/debian/security-misc.config new file mode 100644 index 0000000..86722de --- /dev/null 
+++ b/debian/security-misc.config 
@@ -0,0 +1,64 @@ +#!/bin/bash + +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +source /usr/share/debconf/confmodule + +check_migrate_permission_hardener_state() { + local orig_hardening_arr custom_hardening_arr config_file + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + # TODO: Is there some way to autogenerate this list at runtime? + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + ) + readarray -t 
custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + custom_hardening_arr+=( "${config_file}" ) + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade + # shellcheck disable=SC2119 + db_go + fi + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" +} + +check_migrate_permission_hardener_state \ No newline at end of file diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d62cebc..5866b7b 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi +## Required since this package uses debconf - this is mandatory even though +## the postinst itself does not use debconf commands. +source /usr/share/debconf/confmodule + set -e true " ##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " 
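Review bot: The `for config_file in /usr/lib/permission-hardener.d/*.conf /etc/permission-hardener.d/*.conf ...` loop runs without `nullglob`, so every pattern that matches nothing (for instance `/usr/local/etc/permission-hardener.d/*.conf` on a typical system) is iterated as the literal pattern string, is not found in `orig_hardening_arr`, and is appended to `custom_hardening_arr` — which means the "manual intervention" debconf note fires on essentially every install, not only where custom configuration exists. Adding `shopt -s nullglob` before the loop (or `[ -e "${config_file}" ] || continue` as its first statement) fixes that. The `=~` membership test also treats the path as a regular expression, so each `.` matches any character; `[[ " ${orig_hardening_arr[*]} " == *" ${config_file} "* ]]` is the literal-match form and would not need the SC2076 suppression. The `readarray` fed by `dpkg -V | awk '... { print $NF }'` additionally assumes paths contain no whitespace, which holds for the shipped names but deserves a comment.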
@@ -33,6 +37,55 @@ permission_hardening() { echo "$0: INFO: Permission hardening success." } +migrate_permission_hardener_state() { + local v2_state_file + + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + ## This has to be stored in the postinst rather than installed by the + ## package, because permission-hardener *will* change it and we *cannot* + ## allow future package updates to overwrite it. + v2_state_file="root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 755 /bin/ping +root root 777 /etc/motd +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/bin/chsh +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 755 /etc/permission-hardener.d +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 777 /etc/issue +root root 755 /etc/cron.d" + + ## Not using sponge since moreutils might not be installed at this point. + mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride' + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" +} + case "$1" in configure) if [ -d /etc/skel/.gnupg ]; then 
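Review bot: `migrate_permission_hardener_state` writes the hard-coded `v2_state_file` snapshot into `/var/lib/permission-hardener-v2/existing_mode/statoverride` unconditionally on first run, guarded only by the do_once marker; if permission-hardener had already populated the v2 store (the `store_dir` switch to `-v2` ships earlier in this series and is listed under 3:42.3 in changelog.upstream), the genuinely recorded modes are overwritten by this static list, and on a fresh install the list is seeded as "existing mode" although nothing was observed. A guard such as `if [ -e '/var/lib/permission-hardener-v2/existing_mode/statoverride' ]; then return 0; fi` before the write — or restricting the call in `configure)` to upgrades from a v1 version via `$2` — would confine it to the intended migration case. The entries `root root 777 /etc/motd` and `root root 777 /etc/issue` presumably capture symlink modes rather than file modes; a comment saying so would head off a future "fix" to 644. The list also still carries `/bin/ping` although the `/bin` entries were dropped from the shipped .conf files earlier in this series; worth stating whether that is intentional on merged-/usr systems.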
@@ -45,13 +98,16 @@ case "$1" in ## state dir for faillock mkdir -p /var/lib/security-misc/faillock + + ## migrate permission_hardener state to v2 if applicable + migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true permission_hardening @@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " diff --git a/debian/security-misc.templates b/debian/security-misc.templates new file mode 100644 index 0000000..53b2ed3 --- /dev/null +++ b/debian/security-misc.templates @@ -0,0 +1,7 @@ +Template: security-misc/alert-on-permission-hardener-v2-upgrade +Type: note +_Description: Manual intervention may be required for permission-hardener update + permission-hardener is being updated to correct a bug that caused state file + corruption. If you installed your own custom permission-hardener configuration, + some manual intervention may be required. See + https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files From 5570d3e5b9f97f14c772facff16dc45df66d42e9 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 20:40:41 -0600 Subject: [PATCH 1536/1650] Add a forgotten set -e --- debian/security-misc.config | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
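Review bot: In the `triggered)` branch the replaced log line now reads `$\*: '$*'`; inside double quotes a backslash does not escape `*`, so the text emitted is the literal `$\*:` (just as the previous `$\@` emitted `$\@:`). `\$*: '$*'` is presumably what was intended so the label shows `$*:`. Cosmetic, but it is the one line this commit touches here besides the new `migrate_permission_hardener_state` call.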
diff --git a/debian/security-misc.config b/debian/security-misc.config index 86722de..3880207 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -5,6 +5,8 @@ source /usr/share/debconf/confmodule +set -e + check_migrate_permission_hardener_state() { local orig_hardening_arr custom_hardening_arr config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then @@ -61,4 +63,4 @@ check_migrate_permission_hardener_state() { touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } -check_migrate_permission_hardener_state \ No newline at end of file +check_migrate_permission_hardener_state From a9e87e9d308f5e61a2d2054fa038dae6faadad3a Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 21:13:43 -0600 Subject: [PATCH 1537/1650] Prevent installation failures when installing non-interactively --- debian/security-misc.config | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 3880207..29d0992 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -55,9 +55,12 @@ check_migrate_permission_hardener_state() { done if [ "${#custom_hardening_arr[@]}" != '0' ]; then - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here # shellcheck disable=SC2119 - db_go + db_go || true fi touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" From de9ebabd46798ff2afa259907b6a7b976070e7f0 Mon Sep 17 00:00:00 2001 
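Review bot: In the `check_migrate_permission_hardener_state` hunk, `db_input ... || true` and `db_go || true` swallow every non-zero return, not only the return code 30 the new comments describe, so a genuine debconf protocol error (e.g. 10 or 20) is now silent as well under the `set -e` added in the preceding hunk. If the intent is only to tolerate a skipped question, `db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || [ "$?" -eq 30 ]` and `db_go || [ "$?" -eq 30 ]` keep fail-fast behaviour for the other codes. `|| true` is the common Debian idiom, so this is a judgment call, but either choice deserves a comment stating which failures are deliberately ignored. The enclosing function starts outside this hunk.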
From: Aaron Rainbolt Date: Mon, 13 Jan 2025 21:57:10 -0600 Subject: [PATCH 1538/1650] Fix minor migration bugs, don't run the migration code on new image builds --- debian/make-helper-overrides.bsh | 2 +- debian/security-misc.config | 130 +++++++++++------- debian/security-misc.postinst | 43 +----- ...on-hardener-existing-mode-legacy-hardcoded | 33 +++++ 4 files changed, 122 insertions(+), 86 deletions(-) create mode 100644 usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index dda635e..4804b3e 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -4,4 +4,4 @@ ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" diff --git a/debian/security-misc.config b/debian/security-misc.config index 29d0992..8513add 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -8,61 +8,99 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { - local orig_hardening_arr custom_hardening_arr config_file + local orig_hardening_arr custom_hardening_arr config_file custom_config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - # TODO: Is there some way to autogenerate this list at runtime? - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - ) - readarray -t custom_hardening_arr < <(dpkg -V | awk 
'/permission-hardener.d/{ print $NF }') + if [ -d '/var/lib/permission-hardener' ]; then + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + 
'/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + '/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - custom_hardening_arr+=( "${config_file}" ) + readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## If the above `dpkg -V` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. 
+ if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() + fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true fi - done - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5866b7b..4240d6f 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
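Review bot: The comment above the `[ -z "${custom_hardening_arr[0]}" ]` guard says `readarray` leaves "a single blank element" when `dpkg -V | awk` prints nothing; as far as I can tell `readarray -t` produces an empty array on empty input, so the guard is harmless but the explanation should be verified or reworded, e.g. `## Defensive: make sure the array is empty (not a lone blank element) when dpkg -V reports nothing.` Separately, `orig_hardening_arr` now repeats every `/usr/lib/permission-hardener.d` entry a second time under `/etc/permission-hardener.d`; deriving the second half with `for config_file in "${orig_hardening_arr[@]}"; do orig_hardening_arr+=( "/etc${config_file#/usr/lib}" ); done` would keep the two halves from drifting apart when a default conf is added or removed. The later refactoring hunk carries this duplicated literal over unchanged.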
@@ -38,51 +38,16 @@ permission_hardening() { } migrate_permission_hardener_state() { - local v2_state_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - ## This has to be stored in the postinst rather than installed by the - ## package, because permission-hardener *will* change it and we *cannot* - ## allow future package updates to overwrite it. - v2_state_file="root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 755 /bin/ping -root root 777 /etc/motd -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/bin/chsh -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 755 /etc/permission-hardener.d -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 777 /etc/issue -root root 755 /etc/cron.d" + if [ -d '/var/lib/permission-hardener' ]; then + mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + fi - ## Not using sponge since moreutils might not be installed at this point. - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } 
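Review bot: The `cp` into `/var/lib/permission-hardener-v2/existing_mode/statoverride` is unconditional once the v1 directory exists, so on any host where permission-hardener v2 has already recorded modes while `/var/lib/permission-hardener` is still present (test builds, manual runs), the real recorded modes are replaced by the hardcoded legacy list the first time this postinst runs, because the `do_once` marker is new and therefore absent. Consider `cp --no-clobber ...` or guarding the copy with `if [ ! -e '/var/lib/permission-hardener-v2/existing_mode/statoverride' ]`, and logging which branch was taken so the migration is auditable. The same unconditional `cp` is carried over in the later postinst refactoring hunk that turns the directory test into an early return.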
diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded new file mode 100644 index 0000000..e8a4bbe --- /dev/null +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded @@ -0,0 +1,33 @@ +root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 755 /bin/ping +root root 777 /etc/motd +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/bin/chsh +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 755 /etc/permission-hardener.d +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 777 /etc/issue +root root 755 /etc/cron.d +root root 4755 /usr/bin/sudo +root root 4755 /usr/bin/pkexec From b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:17:00 -0500 Subject: [PATCH 1539/1650] refactoring --- debian/security-misc.config | 172 ++++++++++++++++++------------------ 1 file changed, 87 insertions(+), 85 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 8513add..f08ea97 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -8,99 +8,101 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { + if [ -d '/var/lib/permission-hardener' ]; then + return 0 + fi + local orig_hardening_arr custom_hardening_arr config_file custom_config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - if [ -d '/var/lib/permission-hardener' ]; then - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - 
'/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') - ## If the above `dpkg -V` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. 
- if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "INFO: Possible custom configuration file found: '${custom_config_file}'" - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + 
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + 
'/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) + readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## If the above `dpkg -V` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. + if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true + fi + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:18:17 -0500 Subject: [PATCH 1540/1650] refactoring --- debian/security-misc.postinst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 4240d6f..a2d4e2f 100644 --- a/debian/security-misc.postinst 
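Review bot: The new early-return guard at the top of `check_migrate_permission_hardener_state` is inverted: `if [ -d '/var/lib/permission-hardener' ]; then return 0; fi` skips the check exactly when v1 state exists, whereas the code it replaces ran the whole detection inside `if [ -d '/var/lib/permission-hardener' ]` and the companion postinst refactoring uses `if [ ! -d '/var/lib/permission-hardener' ]`. As written, systems being migrated from v1 never see the debconf alert, while fresh installs with no v1 directory run `dpkg -V` and the glob comparison for nothing. The fix is `if [ ! -d '/var/lib/permission-hardener' ]; then`. The follow-up hunk that adds the `## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.` comment to this function documents the intended (negated) condition but leaves the test itself unchanged, so the same fix applies there.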
+++ b/debian/security-misc.postinst @@ -38,15 +38,17 @@ permission_hardening() { } migrate_permission_hardener_state() { + if [ ! -d '/var/lib/permission-hardener' ]; then + return 0 + fi + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - if [ -d '/var/lib/permission-hardener' ]; then - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' - fi + mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From 420cb3f86f69c4505702a8f38271fb095316cb6f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:19:21 -0500 Subject: [PATCH 1541/1650] refactoring --- debian/security-misc.config | 1 + debian/security-misc.postinst | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index f08ea97..452a506 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -8,6 +8,7 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ -d '/var/lib/permission-hardener' ]; then return 0 fi diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index a2d4e2f..a722cf3 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -38,6 +38,7 @@ permission_hardening() { } migrate_permission_hardener_state() { + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 fi 
From 7e7632a55396e10e20a6e9d8d563011694cccc85 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 08:24:05 +0000 Subject: [PATCH 1542/1650] bumped changelog version --- changelog.upstream | 55 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 61 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d09f087..a93a8d7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,58 @@ +commit 420cb3f86f69c4505702a8f38271fb095316cb6f +Author: Patrick Schleizer +Date: Tue Jan 14 03:19:21 2025 -0500 + + refactoring + +commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 +Author: Patrick Schleizer +Date: Tue Jan 14 03:18:17 2025 -0500 + + refactoring + +commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 +Author: Patrick Schleizer +Date: Tue Jan 14 03:17:00 2025 -0500 + + refactoring + +commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad +Merge: de1f31e de9ebab +Author: Patrick Schleizer +Date: Tue Jan 14 03:15:45 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' + +commit de9ebabd46798ff2afa259907b6a7b976070e7f0 +Author: Aaron Rainbolt +Date: Mon Jan 13 21:57:10 2025 -0600 + + Fix minor migration bugs, don't run the migration code on new image builds + +commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a +Author: Aaron Rainbolt +Date: Sun Jan 12 21:13:43 2025 -0600 + + Prevent installation failures when installing non-interactively + +commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 +Author: Aaron Rainbolt +Date: Sun Jan 12 20:40:41 2025 -0600 + + Add a forgotten set -e + +commit 07786de03953b91310588e0b37b9e150bf1b4736 +Author: Aaron Rainbolt +Date: Sun Jan 12 19:34:41 2025 -0600 + + Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 + +commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 +Author: Patrick Schleizer +Date: Sun Jan 12 11:47:18 2025 +0000 + + bumped changelog version + commit b0baa8baa57937358dc988b88adab4858a1d8cae Author: Patrick Schleizer Date: Sun Jan 12 05:38:35 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 8c72c04..f1aa577 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 + security-misc (3:42.4-1) unstable; urgency=medium * New upstream version (local package). 
From 7d44db2cb268c4eb31b50bbd44b87b8001dc068c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:49:15 -0500 Subject: [PATCH 1543/1650] usrmerge --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index 0bd997f..aca4ca1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -14,5 +14,4 @@ ## ## match both: #/usr/lib/qubes/qfile-unpacker whitelist -#/lib/qubes/qfile-unpacker qfile-unpacker matchwhitelist From b198591537a01f5b35c9301ca28a24c70864bcbd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:49:42 -0500 Subject: [PATCH 1544/1650] comment --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index aca4ca1..f8c85db 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -8,7 +8,7 @@ ## TODO: research ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c ## -## Qubes upstream security issue: +## Historic Qubes upstream security issue: ## qfile-unpacker allows unprivileged users in VMs to gain root privileges ## https://github.com/QubesOS/qubes-issues/issues/8633 ## From 1e9940481318d8d7a443b98f0906089759f27a5d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:50:16 -0500 Subject: [PATCH 1545/1650] comment --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index f8c85db..d175670 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -13,5 +13,6 @@ ## https://github.com/QubesOS/qubes-issues/issues/8633 ## ## match both: +#/usr/bin/qfile-unpacker #/usr/lib/qubes/qfile-unpacker whitelist qfile-unpacker matchwhitelist From fce6a5f8303cd891efd8bbfef861e357dc90e88e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:51:43 -0500 Subject: [PATCH 1546/1650] comment --- .../permission-hardener.d/25_default_whitelist_qubes.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index d175670..4fefe4f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -13,6 +13,9 @@ ## https://github.com/QubesOS/qubes-issues/issues/8633 ## ## match both: -#/usr/bin/qfile-unpacker -#/usr/lib/qubes/qfile-unpacker whitelist +## - /usr/lib/qubes/qfile-unpacker whitelist +## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. +## - Stripping SUID from this does *not* break file copying. +## - TODO: further reserach required on its purpose +## - /usr/bin/qfile-unpacker qfile-unpacker matchwhitelist From 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:54:35 -0500 Subject: [PATCH 1547/1650] comment --- .../permission-hardener.d/25_default_whitelist_fuse.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf index 8c5563a..084510c 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf @@ -5,6 +5,13 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -## required for AppImages such as electrum Bitcoin wallet +## Critical component of FUSE (Filesystem in USErspace) +## +## Used by things such as: +## - AppImages +## - such as electrum Bitcoin wallet +## - Docker +## If not SUID, unprivileged users will be unable to use FUSE any longer. +## ## https://forums.whonix.org/t/disable-suid-binaries/7706/57 /fusermount matchwhitelist From 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:56:55 -0500 Subject: [PATCH 1548/1650] comment --- .../25_default_whitelist_pam.conf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf index 00ee52d..b787e5f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf 
@@ -5,5 +5,18 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Used by the pam_tmpdir module to create a secure temporary directory for the +## user that is logging in. +## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html +## Apparently specific to Debian, there isn't actually any Git repo with this +## code in it, it's just a "floating" package in the Debian archive. Written by +## the same person who maintains the package. Almost certainly cannot be +## disabled without causing serious problems, but may be worth auditing. +## (Worthy of note, it doesn't seem this program takes any user input, but +## relies solely on the calling user's UID and GID, though this could require +## further review.) +## ## Without this, Xfce fails to start with a dbus-launch error. +## +## TODO: audit pam-tmpdir-helper pam-tmpdir-helper matchwhitelist From d89ffcde30f6115c25c1bc807eb30b18c21e2b6e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:04:09 -0500 Subject: [PATCH 1549/1650] comment --- .../25_default_whitelist_policykit.conf | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index 8133fab..f8a3919 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf 
@@ -9,7 +9,19 @@ /usr/bin/pkexec.security-misc-orig exactwhitelist ## TODO: research -## match both: -#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist -#/lib/policykit-1/polkit-agent-helper-1 +## TODO: Should be handled in user-sysmaint-split? +## +## Required for PolicyKit (Polkit) to function. +## +## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# +## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 +## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 +## +## Changing permissions here may break more than just normal privilege escalation. +## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, +## however even that might not be safe. +## +## matches both: +## - /usr/lib/policykit-1/polkit-agent-helper-1 +## - /lib/policykit-1/polkit-agent-helper-1 polkit-agent-helper-1 matchwhitelist From 7a5f8b87af7142ce973bd88abf98279ce15559a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:06:44 -0500 Subject: [PATCH 1550/1650] permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` This might break SSH host-based authentication. --- .../25_default_whitelist_ssh.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 5511112..2d5f786 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -5,7 +5,11 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -## TODO: research -ssh-agent matchwhitelist -ssh-keysign matchwhitelist -/lib/openssh matchwhitelist +## Used only for SSH host-based authentication +## https://linux.die.net/man/8/ssh-keysign +## Needed to allow access to the machine's host key for use in the +## authentication process. This is a non-default method of authenticating to +## SSH, and is likely rarely used, thus this should be safe to disable. +#ssh-agent matchwhitelist +#ssh-keysign matchwhitelist +#/lib/openssh matchwhitelist From 466308e4f9ebd496ff54dd9f77881ce10a558802 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:09:57 -0500 Subject: [PATCH 1551/1650] permission hardener: disable SUID for `chrome-sandbox` --- .../25_default_whitelist_chromium.conf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf index 01ea21c..bdb2b2a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf 
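Review bot: The rationale written above the three commented-out entries covers only `ssh-keysign` (host-based authentication), yet `ssh-agent` and the whole `/lib/openssh` match are dropped from the whitelist as well, with no stated reason for them. If `ssh-agent` is shipped with a setgid bit on the target distribution (Debian has done so in the past so that other processes of the same user cannot ptrace the agent and read loaded keys), stripping that bit changes the protection of agent-held keys rather than host-based authentication, which is a separate trade-off and deserves its own line, e.g. `## ssh-agent: TODO document why its setgid bit is not needed here`. The `/lib/openssh` pattern also predates the usrmerge cleanup in patch 7d44db2; if it is kept for reference, `/usr/lib/openssh` is the canonical path.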
@@ -5,4 +5,13 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -chrome-sandbox matchwhitelist +## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID +## sandbox for most use cases, and while the SUID sandbox is still technically +## supported [1], it's also virtually unused [2]. Chromium still works fine +## when it is stripped of its SUID bit and rendered no longer executable, +## and opening `chrome://sandbox` while in this state shows that sandboxing is +## still working perfectly fine. +## +## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md +## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md +#chrome-sandbox matchwhitelist From 6d282226ef653accf1de32582b999ff31775f60f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:12:12 -0500 Subject: [PATCH 1552/1650] comment --- .../permission-hardener.d/25_default_whitelist_dbus.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf index d6aadc9..4b455ae 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -5,4 +5,12 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Needed for D-Bus system activation to work. +## https://dbus.freedesktop.org/doc/system-activation.txt +## +## May be vital for desktop features to work normally. +## +## Appears to have been designed with security in mind and can only be called +## by root or a user in the `messagebus` group (which currently has one member, +## namely user `messagebus`). dbus-daemon-launch-helper matchwhitelist 
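Review bot: The justification for dropping `chrome-sandbox` from the whitelist assumes the namespace sandbox is available, which requires unprivileged user namespaces to be enabled on the running kernel; on a host where that sysctl is disabled (a common hardening setting) Chromium has neither sandbox once the SUID helper is gone and, depending on build, refuses to start or runs with reduced isolation. The comment should state that assumption explicitly, e.g. `## Assumes unprivileged user namespaces are enabled; without them Chromium has no sandbox fallback once the SUID helper is disabled.`, so that anyone toggling the userns setting knows to revisit this entry. The `chrome://sandbox` observation is environment-specific and would be more useful with the Chromium version and kernel it was checked on.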
From eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:13:39 -0500 Subject: [PATCH 1553/1650] comment --- .../permission-hardener.d/25_default_whitelist_qubes.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index 4fefe4f..40f9b59 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -12,10 +12,13 @@ ## qfile-unpacker allows unprivileged users in VMs to gain root privileges ## https://github.com/QubesOS/qubes-issues/issues/8633 ## -## match both: +## matches both: ## - /usr/lib/qubes/qfile-unpacker whitelist ## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. ## - Stripping SUID from this does *not* break file copying. ## - TODO: further reserach required on its purpose ## - /usr/bin/qfile-unpacker +## - Appears to be an integral part of file transfer between qubes, stripping +## SUID from this in an AppVM results in that AppVM being unable to receive +## files any longer. (It can still send files to other qubes though.) qfile-unpacker matchwhitelist From 41cd09933a506d55bab1f8bf101840cf4bbbf028 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:26:05 +0000 Subject: [PATCH 1554/1650] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a93a8d7..bbc805d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 +Author: Patrick Schleizer +Date: Tue Jan 14 04:13:39 2025 -0500 + + comment + +commit 6d282226ef653accf1de32582b999ff31775f60f +Author: Patrick Schleizer +Date: Tue Jan 14 04:12:12 2025 -0500 + + comment + +commit 466308e4f9ebd496ff54dd9f77881ce10a558802 +Author: Patrick Schleizer +Date: Tue Jan 14 04:09:57 2025 -0500 + + permission hardener: disable SUID for `chrome-sandbox` + +commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 +Author: Patrick Schleizer +Date: Tue Jan 14 04:06:44 2025 -0500 + + permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` + + This might break SSH host-based authentication. + +commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e +Author: Patrick Schleizer +Date: Tue Jan 14 04:04:09 2025 -0500 + + comment + +commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 +Author: Patrick Schleizer +Date: Tue Jan 14 03:56:55 2025 -0500 + + comment + +commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba +Author: Patrick Schleizer +Date: Tue Jan 14 03:54:35 2025 -0500 + + comment + +commit fce6a5f8303cd891efd8bbfef861e357dc90e88e +Author: Patrick Schleizer +Date: Tue Jan 14 03:51:43 2025 -0500 + + comment + +commit 1e9940481318d8d7a443b98f0906089759f27a5d +Author: Patrick Schleizer +Date: Tue Jan 14 03:50:16 2025 -0500 + + comment + +commit b198591537a01f5b35c9301ca28a24c70864bcbd +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:42 2025 -0500 + + comment + +commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:15 2025 -0500 + + usrmerge + +commit 7e7632a55396e10e20a6e9d8d563011694cccc85 +Author: Patrick Schleizer +Date: Tue Jan 14 08:24:05 2025 +0000 + + bumped changelog version + commit 420cb3f86f69c4505702a8f38271fb095316cb6f Author: Patrick Schleizer Date: Tue Jan 14 03:19:21 2025 -0500 diff --git a/debian/changelog b/debian/changelog index f1aa577..a95a613 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 + security-misc (3:42.5-1) unstable; urgency=medium * New upstream version (local package). From cdf179f1277bcae3ef681d35aeca6289d55b3a6a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 08:53:38 -0500 Subject: [PATCH 1555/1650] fix --- debian/security-misc.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 452a506..55b89a5 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -9,7 +9,7 @@ set -e check_migrate_permission_hardener_state() { ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ -d '/var/lib/permission-hardener' ]; then + if [ ! -d '/var/lib/permission-hardener' ]; then return 0 fi From 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 13:53:49 +0000 Subject: [PATCH 1556/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bbc805d..0c7652b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a +Author: Patrick Schleizer +Date: Tue Jan 14 08:53:38 2025 -0500 + + fix + +commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 +Author: Patrick Schleizer +Date: Tue Jan 14 09:26:05 2025 +0000 + + bumped changelog version + commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 Author: Patrick Schleizer Date: Tue Jan 14 04:13:39 2025 -0500 diff --git a/debian/changelog b/debian/changelog index a95a613..64fbdec 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 + security-misc (3:42.6-1) unstable; urgency=medium * New upstream version (local package). From a812961beabacca052b4b25b78ecd2c35184d5d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:06:12 -0500 Subject: [PATCH 1557/1650] verbose --- debian/security-misc.postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index a722cf3..0603717 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -49,7 +49,7 @@ migrate_permission_hardener_state() { mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From e60183ec073d278f8d69a5475aa52d75870cd9b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:06:41 -0500 Subject: [PATCH 1558/1650] output --- debian/security-misc.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 55b89a5..8dbcf2a 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -94,7 +94,7 @@ check_migrate_permission_hardener_state() { if [ "${#custom_hardening_arr[@]}" != '0' ]; then for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" done ## db_input will return code 30 if the message won't be displayed, which ## causes a non-interactive install to error out if you don't use || true From 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:06:50 +0000 Subject: [PATCH 1559/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0c7652b..cdf1435 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit e60183ec073d278f8d69a5475aa52d75870cd9b0 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:41 2025 -0500 + + output + +commit a812961beabacca052b4b25b78ecd2c35184d5d5 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:12 2025 -0500 + + verbose + +commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 +Author: Patrick Schleizer +Date: Tue Jan 14 13:53:49 2025 +0000 + + bumped changelog version + commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a Author: Patrick Schleizer Date: Tue Jan 14 08:53:38 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 64fbdec..cfd4f5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 + security-misc (3:42.7-1) unstable; urgency=medium * New upstream version (local package). From 0a2f06b456854f1cec3ff93952edef928ac7a184 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:07:32 -0500 Subject: [PATCH 1560/1650] use pre.bsh --- debian/security-misc.config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index 8dbcf2a..6a0e3d4 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -3,6 +3,10 @@ ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh +fi + source /usr/share/debconf/confmodule set -e From 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:07:50 +0000 Subject: [PATCH 1561/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cdf1435..a521ddc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 0a2f06b456854f1cec3ff93952edef928ac7a184 +Author: Patrick Schleizer +Date: Tue Jan 14 09:07:32 2025 -0500 + + use pre.bsh + +commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 +Author: Patrick Schleizer +Date: Tue Jan 14 14:06:50 2025 +0000 + + bumped changelog version + commit e60183ec073d278f8d69a5475aa52d75870cd9b0 Author: Patrick Schleizer Date: Tue Jan 14 09:06:41 2025 -0500 diff --git a/debian/changelog b/debian/changelog index cfd4f5e..24400c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 + security-misc (3:42.8-1) unstable; urgency=medium * New upstream version (local package). From 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 Mon Sep 17 00:00:00 2001 
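Review bot: `pre.bsh` is sourced before `source /usr/share/debconf/confmodule`, and confmodule re-executes the script under the debconf frontend the first time it runs, so whatever `pre.bsh` does is performed twice per invocation; if it only sets shell options and traps that is harmless, but if it has side effects such as logging or temporary files this is worth confirming. Note also that `set -e` is enabled only after `pre.bsh` is sourced, so a failing statement inside it does not abort the script. Moving the `source` below confmodule, or guarding it with a variable that `pre.bsh` sets, would avoid the double run; I cannot see `pre.bsh` here, so treat this as something to verify rather than a confirmed defect.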
From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:16:25 -0500 Subject: [PATCH 1562/1650] debhelper --- debian/security-misc.config | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index 6a0e3d4..5bb4bc1 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -11,6 +11,12 @@ source /usr/share/debconf/confmodule set -e +true " +##################################################################### +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + check_migrate_permission_hardener_state() { ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then @@ -112,3 +118,18 @@ check_migrate_permission_hardener_state() { } check_migrate_permission_hardener_state + +true "INFO: debhelper beginning here." + +#DEBHELPER# + +true "INFO: Done with debhelper." + +true " +##################################################################### +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + +## Explicitly "exit 0", so eventually trapped errors can be ignored. +exit 0 From bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:16:45 +0000 Subject: [PATCH 1563/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a521ddc..7558518 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:16:25 2025 -0500 + + debhelper + +commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f +Author: Patrick Schleizer +Date: Tue Jan 14 14:07:50 2025 +0000 + + bumped changelog version + commit 0a2f06b456854f1cec3ff93952edef928ac7a184 Author: Patrick Schleizer Date: Tue Jan 14 09:07:32 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 24400c9..1ef755a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 + security-misc (3:42.9-1) unstable; urgency=medium * New upstream version (local package). From f3c07a2451fd2818daca6bc248cbbcba213516e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:24:06 -0500 Subject: [PATCH 1564/1650] update link --- debian/security-misc.templates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 53b2ed3..03e7e7c 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates @@ -4,4 +4,4 @@ _Description: Manual intervention may be required for permission-hardener update permission-hardener is being updated to correct a bug that caused state file corruption. If you installed your own custom permission-hardener configuration, some manual intervention may be required. See - https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From c46178dee46f88e8d0007a12a48addc2493faab7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:27:37 -0500 Subject: [PATCH 1565/1650] output --- debian/security-misc.templates | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 03e7e7c..6d8a160 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates @@ -1,7 +1,9 @@ Template: security-misc/alert-on-permission-hardener-v2-upgrade Type: note _Description: Manual intervention may be required for permission-hardener update - permission-hardener is being updated to correct a bug that caused state file - corruption. If you installed your own custom permission-hardener configuration, - some manual intervention may be required. See + No panic. Nothing is broken. Just some rare condition has been hit. + permission-hardener is being updated to correct a minor bug that caused + permission-hardener state file corruption. If you installed your own custom + permission-hardener configuration, some manual intervention may be required. + See: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From 876c0b618785fc71d1d399ff7ab649382104a714 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:29:35 -0500 Subject: [PATCH 1566/1650] output --- debian/security-misc.templates | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 6d8a160..1b543e7 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates 
@@ -1,9 +1,9 @@ Template: security-misc/alert-on-permission-hardener-v2-upgrade Type: note _Description: Manual intervention may be required for permission-hardener update - No panic. Nothing is broken. Just some rare condition has been hit. - permission-hardener is being updated to correct a minor bug that caused - permission-hardener state file corruption. If you installed your own custom - permission-hardener configuration, some manual intervention may be required. - See: + No need to panic. Nothing is broken. A rare condition has been encountered. + permission-hardener is being updated to fix a minor bug that caused + corruption in the permission-hardener state file. If you installed your own + custom permission-hardener configuration, some manual intervention may be + required. See: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:30:46 -0500 Subject: [PATCH 1567/1650] output --- debian/security-misc.config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index 5bb4bc1..71726a4 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -11,6 +11,10 @@ source /usr/share/debconf/confmodule set -e +## Not set by DPKG for '.config' script. +DPKG_MAINTSCRIPT_PACKAGE="security-misc" +DPKG_MAINTSCRIPT_NAME="config" + true " ##################################################################### ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* From 659c7037c6956f6d905e55a1ebb13ebe6a273dee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:30:58 +0000 Subject: [PATCH 1568/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) 
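Review bot: The two assignments overwrite `DPKG_MAINTSCRIPT_PACKAGE` and `DPKG_MAINTSCRIPT_NAME` unconditionally, so if a dpkg version or a wrapper does export them when running the config script, the exported values are lost; `DPKG_MAINTSCRIPT_PACKAGE="${DPKG_MAINTSCRIPT_PACKAGE:-security-misc}"` and `DPKG_MAINTSCRIPT_NAME="${DPKG_MAINTSCRIPT_NAME:-config}"` keep the fallback without clobbering. The comment `## Not set by DPKG for '.config' script.` is the right place to add that the values are only used for the BEGIN/END banners so nobody later treats them as authoritative.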
diff --git a/changelog.upstream b/changelog.upstream index 7558518..8c6e970 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 +Author: Patrick Schleizer +Date: Tue Jan 14 09:30:46 2025 -0500 + + output + +commit 876c0b618785fc71d1d399ff7ab649382104a714 +Author: Patrick Schleizer +Date: Tue Jan 14 09:29:35 2025 -0500 + + output + +commit c46178dee46f88e8d0007a12a48addc2493faab7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:27:37 2025 -0500 + + output + +commit f3c07a2451fd2818daca6bc248cbbcba213516e7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:24:06 2025 -0500 + + update link + +commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 +Author: Patrick Schleizer +Date: Tue Jan 14 14:16:45 2025 +0000 + + bumped changelog version + commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 Author: Patrick Schleizer Date: Tue Jan 14 09:16:25 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 1ef755a..5ee1fef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 + security-misc (3:43.0-1) unstable; urgency=medium * New upstream version (local package). From 709036c79f8efc9fefa9e7709780a75f9f5004d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:31:58 -0500 Subject: [PATCH 1569/1650] debconf-updatepo --- debian/po/templates.pot | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/debian/po/templates.pot b/debian/po/templates.pot index 3ebab2d..adb123b 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: security-misc\n" "Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" -"POT-Creation-Date: 2025-01-12 19:28-0600\n" +"POT-Creation-Date: 2025-01-14 09:31-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -27,8 +27,10 @@ msgstr "" #. Description #: ../security-misc.templates:1001 msgid "" -"permission-hardener is being updated to correct a bug that caused state file " -"corruption. If you installed your own custom permission-hardener " -"configuration, some manual intervention may be required. See https://www." -"kicksecure.com/wiki/Permission-hardener#Fixing_state_files" +"No need to panic. Nothing is broken. A rare condition has been encountered. " +"permission-hardener is being updated to fix a minor bug that caused " +"corruption in the permission-hardener state file. If you installed your own " +"custom permission-hardener configuration, some manual intervention may be " +"required. See: https://www.kicksecure.com/wiki/" +"SUID_Disabler_and_Permission_Hardener#fixing_state_files" msgstr "" From a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:32:13 +0000 Subject: [PATCH 1570/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c6e970..b6f420d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:31:58 2025 -0500 + + debconf-updatepo + +commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee +Author: Patrick Schleizer +Date: Tue Jan 14 14:30:58 2025 +0000 + + bumped changelog version + commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 Author: Patrick Schleizer Date: Tue Jan 14 09:30:46 2025 -0500 
diff --git a/debian/changelog b/debian/changelog index 5ee1fef..6e782c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 + security-misc (3:43.1-1) unstable; urgency=medium * New upstream version (local package). From 396372c1295e2a09d596f3e23fccc26794a26f05 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 18:50:24 -0600 Subject: [PATCH 1571/1650] Avoid scanning unnecessary packages for modified permission-hardener config --- debian/security-misc.config | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 71726a4..95684bc 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -22,6 +22,8 @@ true " " check_migrate_permission_hardener_state() { + local modified_pkg_data_str custom_hardening_arr config_file + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 @@ -82,7 +84,10 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) - readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## This will exit non-zero if some of the packages don't exist, but we + ## don't care. The packages that *are* installed will still be scanned. + modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") ## If the above `dpkg -V` command doesn't return any permission-hardener ## related lines, the array will contain no meaningful info, just a single ## blank element at the start. Set the array to be explicitly empty in 
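Review bot: The comment above `modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true` gives only one reason for discarding the exit status; `dpkg -V` also exits 1 whenever any file fails verification, which is precisely the condition this code is looking for, so the `|| true` is required even when every listed package is installed. Suggest `## dpkg -V exits non-zero both when a listed package is unknown and when any file fails verification (the case we want to find), so its exit status carries no usable signal here.` The same comment is carried forward unchanged by the `dpkg --verify` rewrites in PATCH 1575 and PATCH 1577, where the "packages don't exist" part is moot because only installed packages are listed. A side effect worth a second comment is that a genuine dpkg failure (for example a locked database) yields an empty string that is indistinguishable from "no custom files", so the migration would proceed silently; if that matters, capture the status in a variable and warn when it is neither 0 nor 1. The enclosing function continues outside the hunk.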
From a0f81958dfb020d311d86cbd00d4f86f678d8be9 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 19:25:15 -0600 Subject: [PATCH 1572/1650] De-corrupt the new_mode permission-hardener statoverride database too --- debian/security-misc.postinst | 2 ++ ...mission-hardener-new-mode-legacy-hardcoded | 23 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 0603717..5ee40c6 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -49,7 +49,9 @@ migrate_permission_hardener_state() { mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + mkdir --parents '/var/lib/permission-hardener-v2/new_mode' cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/new_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded new file mode 100644 index 0000000..b8f0cf4 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
@@ -0,0 +1,23 @@ +root root 700 /etc/cron.monthly +root root 700 /etc/sudoers.d +root shadow 744 /usr/bin/expiry +root root 755 /usr/bin/umount +root root 744 /usr/bin/gpasswd +root root 700 /usr/lib/modules +root root 744 /usr/bin/newgrp +root root 700 /etc/cron.weekly +root root 744 /usr/bin/su +root root 700 /etc/cron.daily +root root 644 /etc/motd +root _ssh 744 /usr/bin/ssh-agent +root root 700 /boot +root shadow 744 /usr/bin/chage +root root 744 /usr/lib/openssh/ssh-keysign +root root 744 /usr/bin/chsh +root root 755 /usr/bin/passwd +root root 744 /usr/bin/chfn +root root 600 /etc/permission-hardener.d +root root 700 /usr/src +root root 755 /usr/bin/mount +root root 644 /etc/issue +root root 700 /etc/cron.d From c6f09748f383fdf7c1b07441c73477b3f18d2768 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 20:27:53 -0600 Subject: [PATCH 1573/1650] Handle de-corruption of new_mode a bit better --- debian/security-misc.postinst | 26 ++++++++++++++++--- ...mission-hardener-new-mode-legacy-hardcoded | 1 + 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5ee40c6..d1f61d1 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -38,6 +38,7 @@ permission_hardening() { } migrate_permission_hardener_state() { + local existing_mode_dir new_mode_dir dpkg_statoverride_list ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 
@@ -48,10 +49,27 @@ migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - mkdir --parents '/var/lib/permission-hardener-v2/new_mode' - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/new_mode/statoverride' + existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' + new_mode_dir='/var/lib/permission-hardener-v2/new_mode' + + mkdir --parents "${existing_mode_dir}"; + mkdir --parents "${new_mode_dir}"; + + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" + + dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" + + if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' + fi + fi + if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' + fi + fi touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded index b8f0cf4..142686e 100644 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
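Review bot: The presence checks `[[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]` and the matching `pkexec` test are unanchored substring matches over the whole `--list` output, so an existing override for a different path that merely shares the prefix (this page itself shows names such as `/usr/bin/pkexec.security-misc-orig`, and `sudoedit`/`sudoreplay` sit next to `sudo`) would suppress the `--add` and leave the sysmaint override missing from the de-corrupted database. Let dpkg-statoverride do the per-path lookup instead, which exits 1 when nothing matches: `if ! dpkg-statoverride --admindir "${new_mode_dir}" --list '/usr/bin/sudo' >/dev/null; then` (same for pkexec), after which the `dpkg_statoverride_list` variable is no longer needed. The `stat --format '%G' /usr/bin/pkexec` call also prints an error to stderr when the binary is absent (nothing on this page shows policykit as a hard dependency), so guard it with `[ -e /usr/bin/pkexec ] &&` or an outer `if test -e`. Style: the two `mkdir --parents "...";` lines carry stray trailing semicolons. The enclosing function starts outside the hunk.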
@@ -8,6 +8,7 @@ root root 744 /usr/bin/newgrp root root 700 /etc/cron.weekly root root 744 /usr/bin/su root root 700 /etc/cron.daily +root root 755 /bin/ping root root 644 /etc/motd root _ssh 744 /usr/bin/ssh-agent root root 700 /boot From 328f747179ffb2e7705a73bc9a0c5133a17da829 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 20:35:28 -0600 Subject: [PATCH 1574/1650] Restore permission-hardener's notice about how to compare old and new states --- usr/bin/permission-hardener | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b2991e0..c5527e3 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -612,6 +612,11 @@ commit_policy() { -- "${policy_file_item}" fi done + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } undo_policy_for_file() { From ca257164105c4f66576024b64c52a42921455d16 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2025 09:44:48 -0500 Subject: [PATCH 1575/1650] improve permission hardener migration code --- debian/security-misc.config | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) mode change 100644 => 100755 debian/security-misc.config diff --git a/debian/security-misc.config b/debian/security-misc.config old mode 100644 new mode 100755 index 95684bc..d8f4506 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -22,7 +22,7 @@ true " " check_migrate_permission_hardener_state() { - local modified_pkg_data_str custom_hardening_arr config_file + local pkg_list modified_pkg_data_str custom_hardening_arr config_file ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then @@ -35,6 +35,8 @@ check_migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' + source /usr/libexec/helper-scripts/package_installed_check.bsh + orig_hardening_arr=( '/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf' @@ -84,11 +86,24 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) + pkg_list="security-misc" + if pkg_installed user-sysmaint-split ; then + pkg_list+=" user-sysmaint-split" + fi + if pkg_installed anon-apps-config ; then + pkg_list+=" anon-apps-config" + fi + ## This will exit non-zero if some of the packages don't exist, but we ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true + modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true + + ## Example modified_pkg_data_str: + #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - ## If the above `dpkg -V` command doesn't return any permission-hardener + + ## If the above `dpkg --verify` command doesn't return any permission-hardener ## related lines, the array will contain no meaningful info, just a single ## blank element at the start. Set the array to be explicitly empty in ## this scenario. 
@@ -113,7 +128,11 @@ check_migrate_permission_hardener_state() { if [ "${#custom_hardening_arr[@]}" != '0' ]; then for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + if ! test -e "${custom_config_file}" ; then + echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" + else + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + fi done ## db_input will return code 30 if the message won't be displayed, which ## causes a non-interactive install to error out if you don't use || true From 597186972e463ce7a0b44662f7656f351ddf1030 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2025 15:02:44 +0000 Subject: [PATCH 1576/1650] bumped changelog version --- changelog.upstream | 43 +++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 49 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b6f420d..78b8576 100644 --- a/changelog.upstream +++ b/changelog.upstream 
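Review bot: The loop variable `custom_config_file` in the rewritten `for` is not declared `local` (the `local` line in this commit's first hunk lists `config_file`, which no visible line uses), so it leaks into the global scope of the debconf `.config` script, as does `orig_hardening_arr`. Either add `custom_config_file orig_hardening_arr` to the `local` list or rename the loop variable to the already-declared `config_file` if that was the intent. The new `test -e` branch only distinguishes missing from present, so a present-but-modified conffile and an admin-added file print the same "custom" message; that is acceptable for a heads-up, but the wording could say `Possible modified or additional configuration file found` to avoid implying one case. The enclosing function starts and ends outside the hunk.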
@@ -1,3 +1,46 @@ +commit ca257164105c4f66576024b64c52a42921455d16 +Author: Patrick Schleizer +Date: Wed Jan 15 09:44:48 2025 -0500 + + improve permission hardener migration code + +commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d +Merge: a84d3ba 328f747 +Author: Patrick Schleizer +Date: Wed Jan 15 09:33:57 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' + +commit 328f747179ffb2e7705a73bc9a0c5133a17da829 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:35:28 2025 -0600 + + Restore permission-hardener's notice about how to compare old and new states + +commit c6f09748f383fdf7c1b07441c73477b3f18d2768 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:27:53 2025 -0600 + + Handle de-corruption of new_mode a bit better + +commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 +Author: Aaron Rainbolt +Date: Tue Jan 14 19:25:15 2025 -0600 + + De-corrupt the new_mode permission-hardener statoverride database too + +commit 396372c1295e2a09d596f3e23fccc26794a26f05 +Author: Aaron Rainbolt +Date: Tue Jan 14 18:50:24 2025 -0600 + + Avoid scanning unnecessary packages for modified permission-hardener config + +commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 +Author: Patrick Schleizer +Date: Tue Jan 14 14:32:13 2025 +0000 + + bumped changelog version + commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 Author: Patrick Schleizer Date: Tue Jan 14 09:31:58 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 6e782c5..5acdf3c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 + security-misc (3:43.2-1) unstable; urgency=medium * New upstream version (local package). From bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Wed, 15 Jan 2025 19:10:41 -0600 Subject: [PATCH 1577/1650] Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst --- debian/security-misc.config | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index d8f4506..07dfcf6 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,6 +21,31 @@ true " ##################################################################### " +## Copied from helper-scripts/usr/libexec/helper-scripts/package_installed_check.bsh +pkg_installed() { + local package_name dpkg_query_output + local requested_action status error_state + + package_name="$1" + ## Cannot use '&>' because it is a bashism. + dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true + ## dpkg_query_output Exampels: + ## install ok half-configured + ## install ok installed + + requested_action=$(echo "$dpkg_query_output" | awk '{print $1}') + status=$(echo "$dpkg_query_output" | awk '{print $2}') + error_state=$(echo "$dpkg_query_output" | awk '{print $3}') + + if [ "$requested_action" = 'install' ]; then + true "$0: INFO: $package_name is installed, ok." + return 0 + fi + + true "$0: INFO: $package_name is not installed, ok." + return 1 +} + check_migrate_permission_hardener_state() { local pkg_list modified_pkg_data_str custom_hardening_arr config_file @@ -35,8 +60,6 @@ check_migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' - source /usr/libexec/helper-scripts/package_installed_check.bsh - orig_hardening_arr=( '/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf' 
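Review bot: `pkg_installed` splits `${Status}` into three words but tests only the first, `requested_action`, so `status` and `error_state` are dead assignments, and the decision keys on the selection state rather than the install state: dpkg's status field is `want flag state`, so `install ok half-installed` or `install ok unpacked` is reported as installed here while the third word is what actually says `installed`. Either drop the two unused variables or decide on them: `if [ "$requested_action" = 'install' ] && [ "$error_state" = 'installed' ]; then` (the variable names would then better be `status_flag`/`install_state`, since the second word is the error flag). For feeding package names to `dpkg --verify`, treating a half-configured package as installed is probably harmless, so at minimum a comment stating that the first word is sufficient on purpose should replace the unused assignments. The comment `## dpkg_query_output Exampels:` has a typo (`Examples`). This is a verbatim copy of helper-scripts code, so whichever fix is chosen should be applied upstream too.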
@@ -86,17 +109,17 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) - pkg_list="security-misc" + pkg_list=( "security-misc" ) if pkg_installed user-sysmaint-split ; then - pkg_list+=" user-sysmaint-split" + pkg_list+=( "user-sysmaint-split" ) fi if pkg_installed anon-apps-config ; then - pkg_list+=" anon-apps-config" + pkg_list+=( "anon-apps-config" ) fi ## This will exit non-zero if some of the packages don't exist, but we ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true + modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true ## Example modified_pkg_data_str: #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' From 876d596a071ac916f7d220ee2449358aedba7efe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 17 Jan 2025 07:55:54 -0500 Subject: [PATCH 1578/1650] comment --- debian/security-misc.config | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 07dfcf6..11dd83d 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,7 +21,10 @@ true " ##################################################################### " -## Copied from helper-scripts/usr/libexec/helper-scripts/package_installed_check.bsh +## Code duplication. +## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. +## Therefore the code is duplicated here. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh pkg_installed() { local package_name dpkg_query_output local requested_action status error_state From 51c7010e8f47ce6e6a28e6267c735e897dcfb053 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 17 Jan 2025 13:35:28 +0000 Subject: [PATCH 1579/1650] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 78b8576..79ae2c7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit 876d596a071ac916f7d220ee2449358aedba7efe +Author: Patrick Schleizer +Date: Fri Jan 17 07:55:54 2025 -0500 + + comment + +commit c9e2f82bd01813682998c775f75bac0841239e5e +Merge: 5971869 bf73f1f +Author: Patrick Schleizer +Date: Fri Jan 17 07:53:59 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb +Author: Aaron Rainbolt +Date: Wed Jan 15 19:10:41 2025 -0600 + + Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst + +commit 597186972e463ce7a0b44662f7656f351ddf1030 +Author: Patrick Schleizer +Date: Wed Jan 15 15:02:44 2025 +0000 + + bumped changelog version + commit ca257164105c4f66576024b64c52a42921455d16 Author: Patrick Schleizer Date: Wed Jan 15 09:44:48 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 5acdf3c..18555e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 + security-misc (3:43.3-1) unstable; urgency=medium * New upstream version (local package). From 1b4d1edfc316f125ff5039bf17897802205750e2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 04:29:42 -0500 Subject: [PATCH 1580/1650] comments --- .../25_default_whitelist_policykit.conf | 6 +++--- .../permission-hardener.d/25_default_whitelist_postfix.conf | 1 + .../permission-hardener.d/25_default_whitelist_selinux.conf | 1 + .../permission-hardener.d/25_default_whitelist_spice.conf | 1 + .../permission-hardener.d/25_default_whitelist_sudo.conf | 1 + 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index f8a3919..de20400 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -5,12 +5,10 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## user-sysmaint-split hardens this further. /usr/bin/pkexec exactwhitelist /usr/bin/pkexec.security-misc-orig exactwhitelist -## TODO: research -## TODO: Should be handled in user-sysmaint-split? -## ## Required for PolicyKit (Polkit) to function. ## ## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# @@ -24,4 +22,6 @@ ## matches both: ## - /usr/lib/policykit-1/polkit-agent-helper-1 ## - /lib/policykit-1/polkit-agent-helper-1 +## +## user-sysmaint-split hardens this further. polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf index 5ebdae3..bf76069 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf 
@@ -5,5 +5,6 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document postqueue matchwhitelist postdrop matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf index fd74488..62d3198 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document /utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf index df29fec..5b79059 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index ee68aba..e15b265 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## user-sysmaint-split hardens this further. /usr/bin/sudo exactwhitelist From 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 04:30:26 -0500 Subject: [PATCH 1581/1650] delete comment only configuration file (moved to user-sysmaint-split) --- .../25_default_sudo.conf | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 usr/lib/permission-hardener.d/25_default_sudo.conf diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf deleted file mode 100644 index e575449..0000000 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## https://forums.whonix.org/t/restrict-root-access/7658/116 -## This restricts the file permissions of the sudo executable so that a vulnerability -## in the program will not be exploitable by any users not in the "sudo" group. sudo -## is a very complex program and is setuid so vulnerabilities in it can allow privilege -## escalation, regardless of other root access restrictions. For example, the following -## buffer overflow vulnerability could have been exploited by any user on the system: -## https://www.openwall.com/lists/oss-security/2021/01/26/3 -## With this restriction, only users explicitly permitted to use sudo by being added to -## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a -## compromised network-facing daemon (such as web servers, time synchronization daemons, -## etc.) running as its own user from exploiting sudo to escalate privileges. -#/usr/bin/sudo 4750 root sudo From 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 10:11:43 +0000 Subject: [PATCH 1582/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 79ae2c7..c803629 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 +Author: Patrick Schleizer +Date: Mon Jan 20 04:30:26 2025 -0500 + + delete comment only configuration file (moved to user-sysmaint-split) + +commit 1b4d1edfc316f125ff5039bf17897802205750e2 +Author: Patrick Schleizer +Date: Mon Jan 20 04:29:42 2025 -0500 + + comments + +commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 +Author: Patrick Schleizer +Date: Fri Jan 17 13:35:28 2025 +0000 + + bumped changelog version + commit 876d596a071ac916f7d220ee2449358aedba7efe Author: Patrick Schleizer Date: Fri Jan 17 07:55:54 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 18555e8..8653904 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 + security-misc (3:43.4-1) unstable; urgency=medium * New upstream version (local package). From df9d058ed9635b168508ded20277c174a24cf3f5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 20 Jan 2025 06:28:16 -0500 Subject: [PATCH 1583/1650] usrmerge --- usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf | 1 - usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- .../permission-hardener.d/25_default_whitelist_unix_chkpwd.conf | 1 - .../permission-hardener.d/25_default_whitelist_virtualbox.conf | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 87f4f1e..e7bc816 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf @@ -12,5 +12,4 @@ # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd exactwhitelist -/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 2d5f786..8688dfe 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -12,4 +12,4 @@ ## SSH, and is likely rarely used, thus this should be safe to disable. #ssh-agent matchwhitelist #ssh-keysign matchwhitelist -#/lib/openssh matchwhitelist +#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index 05d5235..1faf380 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -8,4 +8,3 @@ ## required for performing password validation from unprivileged user ## processes such as KScreenLocker's unlock prompt /usr/sbin/unix_chkpwd exactwhitelist -/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf index 621a6b2..76c2eee 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -7,7 +7,6 @@ ## TODO: research /usr/lib/virtualbox/ matchwhitelist -/lib/virtualbox/ matchwhitelist VirtualBoxVM matchwhitelist VBoxSDL matchwhitelist VBoxNetNAT matchwhitelist From f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 11:35:08 +0000 Subject: [PATCH 1584/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c803629..3261247 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit df9d058ed9635b168508ded20277c174a24cf3f5 +Author: Patrick Schleizer +Date: Mon Jan 20 06:28:16 2025 -0500 + + usrmerge + +commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 +Author: Patrick Schleizer +Date: Mon Jan 20 10:11:43 2025 +0000 + + bumped changelog version + commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 Author: Patrick Schleizer Date: Mon Jan 20 04:30:26 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 8653904..22d37c6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 + security-misc (3:43.5-1) unstable; urgency=medium * New upstream version (local package). From a97620a2e491cc039adb15af94958f26b39319a2 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 20 Jan 2025 22:43:55 -0600 Subject: [PATCH 1585/1650] Add print-diagnostics command to permission-hardener --- usr/bin/permission-hardener | 176 +++++++++++++++++++++++++++++++----- 1 file changed, 153 insertions(+), 23 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c5527e3..165dd2c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -176,6 +176,7 @@ print_usage(){ ${0##*/} print-policy ${0##*/} print-state ${0##*/} print-policy-applied-state + ${0##*/} print-diagnostics Examples: ${0##*/} enable 
@@ -747,29 +748,113 @@ print_state() { done } -## Global variables -policy_file_list=() -policy_user_owner_list=() -policy_group_owner_list=() -policy_mode_list=() -policy_capability_list=() -policy_exact_white_list=() -policy_match_white_list=() -policy_disable_white_list=() -policy_nosuid_file_list=() -state_file_list=() -state_user_owner_list=() -state_group_owner_list=() -state_mode_list=() -whitelists_disable_all=false -existing_mode='' -existing_owner='' -existing_group='' -processed_config_line='' -file_name_from_stat='' -passwd_file_contents="$(getent passwd)" -group_file_contents="$(getent group)" -exit_code=0 +print_raw_policy_config() { + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + echo "*** begin ${config_file} ***" + cat "${config_file}" + echo "*** end ${config_file} ***" + done +} + +print_raw_state() { + local state_file + for state_file in "${store_dir}/existing_mode/statoverride" \ + "${store_dir}/new_mode/statoverride"; do + echo "*** begin ${state_file} ***" + cat "${state_file}" + echo "*** end ${state_file} ***" + done +} + +print_fs_audit() { + local state_idx + + echo 'Legend:' + echo '... - Warning about an unusual, but not necessarily wrong, condition' + echo '!!! 
- Warning about an unusual and definitely wrong condition' + echo '*** - File permission data, actual state on filesystem is consistent with policy' + echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' + echo 'vvv - File permissions specified by state, always shown after a ^^^ item' + echo + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + echo "... '${state_file_item}' does not exist" + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + echo "!!! Owner from config does not exist: '${state_user_owner_item}'" + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + echo "!!! 
Group from config does not exist: '${state_group_owner_item}'" + continue + fi + + echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + echo "vvv ${state_file_item} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" + else + echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + fi + done +} + +reset_global_vars() { + ## Global variables + policy_file_list=() + policy_user_owner_list=() + policy_group_owner_list=() + policy_mode_list=() + policy_capability_list=() + policy_exact_white_list=() + policy_match_white_list=() + policy_disable_white_list=() + policy_nosuid_file_list=() + state_file_list=() + state_user_owner_list=() + state_group_owner_list=() + state_mode_list=() + whitelists_disable_all=false + existing_mode='' + existing_owner='' + existing_group='' + processed_config_line='' + file_name_from_stat='' + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + exit_code=0 +} + +reset_global_vars ## Setup and sanity checking if [ "$(id -u)" != '0' ]; then 
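Review bot: The owner and group existence checks in print_fs_audit are unanchored substring matches over the whole getent output, so `[[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]` accepts `oot` because `root:` contains it, and any name that happens to precede a colon in another entry's fields passes as well; the `group_file_contents` test a few lines below has the same weakness. Since the diagnostic is meant to state whether the configured owner is a real account, query the account directly, `if ! getent passwd "${state_user_owner_item}" >/dev/null; then`, and likewise `getent group "${state_group_owner_item}"` for the group. The extra process spawn only happens on the inconsistent branch, so the cost is negligible. Separately, print_raw_state runs `cat "${state_file}"` without testing that the file exists, so a missing statoverride file produces a bare cat error in the middle of the dump; a `[ -f "${state_file}" ] || { echo "... '${state_file}' does not exist"; continue; }` guard matches the `...` legend used by print_fs_audit.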
@@ -817,6 +902,51 @@ case "${1:-}" in apply_policy print_state ;; + print-diagnostics) + echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' + + echo '--- BEGIN State without policy ---' + load_state_without_policy + print_state + echo '--- END State without policy ---' + + reset_global_vars + + echo '--- BEGIN Policy without state ---' + load_state + print_policy + echo '--- END Policy without state ---' + + reset_global_vars + + echo '--- BEGIN Policy-applied-state ---' + load_state + apply_policy + print_state + echo '--- END Policy-applied state ---' + + reset_global_vars + + echo '--- BEGIN Master dpkg-statoverride database ---' + dpkg-statoverride --list + echo '--- END Master dpkg-statoverride database ---' + + echo '--- BEGIN Raw policy configuration ---' + print_raw_policy_config + echo '--- END Raw policy configuration ---' + + echo '--- BEGIN Raw state data ---' + print_raw_state + echo '--- END Raw state data ---' + + echo '--- BEGIN Filesystem state audit ---' + load_state + apply_policy + print_fs_audit + echo '--- END Filesystem state audit ---' + + echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' + ;; -h|--help) print_usage exit 0 From 15d13a8571d1f38b2bc36387f61bce24c86be97b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:36:04 +0000 Subject: [PATCH 1586/1650] Add info on DBX updates via the UEFI Revocation List --- README.md | 9 ++++++--- etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 06f31d9..74bfa0f 100644 --- a/README.md +++ b/README.md 
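Review bot: The section markers for the third block do not pair up: the opener is `echo '--- BEGIN Policy-applied-state ---'` but the closer is `echo '--- END Policy-applied state ---'`, which breaks anything that splits the diagnostics on matching BEGIN/END labels; make the closer `echo '--- END Policy-applied-state ---'`. Separately, `dpkg-statoverride --list` exits with status 1 when the database holds no overrides, so if the script runs under `set -e` (its preamble is outside this hunk) print-diagnostics would abort on a fresh system right before the raw configuration and filesystem audit sections, which are the parts most useful for a bug report. `dpkg-statoverride --list || echo "dpkg-statoverride --list exited with status $?"` keeps the dump going while still recording a genuine failure. The enclosing case statement begins above this hunk.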
@@ -138,9 +138,12 @@ configuration file and significant hardening is applied to a myriad of component Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve -complete protection for known CPU vulnerabilities, the latest security microcode -(BIOS/UEFI) updates must also be installed on the system. +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. + +Note, to achieve complete protection for known CPU vulnerabilities, the latest +security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, +if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept +up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 06bcb88..9b29760 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -26,6 +26,13 @@ ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. ## The parameters below only provide (partial) protection at both the kernel and user space level. +## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. +## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. +## If using compatible hardware, the database can be updated directly in user space using fwupd. +## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://uefi.org/revocationlistfile +## https://github.com/fwupd/fwupd + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From 4b1e530674146d4d2b62ff4a87fe3add5667403c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:39:06 +0000 Subject: [PATCH 1587/1650] README.md: List CPU mitigations --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 74bfa0f..2b4904a 100644 --- a/README.md +++ b/README.md 
@@ -145,6 +145,38 @@ security microcode (BIOS/UEFI) updates must be installed on the system. Furtherm if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +CPU mitigations: + +- Disable Simultaneous Multithreading (SMT) + +- Spectre Side Channels (BTI and BHI) + +- Speculative Store Bypass (SSB) + +- L1 Terminal Fault (L1TF) + +- Microarchitectural Data Sampling (MDS) + +- TSX Asynchronous Abort (TAA) + +- iTLB Multihit + +- Special Register Buffer Data Sampling (SRBDS) + +- L1D Flushing + +- Processor MMIO Stale Data + +- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) + +- Cross-Thread Return Address Predictions + +- Speculative Return Stack Overflow (SRSO) + +- Gather Data Sampling (GDS) + +- Register File Data Sampling (RFDS) + Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. From ed767e00b0260d29c18c710efe07d68a9beffb34 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 21 Jan 2025 16:41:30 -0600 Subject: [PATCH 1588/1650] Add some local variable declarations --- usr/bin/permission-hardener | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 165dd2c..58c0797 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -749,6 +749,7 @@ print_state() { } print_raw_policy_config() { + local config_file for config_file in \ /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ @@ -776,7 +777,8 @@ print_raw_state() { } print_fs_audit() { - local state_idx + local state_idx state_file_item state_user_owner_item state_group_owner_item \ + state_mode_item echo 'Legend:' echo '... - Warning about an unusual, but not necessarily wrong, condition' 
From 5e60416c864a7d06f635161a185864fc36d5685c Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 21 Jan 2025 21:05:03 -0600 Subject: [PATCH 1589/1650] Make permission-hardener always apply changes to real files, not symlinks --- usr/bin/permission-hardener | 32 ++++++++++++------- ...on-hardener-existing-mode-legacy-hardcoded | 4 +-- ...mission-hardener-new-mode-legacy-hardcoded | 4 +-- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 58c0797..7d5028a 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -168,6 +168,12 @@ line: '${processed_config_line}' log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi + + ## If a symlink was passed as input, return the original file's path rather + ## than the symlink to avoid problems stemming from using the wrong path + if [ -h "${file_name_from_stat}" ]; then + file_name_from_stat="$(realpath "${file_name_from_stat}")" + fi } print_usage(){ @@ -194,6 +200,10 @@ add_to_policy() { file_capabilities="${5:-}" updated_entry=false + if [ -h "${file_name}" ]; then + file_name="$(realpath "${file_name}")" || return 1 + fi + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then policy_mode_list[policy_idx]="${file_mode}" @@ -279,7 +289,7 @@ load_early_nosuid_policy() { local new_mode new_mode='744' - add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ + add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ "${existing_group}" done < <(safe_echo_nonewline "${target_file}" \ | find -files0-from - -perm /u=s,g=s -print0) 
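Review bot: The symlink resolution added to output_stat, `file_name_from_stat="$(realpath "${file_name_from_stat}")"`, has no failure check, whereas the parallel addition in add_to_policy (the `@@ -194,6 +200,10 @@` hunk) does `|| return 1`; if realpath fails here, file_name_from_stat becomes empty and every caller that tests `-z "${file_name_from_stat}"` will report the entry as nonexistent rather than as an error. Both sites also canonicalise only when the final path component is itself a symlink (`[ -h ... ]`), so a regular file reached through a symlinked directory — for instance a path under a merged-/usr `/lib` -> `usr/lib` link — keeps its unresolved spelling and can still sit in the state lists and statoverride databases next to its `/usr/lib` twin, which appears to be the duplication this commit sets out to remove. Dropping the guard and canonicalising unconditionally, `file_name_from_stat="$(realpath -e -- "${file_name_from_stat}")" || return 1`, handles both; the name-equality check against the caller's argument happens earlier in output_stat, above this hunk, so it is unaffected. output_stat's body continues above the hunk.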
@@ -468,7 +478,7 @@ load_state() { if [ -z "${file_name_from_stat}" ]; then continue fi - state_file_list+=( "${policy_file_item}" ) + state_file_list+=( "${file_name_from_stat}" ) state_user_owner_list+=( "${existing_owner}" ) state_group_owner_list+=( "${existing_group}" ) state_mode_list+=( "${existing_mode}" ) @@ -476,7 +486,7 @@ load_state() { echo_wrapper_audit silent dpkg-statoverride \ ${dpkg_admindir_parameter_existing_mode} \ --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ - "${policy_file_item}" + "${file_name_from_stat}" done ## Fix up nosuid policies using state information @@ -557,26 +567,26 @@ commit_policy() { continue fi ## Remove and reapply in main list - if [[ "${orig_main_statoverride_db}" =~ "${state_file_item}" ]]; then + if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${state_file_item}" + "${file_name_from_stat}" fi echo_wrapper_audit verbose dpkg-statoverride --add --update \ "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${state_file_item}" + "${state_mode_item}" "${file_name_from_stat}" ## Update item in secondary list - if [[ "${orig_new_statoverride_db}" =~ "${state_file_item}" ]]; then + if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ - "${state_file_item}" + "${file_name_from_stat}" fi # shellcheck disable=SC2086 echo_wrapper_audit verbose dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --add \ "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${state_file_item}" + "${state_mode_item}" "${file_name_from_stat}" fi done 
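Review bot: The presence tests in commit_policy, `[[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]`, are unanchored substring matches over the whole `dpkg-statoverride --list` output, so `/usr/bin/su` counts as present whenever `/usr/bin/sudo` is, and the `orig_new_statoverride_db` test below it behaves the same way. A false positive only triggers a `--remove` that echo_wrapper_ignore tolerates, so this is not a correctness failure, but the spurious remove attempts appear in verbose output and make the audit trail harder to read. Since each list line ends with the path, a glob match anchored on the trailing field avoids regex escaping entirely: `if [[ "${orig_main_statoverride_db}"$'\n' == *" ${file_name_from_stat}"$'\n'* ]]; then`. The loop and the output_stat call that fills file_name_from_stat begin above this hunk, so the note assumes output_stat ran for the current state item.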
@@ -805,7 +815,7 @@ print_fs_audit() { output_stat "${state_file_item}" if [ -z "${file_name_from_stat}" ]; then - echo "... '${state_file_item}' does not exist" + echo "... '${file_name_from_stat}' does not exist" continue fi @@ -823,7 +833,7 @@ print_fs_audit() { fi echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - echo "vvv ${state_file_item} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" + echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" else echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" fi diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded index e8a4bbe..7f87a45 100644 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded @@ -15,7 +15,7 @@ root root 644 /etc/hosts.allow root root 700 /root root root 755 /etc/cron.daily root root 755 /bin/ping -root root 777 /etc/motd +root root 777 /etc/motd.kicksecure root root 755 /boot root root 755 /home root shadow 2755 /usr/bin/chage @@ -27,7 +27,7 @@ root root 755 /etc/permission-hardener.d root root 644 /etc/passwd root root 755 /usr/src root root 4755 /usr/bin/mount -root root 777 /etc/issue +root root 777 /etc/issue.kicksecure root root 755 /etc/cron.d root root 4755 /usr/bin/sudo root root 4755 /usr/bin/pkexec diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded index 142686e..37f1088 100644 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
@@ -9,7 +9,7 @@ root root 700 /etc/cron.weekly root root 744 /usr/bin/su root root 700 /etc/cron.daily root root 755 /bin/ping -root root 644 /etc/motd +root root 644 /etc/motd.kicksecure root _ssh 744 /usr/bin/ssh-agent root root 700 /boot root shadow 744 /usr/bin/chage @@ -20,5 +20,5 @@ root root 744 /usr/bin/chfn root root 600 /etc/permission-hardener.d root root 700 /usr/src root root 755 /usr/bin/mount -root root 644 /etc/issue +root root 644 /etc/issue.kicksecure root root 700 /etc/cron.d From 42f34f5a4ccf95d504e28a26aeb0747fef4685ba Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 21 Jan 2025 21:49:03 -0600 Subject: [PATCH 1590/1650] Don't handle files with multiple hardlinks --- usr/bin/permission-hardener | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 7d5028a..9f70834 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -80,7 +80,7 @@ block_newlines() { } output_stat() { - local file_name stat_output stat_output_newlined + local file_name stat_output stat_output_newlined hardlink_count declare -a arr file_name="${1:-}" @@ -101,7 +101,7 @@ output_stat() { fi if ! stat_output="$(stat -L \ - --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 @@ -145,6 +145,7 @@ line: '${processed_config_line}' existing_owner="${arr[1]}" existing_group="${arr[2]}" file_name_from_stat="${arr[3]}" + hardlink_count="${arr[4]}" if [ "$file_name" != "$file_name_from_stat" ]; then log error "\ 
@@ -156,6 +157,22 @@ line: '${processed_config_line}' return 1 fi + ## We can't handle files with hardlinks because figuring out all of the files + ## in a "hardlink pool" requires scanning the whole filesystem, which would + ## result in an unacceptable performance hit for this script. We don't check + ## directory hardlinks since directories can't have traditional hardlinks. + if [ ! -d "${file_name_from_stat}" ]; then + if (( hardlink_count > 1 )); then + log error "\ +File has unexpected hardlinks, cannot handle. +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + fi + if [ -z "${existing_mode}" ]; then log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 From 80bd314436b99b723359f25e52bbd14683929b56 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 08:25:14 -0500 Subject: [PATCH 1591/1650] add `.whonix` files to hardcoded files --- .../permission-hardener-existing-mode-legacy-hardcoded | 2 ++ .../security-misc/permission-hardener-new-mode-legacy-hardcoded | 2 ++ 2 files changed, 4 insertions(+) diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded index 7f87a45..4d7dc17 100644 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded @@ -16,6 +16,7 @@ root root 700 /root root root 755 /etc/cron.daily root root 755 /bin/ping root root 777 /etc/motd.kicksecure +root root 777 /etc/motd.whonix root root 755 /boot root root 755 /home root shadow 2755 /usr/bin/chage 
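Review bot: When the new hardlink check fires, output_stat returns 1 but the message does not say what that means for the file: a setuid binary with a second hard link is left exactly as found and, if the caller skips rejected entries as the `continue` after `-z "${file_name_from_stat}"` in load_state suggests, no policy for it reaches either statoverride database. Make the consequence explicit in the log, e.g. append `File will be left unmodified; remove the extra hard links and re-run.` to the error text, and consider `exit_code=1` at the same point (the global is initialised in reset_global_vars) so `permission-hardener enable` does not exit 0 after declining to harden something. The comparison itself is sound for symlinked inputs because stat runs with -L, so %h is the link count of the target, and the `-d` exclusion is needed since directories routinely have a link count above 1. output_stat continues on both sides of this hunk.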
@@ -28,6 +29,7 @@ root root 644 /etc/passwd root root 755 /usr/src root root 4755 /usr/bin/mount root root 777 /etc/issue.kicksecure +root root 777 /etc/issue.whonix root root 755 /etc/cron.d root root 4755 /usr/bin/sudo root root 4755 /usr/bin/pkexec diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded index 37f1088..d1b3a80 100644 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded @@ -10,6 +10,7 @@ root root 744 /usr/bin/su root root 700 /etc/cron.daily root root 755 /bin/ping root root 644 /etc/motd.kicksecure +root root 644 /etc/motd.whonix root _ssh 744 /usr/bin/ssh-agent root root 700 /boot root shadow 744 /usr/bin/chage @@ -21,4 +22,5 @@ root root 600 /etc/permission-hardener.d root root 700 /usr/src root root 755 /usr/bin/mount root root 644 /etc/issue.kicksecure +root root 644 /etc/issue.whonix root root 700 /etc/cron.d From c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 13:52:29 +0000 Subject: [PATCH 1592/1650] bumped changelog version --- changelog.upstream | 50 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 56 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3261247..27b686b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,53 @@ +commit 80bd314436b99b723359f25e52bbd14683929b56 +Author: Patrick Schleizer +Date: Wed Jan 22 08:25:14 2025 -0500 + + add `.whonix` files to hardcoded files + +commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 +Merge: 507130a 42f34f5 +Author: Patrick Schleizer +Date: Wed Jan 22 08:23:49 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' + +commit 507130a1cc0592bd4a4b280da7496dade470e637 +Merge: f1b6bff ed767e0 +Author: Patrick Schleizer +Date: Wed Jan 22 08:21:39 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' + +commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba +Author: Aaron Rainbolt +Date: Tue Jan 21 21:49:03 2025 -0600 + + Don't handle files with multiple hardlinks + +commit 5e60416c864a7d06f635161a185864fc36d5685c +Author: Aaron Rainbolt +Date: Tue Jan 21 21:05:03 2025 -0600 + + Make permission-hardener always apply changes to real files, not symlinks + +commit ed767e00b0260d29c18c710efe07d68a9beffb34 +Author: Aaron Rainbolt +Date: Tue Jan 21 16:41:30 2025 -0600 + + Add some local variable declarations + +commit a97620a2e491cc039adb15af94958f26b39319a2 +Author: Aaron Rainbolt +Date: Mon Jan 20 22:43:55 2025 -0600 + + Add print-diagnostics command to permission-hardener + +commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c +Author: Patrick Schleizer +Date: Mon Jan 20 11:35:08 2025 +0000 + + bumped changelog version + commit df9d058ed9635b168508ded20277c174a24cf3f5 Author: Patrick Schleizer Date: Mon Jan 20 06:28:16 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 22d37c6..25950d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 + security-misc (3:43.6-1) unstable; urgency=medium * New upstream version (local package). 
From d5ad29a7324dfbece3185026a3f4c58121c453b6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:04:44 -0500 Subject: [PATCH 1593/1650] add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file --- .../permission-hardener-existing-mode-legacy-hardcoded | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded index 4d7dc17..d40c552 100644 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded @@ -33,3 +33,4 @@ root root 777 /etc/issue.whonix root root 755 /etc/cron.d root root 4755 /usr/bin/sudo root root 4755 /usr/bin/pkexec +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 From 3a056c9d9c17ed3968f48ac332cee94f714320c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:05:50 -0500 Subject: [PATCH 1594/1650] bump permission hardner migration code version --- debian/security-misc.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 11dd83d..e9b2756 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -58,7 +58,7 @@ check_migrate_permission_hardener_state() { fi local orig_hardening_arr custom_hardening_arr config_file custom_config_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' @@ -168,7 +168,7 @@ check_migrate_permission_hardener_state() { db_go || true fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" } check_migrate_permission_hardener_state 
From f90ffacac3d3c12f62f62106a69cb6caeca69041 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:09:56 -0500 Subject: [PATCH 1595/1650] bump permission hardner migration code version --- debian/security-misc.postinst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d1f61d1..ac81a23 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -44,7 +44,7 @@ migrate_permission_hardener_state() { return 0 fi - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' @@ -71,7 +71,7 @@ migrate_permission_hardener_state() { fi fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" } case "$1" in From 3c18734db32b2d19c3a30e282435f083d307d86e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 14:11:21 +0000 Subject: [PATCH 1596/1650] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 27b686b..1c845f3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,27 @@ +commit f90ffacac3d3c12f62f62106a69cb6caeca69041 +Author: Patrick Schleizer +Date: Wed Jan 22 09:09:56 2025 -0500 + + bump permission hardner migration code version + +commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 +Author: Patrick Schleizer +Date: Wed Jan 22 09:05:50 2025 -0500 + + bump permission hardner migration code version + +commit d5ad29a7324dfbece3185026a3f4c58121c453b6 +Author: Patrick Schleizer +Date: Wed Jan 22 09:04:44 2025 -0500 + + add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file + +commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 +Author: Patrick Schleizer +Date: Wed Jan 22 13:52:29 2025 +0000 + + bumped changelog version + commit 80bd314436b99b723359f25e52bbd14683929b56 Author: Patrick Schleizer Date: Wed Jan 22 08:25:14 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 25950d7..0f49262 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 + security-misc (3:43.7-1) unstable; urgency=medium * New upstream version (local package). From b10f5489a3e3317f01339ea34a0e5c7bfb850a01 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 23 Jan 2025 11:12:26 -0500 Subject: [PATCH 1597/1650] copyright --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index d45f96d..fd56b5f 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. Source: security-misc From 6b4fa1ef0055d36a45d65481129dabfee77027e4 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 23 Jan 2025 16:28:58 +0000 Subject: [PATCH 1598/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1c845f3..de4ea6c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 +Author: Patrick Schleizer +Date: Thu Jan 23 11:12:26 2025 -0500 + + copyright + +commit 3c18734db32b2d19c3a30e282435f083d307d86e +Author: Patrick Schleizer +Date: Wed Jan 22 14:11:21 2025 +0000 + + bumped changelog version + commit f90ffacac3d3c12f62f62106a69cb6caeca69041 Author: Patrick Schleizer Date: Wed Jan 22 09:09:56 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 0f49262..6ff9c8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 + security-misc (3:43.8-1) unstable; urgency=medium * New upstream version (local package). From 6aaf7082177fe4d02415aac4317cde74665f495c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jan 2025 14:36:41 +0000 Subject: [PATCH 1599/1650] bumped changelog version --- changelog.upstream | 34 ++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index de4ea6c..7cc6b12 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit 10508cb5801c28f8fff306957e867a1626aa6489 +Merge: 6b4fa1e b9dee26 +Author: Patrick Schleizer +Date: Wed Jan 29 09:36:28 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b9dee2633128577245763bad41cf3cb6b49751f3 +Merge: 6b4fa1e 4b1e530 +Author: Patrick Schleizer +Date: Wed Jan 29 09:35:50 2025 -0500 + + Merge pull request #296 from raja-grewal/cpu_details + + Hardware-related Documentation + +commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 +Author: Patrick Schleizer +Date: Thu Jan 23 16:28:58 2025 +0000 + + bumped changelog version + commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 Author: Patrick Schleizer Date: Thu Jan 23 11:12:26 2025 -0500 @@ -72,6 +94,18 @@ Date: Tue Jan 21 16:41:30 2025 -0600 Add some local variable declarations +commit 4b1e530674146d4d2b62ff4a87fe3add5667403c +Author: raja-grewal +Date: Tue Jan 21 12:39:06 2025 +0000 + + README.md: List CPU mitigations + +commit 15d13a8571d1f38b2bc36387f61bce24c86be97b +Author: raja-grewal +Date: Tue Jan 21 12:36:04 2025 +0000 + + Add info on DBX updates via the UEFI Revocation List + commit a97620a2e491cc039adb15af94958f26b39319a2 Author: Aaron Rainbolt Date: Mon Jan 20 22:43:55 2025 -0600 diff --git a/debian/changelog b/debian/changelog index 6ff9c8d..cce4734 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 + security-misc (3:43.9-1) unstable; urgency=medium * New upstream version (local package). From 7c150d116d1d1f95e2fb729934906eb4391a389a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2025 07:45:08 -0500 Subject: [PATCH 1600/1650] LANG=C str_replace: no longer requires LANG=C, therefore removed --- etc/default/grub.d/41_quiet_boot.cfg | 4 ++-- usr/libexec/security-misc/pam-info | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 96d43cd..7221ac0 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -9,11 +9,11 @@ ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. -## LANG=C str_replace is provided by package helper-scripts. +## str_replace is provided by package helper-scripts. ## ## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 ## -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d94e413..240dc1e 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -152,7 +152,7 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" +user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" ## example user_name: ## user ## root @@ -180,7 +180,7 @@ deny=3 if test -f /etc/security/faillock.conf ; then deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" + deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 fi From 9f5e522b83ba969112abf6a9fba77c1eff31b14d Mon Sep 17 00:00:00 2001 
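Review bot: The new `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"` line replaces the whole default command line with an empty string if `str_replace` is not on PATH when grub-mkconfig sources this file; the comment says the helper comes from helper-scripts, and I cannot see from here whether the packaging guarantees that package is present first. A guard such as `if command -v str_replace >/dev/null 2>&1; then` around the assignment, with no `else` branch so the variable is left untouched, would fail safe instead of silently dropping every other default parameter. Separately, `str_replace` is a plain substring replacement rather than a word match, so it would also cut `quiet` out of the middle of a longer token and leave a double space behind; that behaviour predates this commit but is worth a comment.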
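Review bot: Nothing after the new `deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"` line checks that `deny` is a number: if `/etc/security/faillock.conf` holds more than one line matching `deny =`, or a value such as `deny = 3x`, the variable ends up multi-line or non-numeric and the counter comparison that presumably follows will misbehave. A one-line validation right after the assignment, `[[ "$deny" =~ ^[0-9]+$ ]] || deny=3`, keeps the hard-coded default from the `deny=3` line above as the fallback. Note also that `grep --invert-match "#"` discards a line like `deny = 5 # tightened` entirely, so a trailing comment silently reverts to the default; matching only lines that begin with a comment marker would be more precise.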
From: Patrick Schleizer Date: Thu, 30 Jan 2025 07:53:04 -0500 Subject: [PATCH 1601/1650] LC_ALL=C --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index fc90a5e..729baca 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -8,7 +8,7 @@ set -o nounset set -o errtrace set -o pipefail -export LANG=C +export LC_ALL=C write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" From c0f2f110146410428fc12815b30aaba67ff16126 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2025 12:58:48 +0000 Subject: [PATCH 1602/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7cc6b12..01cd911 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d +Author: Patrick Schleizer +Date: Thu Jan 30 07:53:04 2025 -0500 + + LC_ALL=C + +commit 7c150d116d1d1f95e2fb729934906eb4391a389a +Author: Patrick Schleizer +Date: Thu Jan 30 07:45:08 2025 -0500 + + LANG=C str_replace: no longer requires LANG=C, therefore removed + +commit 6aaf7082177fe4d02415aac4317cde74665f495c +Author: Patrick Schleizer +Date: Wed Jan 29 14:36:41 2025 +0000 + + bumped changelog version + commit 10508cb5801c28f8fff306957e867a1626aa6489 Merge: 6b4fa1e b9dee26 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index cce4734..4f03643 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 + security-misc (3:44.0-1) unstable; urgency=medium * New upstream version (local package). 
From ac1493fcfc194b8d1a680d7e8bf53a90caa984ac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 14:33:17 -0500 Subject: [PATCH 1603/1650] comment --- debian/security-misc.config | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index e9b2756..adaed34 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,10 +21,11 @@ true " ##################################################################### " -## Code duplication. +## NOTE: Code duplication. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh +## ## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. ## Therefore the code is duplicated here. -## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh pkg_installed() { local package_name dpkg_query_output local requested_action status error_state From 041caf286b343268e6db69f2957f23c1dd20812a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 14:33:54 -0500 Subject: [PATCH 1604/1650] update pkg_installed function --- debian/security-misc.config | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index adaed34..e200fb6 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -33,13 +33,13 @@ pkg_installed() { package_name="$1" ## Cannot use '&>' because it is a bashism. dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true - ## dpkg_query_output Exampels: + ## dpkg_query_output Examples: ## install ok half-configured ## install ok installed - requested_action=$(echo "$dpkg_query_output" | awk '{print $1}') - status=$(echo "$dpkg_query_output" | awk '{print $2}') - error_state=$(echo "$dpkg_query_output" | awk '{print $3}') + requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') + status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') + error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') if [ "$requested_action" = 'install' ]; then true "$0: INFO: $package_name is installed, ok." From 2a4a228b150e06c7ff796315719d41e825dd8ad3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 19:38:42 +0000 Subject: [PATCH 1605/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 01cd911..507a461 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 041caf286b343268e6db69f2957f23c1dd20812a +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:54 2025 -0500 + + update pkg_installed function + +commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:17 2025 -0500 + + comment + +commit c0f2f110146410428fc12815b30aaba67ff16126 +Author: Patrick Schleizer +Date: Thu Jan 30 12:58:48 2025 +0000 + + bumped changelog version + commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d Author: Patrick Schleizer Date: Thu Jan 30 07:53:04 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 4f03643..6f9d2b4 100644 --- a/debian/changelog +++ b/debian/changelog 
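Review bot: The three new `printf '%s' "$dpkg_query_output" | awk '{print $1}'` lines fork one pipeline per field to split a single three-word string; in a POSIX `.config` script (the `&>` comment shows the file is constrained to plain sh) the usual idiom is a single unquoted `set --` on the value, which needs no external tools at all. Switching from `echo` to `printf '%s'` is correct, since dash's `echo` interprets backslash escapes. `pkg_installed` continues past the end of the hunk, so I cannot tell whether `status` and `error_state` are used later; if they are not, they could be dropped from the `local` declaration.
```sh
    dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true
    ## … unchanged: dpkg_query_output example comment …
    ## Word-split the "<requested_action> <status> <error_state>" triple once
    ## rather than forking an awk pipeline per field. $1 (package_name) was
    ## already saved above, so clobbering the positional parameters is safe.
    set -- $dpkg_query_output
    requested_action="${1:-}"
    status="${2:-}"
    error_state="${3:-}"
```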
@@ -1,3 +1,9 @@ +security-misc (3:44.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 + security-misc (3:44.1-1) unstable; urgency=medium * New upstream version (local package). From ce4b57d1cb179f18c1ac41681626d01054355fe6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Feb 2025 00:31:45 +0000 Subject: [PATCH 1606/1650] Update docs on kernel panics --- usr/lib/sysctl.d/990-security-misc.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index cc04e0c..3b2e38c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -168,11 +168,16 @@ kernel.perf_event_paranoid=3 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. -## Kernel warnings are useful to avoid a when attempting to access the location of a WARN(). +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Forcing immediate system reboots on any single kernel panic is an extreme option. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial 
From 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 9 Feb 2025 23:04:36 +0000 Subject: [PATCH 1607/1650] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 507a461..f9fc56f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc +Merge: 2a4a228 4d62ee3 +Author: Patrick Schleizer +Date: Sun Feb 9 18:01:43 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4d62ee3ab31bde80eebde265c2513233f10f751a +Merge: 2a4a228 ce4b57d +Author: Patrick Schleizer +Date: Sun Feb 9 18:00:59 2025 -0500 + + Merge pull request #297 from raja-grewal/warn_path + + Update docs on kernel panics + +commit ce4b57d1cb179f18c1ac41681626d01054355fe6 +Author: raja-grewal +Date: Mon Feb 3 00:31:45 2025 +0000 + + Update docs on kernel panics + +commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 +Author: Patrick Schleizer +Date: Fri Jan 31 19:38:42 2025 +0000 + + bumped changelog version + commit 041caf286b343268e6db69f2957f23c1dd20812a Author: Patrick Schleizer Date: Fri Jan 31 14:33:54 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 6f9d2b4..a6a3891 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 + security-misc (3:44.2-1) unstable; urgency=medium * New upstream version (local package). From cd0ba94ac5e7e8360183ac6f440d941b4067025b Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 3 Mar 2025 05:57:59 -0500 Subject: [PATCH 1608/1650] no longer disable `vivid` kernel module by default, because it breaks Qubes Video Companion Thanks to @marmarek for the bug report! https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 fixes https://github.com/Kicksecure/security-misc/issues/298 --- etc/modprobe.d/30_security-misc_disable.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c7fc2b6..e95bd68 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -303,4 +303,8 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## -install vivid /usr/bin/disabled-miscellaneous-by-security-misc +## No longer disabled by default: +## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 +## https://github.com/Kicksecure/security-misc/issues/298 +## +#install vivid /usr/bin/disabled-miscellaneous-by-security-misc From d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 3 Mar 2025 11:00:38 +0000 Subject: [PATCH 1609/1650] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f9fc56f..cd40cff 100644 --- a/changelog.upstream +++ b/changelog.upstream 
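Review bot: Commenting out `install vivid /usr/bin/disabled-miscellaneous-by-security-misc` removes the restriction for every system, not only for the Qubes Video Companion setups that motivated the change, so the virtual video test driver becomes autoloadable again wherever this package is installed. The new comment explains why the line was dropped but not how a user who does not need vivid can keep it disabled; a sentence such as `## To keep vivid disabled locally, copy the line below without the leading '#' into a file under /etc/modprobe.d/` would preserve the opt-out. If the README still lists vivid among the disabled modules, it needs the same update; that is outside this hunk.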
@@ -1,3 +1,22 @@ +commit cd0ba94ac5e7e8360183ac6f440d941b4067025b +Author: Patrick Schleizer +Date: Mon Mar 3 05:57:59 2025 -0500 + + no longer disable `vivid` kernel module by default, + because it breaks Qubes Video Companion + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 + + fixes https://github.com/Kicksecure/security-misc/issues/298 + +commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c +Author: Patrick Schleizer +Date: Sun Feb 9 23:04:36 2025 +0000 + + bumped changelog version + commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc Merge: 2a4a228 4d62ee3 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a6a3891..c6b69a9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 + security-misc (3:44.3-1) unstable; urgency=medium * New upstream version (local package). From f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:28:39 +0000 Subject: [PATCH 1610/1650] Disable pstore processing by systemd-pstore service --- README.md | 5 +++++ usr/lib/systemd/pstore.conf.d/30_security-misc.conf | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 usr/lib/systemd/pstore.conf.d/30_security-misc.conf diff --git a/README.md b/README.md index 2b4904a..d47cf1d 100644 --- a/README.md +++ b/README.md 
@@ -413,6 +413,11 @@ Miscellaneous modules: `/lib/systemd/coredump.conf.d/30_security-misc.conf` +- PStore is disabled as crash logs can contain sensitive system data such as + kernel version, hostname, and users. See: + + `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` + - An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. This is implemented for `initramfs-tools` only because diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf new file mode 100644 index 0000000..9e513c6 --- /dev/null +++ b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[PStore] +Storage=none From df2fc2cf6b0437d23c7641118ebd24d2e3a670ce Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:30:04 +0000 Subject: [PATCH 1611/1650] Set `efi_pstore.pstore_disable=1` --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index d47cf1d..ebcfef5 100644 --- a/README.md +++ b/README.md @@ -226,6 +226,9 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and + other persistent data to the EFI variable store. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 748bf47..99f2d16 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
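Review bot: `Storage=none` only stops systemd-pstore from archiving crash records into its own storage directory; as far as I recall the records are then left in the pstore backend (EFI variables or ramoops) and stay readable under /sys/fs/pstore, so the sensitive data the README paragraph describes is retained in firmware storage rather than removed unless the kernel side is also switched off. A comment in the new file stating that dependency would help, e.g. `## Storage=none leaves existing records in the firmware pstore; see the efi_pstore.pstore_disable=1 kernel parameter for preventing them from being written at all.` It is also worth documenting that this trades away post-crash forensics, since the last oops or panic log is no longer recoverable after a reboot.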
@@ -223,6 +223,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +## Disable EFI persistent storage feature. +## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## +## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system +## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ +## https://lwn.net/Articles/434821/ +## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html +## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 +## https://github.com/Kicksecure/security-misc/issues/299 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From f0d17c7e4134d8a54ce7331c1e9d3ce932278987 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:31:24 +0000 Subject: [PATCH 1612/1650] README: Fix a few links --- README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index ebcfef5..c51b776 100644 --- a/README.md +++ b/README.md @@ -228,7 +228,7 @@ Kernel space: - Disable EFI persistent storage feature, preventing the kernel from writing crash logs and other persistent data to the EFI variable store. - + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use @@ -403,7 +403,7 @@ Miscellaneous modules: `/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` +`/usr/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` 
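Review bot: The new `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"` line only turns off the EFI-variable backend, so on machines whose pstore is backed by ramoops or ACPI ERST, or that boot via legacy BIOS, crash records are still written, while on EFI systems it also removes the ability to read the last panic after a reboot. The comment block above it does not mention either limit; a line such as `## Only affects the efi_pstore backend (ramoops/ERST are unaffected) and disables post-crash log recovery from /sys/fs/pstore.` would make the scope and the forensics cost explicit, matching the denial-of-service trade-off already documented for the panic sysctls. Since this parameter and the `Storage=none` setting in the pstore.conf.d drop-in are meant to work together, cross-referencing that file here would keep the two from being changed independently.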
@@ -412,21 +412,20 @@ Miscellaneous modules: `/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` +`/usr/lib/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` - PStore is disabled as crash logs can contain sensitive system data such as kernel version, hostname, and users. See: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init + is executed so sysctl hardening is enabled as early as possible. This is + implemented for `initramfs-tools` only because this is not needed for `dracut` + as `dracut` does that by default, at least on `systemd` enabled systems. Not + researched for non-`systemd` systems by the author of this part of the readme. ## Network hardening From 173606891ad0c064a22b4ec0aee772105d8be54a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 06:48:29 -0400 Subject: [PATCH 1613/1650] output --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 240dc1e..afd8ac4 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -201,7 +201,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user $PAM_USER +faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From 39f4f5b60739c387f02970018e14f1ae93677e00 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 06:53:08 -0400 Subject: [PATCH 1614/1650] comments --- debian/security-misc.preinst | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/security/access-security-misc.conf | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- .../permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 992ff96..8e900d0 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -47,7 +47,7 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.whonix.org/wiki/Root#Root_Login + ## https://www.kicksecure.com/wiki/Root#Root_Login adduser root console } diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 7c41eb4..d1bc221 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -11,5 +11,5 @@ #sysfs=0 ## Disable selinux mode. -## https://www.whonix.org/wiki/Security-misc#selinux +## https://www.kicksecure.com/wiki/Security-misc#selinux #selinux=0 
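Review bot: The new `faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER` line is user-facing text, and if `pam_faillock_state_dir` is unset or empty at this point (its assignment is outside the hunk) the message prints a broken command, `faillock --dir  --reset ...`, that a user in recovery mode will copy verbatim. Either guard the expansion, `${pam_faillock_state_dir:-/var/run/faillock}` assuming that is the faillock default on this system, or include the `--dir` option only when the variable is non-empty. Quoting the two expansions in the printed text would also keep the advised command intact for directories or user names containing spaces.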
diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index c7f002f..e8bc2ab 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## To enable root login, see: -## https://www.whonix.org/wiki/Root#Root_Login +## https://www.kicksecure.com/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 2b38546..6ee13ca 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## https://www.whonix.org/wiki/Dev/Entropy +## https://www.kicksecure.com/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf index 5b7351f..e3441e1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf @@ -7,5 +7,5 @@ ## There is a controversy about firejail but those who choose to install it ## should be able to use it. -## https://www.whonix.org/wiki/Dev/Firejail#Security +## https://www.kicksecure.com/wiki/Dev/Firejail#Security /usr/bin/firejail exactwhitelist diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 52da1c2..35c2dd4 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -12,7 +12,7 @@ passwd_bin="$(type -P -- "passwd")" if ! test -x "$passwd_bin" ; then echo "\ $0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 +See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 ## Identifiable exit codes in case stdout / stderr is not logged in journal. exit 2 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index afd8ac4..f1e03a2 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -116,7 +116,7 @@ fi ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## -## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. From 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 14:08:24 +0000 Subject: [PATCH 1615/1650] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd40cff..a13f7df 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit 39f4f5b60739c387f02970018e14f1ae93677e00 +Author: Patrick Schleizer +Date: Tue Apr 8 06:53:08 2025 -0400 + + comments + +commit 173606891ad0c064a22b4ec0aee772105d8be54a +Author: Patrick Schleizer +Date: Tue Apr 8 06:48:29 2025 -0400 + + output + +commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb +Author: Patrick Schleizer +Date: Mon Mar 3 11:00:38 2025 +0000 + + bumped changelog version + commit cd0ba94ac5e7e8360183ac6f440d941b4067025b Author: Patrick Schleizer Date: Mon Mar 3 05:57:59 2025 -0500 diff --git a/debian/changelog b/debian/changelog index c6b69a9..c28da5f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 + security-misc (3:44.4-1) unstable; urgency=medium * New upstream version (local package). From 163d51f32a1888a52ea78ba32a4e4a2d72aea87d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 9 Apr 2025 09:47:52 -0400 Subject: [PATCH 1616/1650] newline at the end --- etc/default/grub.d/41_recovery_restrict.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index 89fe02f..f54247b 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -18,4 +18,4 @@ GRUB_DISABLE_RECOVERY="true" ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 ## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" \ No newline at end of file +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" From da9dd3c3f14103701ad82af775b4fb547f5b3e2e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 9 Apr 2025 15:16:00 +0000 Subject: [PATCH 1617/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a13f7df..fbd70ba 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d +Author: Patrick Schleizer +Date: Wed Apr 9 09:47:52 2025 -0400 + + newline at the end + +commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 +Author: Patrick Schleizer +Date: Tue Apr 8 14:08:24 2025 +0000 + + bumped changelog version + commit 39f4f5b60739c387f02970018e14f1ae93677e00 Author: Patrick Schleizer Date: Tue Apr 8 06:53:08 2025 -0400 diff --git a/debian/changelog b/debian/changelog index c28da5f..24991b1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 + security-misc (3:44.5-1) unstable; urgency=medium * New upstream version (local package). From aa0ffff42753f68e67bc92680a22986a5b9ef9e0 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 10 Apr 2025 11:49:45 +1000 Subject: [PATCH 1618/1650] README.md: Revert error --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c51b776..38cc8e0 100644 --- a/README.md +++ b/README.md 
@@ -421,11 +421,12 @@ Miscellaneous modules: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init - is executed so sysctl hardening is enabled as early as possible. This is - implemented for `initramfs-tools` only because this is not needed for `dracut` - as `dracut` does that by default, at least on `systemd` enabled systems. Not - researched for non-`systemd` systems by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening From 74ca63d12c716017d022f5dfc5348ae7b787e220 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 9 Apr 2025 21:01:41 -0500 Subject: [PATCH 1619/1650] Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index f1e03a2..a254a94 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -76,7 +76,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi 
From 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Apr 2025 11:38:17 +0000 Subject: [PATCH 1620/1650] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fbd70ba..11fb2cf 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 +Merge: da9dd3c 74ca63d +Author: Patrick Schleizer +Date: Thu Apr 10 06:07:55 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' + +commit 74ca63d12c716017d022f5dfc5348ae7b787e220 +Author: Aaron Rainbolt +Date: Wed Apr 9 21:01:41 2025 -0500 + + Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" + +commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e +Author: Patrick Schleizer +Date: Wed Apr 9 15:16:00 2025 +0000 + + bumped changelog version + commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d Author: Patrick Schleizer Date: Wed Apr 9 09:47:52 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 24991b1..83b5447 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 + security-misc (3:44.6-1) unstable; urgency=medium * New upstream version (local package). From 7512aa67572c97267fd176e63ae4862b6d37f8ae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Apr 2025 20:59:37 +0000 Subject: [PATCH 1621/1650] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 11fb2cf..fac59a5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe +Merge: 5e88dfe 9f2836d +Author: Patrick Schleizer +Date: Tue Apr 15 15:27:10 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9f2836d2baae900222cbae74d7a32bcdc69e589f +Merge: 5e88dfe aa0ffff +Author: Patrick Schleizer +Date: Tue Apr 15 15:17:25 2025 -0400 + + Merge pull request #304 from raja-grewal/stop_pstore + + Disable PStore + +commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 +Author: Patrick Schleizer +Date: Thu Apr 10 11:38:17 2025 +0000 + + bumped changelog version + commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 Merge: da9dd3c 74ca63d Author: Patrick Schleizer @@ -11,6 +33,12 @@ Date: Wed Apr 9 21:01:41 2025 -0500 Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" +commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 +Author: raja-grewal +Date: Thu Apr 10 11:49:45 2025 +1000 + + README.md: Revert error + commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e Author: Patrick Schleizer Date: Wed Apr 9 15:16:00 2025 +0000 @@ -41,6 +69,24 @@ Date: Tue Apr 8 06:48:29 2025 -0400 output +commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 +Author: raja-grewal +Date: Sun Mar 16 03:31:24 2025 +0000 + + README: Fix a few links + +commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce +Author: raja-grewal +Date: Sun Mar 16 03:30:04 2025 +0000 + + Set `efi_pstore.pstore_disable=1` + +commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df +Author: raja-grewal +Date: Sun Mar 16 03:28:39 2025 +0000 + + Disable pstore processing by systemd-pstore service + commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb Author: Patrick Schleizer Date: Mon Mar 3 11:00:38 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 83b5447..b12df22 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:44.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 + security-misc (3:44.7-1) unstable; urgency=medium * New upstream version (local package). From 5a37790e6bd80ffd4f74d9596523ef72366d35d9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:43:15 -0400 Subject: [PATCH 1622/1650] cleanup --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 729baca..cb586e9 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -12,7 +12,7 @@ export LC_ALL=C write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" - safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; + safe-rm -rf "$TMP/security-misc-apt-get-update-pid" install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" } From 96ff7c8dc67809a3199d0b7f22d9e50483634a9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:45:06 -0400 Subject: [PATCH 1623/1650] refactoring --- usr/libexec/security-misc/apt-get-update | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index cb586e9..0e5e8f5 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -21,12 +21,9 @@ sigterm_trap() { if [ "$lastpid" = "" ]; then exit 143 fi - ps -p "$lastpid" >/dev/null 2>&1 - if [ ! "$?" = "0" ]; then - ## Already terminated. - exit 143 + if kill -0 -- "$lastpid" &>/dev/null ; then + kill -s sigterm -- "$lastpid" fi - kill -s sigterm "$lastpid" exit 143 } From ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 Mon Sep 17 00:00:00 2001 
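Review bot: The `if [ "$lastpid" = "" ]` guard kept as context at the top of this hunk is defeated by `set -o nounset`, which this script enables (visible as context in a later hunk of the same file): `trap "sigterm_trap" SIGTERM SIGINT` is installed before `lastpid="$!"` is assigned, so a signal arriving in that window makes bash abort with an unbound-variable error and status 1 instead of the intended 143. Use `if [ "${lastpid:-}" = "" ]; then` so the empty-string check actually runs. The `sigterm_trap()` opening line is outside the hunk.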
From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:47:40 -0400 Subject: [PATCH 1624/1650] /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` to avoid permission issues --- usr/libexec/security-misc/apt-get-update | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 0e5e8f5..6262d00 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,10 +11,9 @@ set -o pipefail export LC_ALL=C write_pid_file() { - [[ -z "${TMP:-}" ]] && error "TMP is unset" - safe-rm -rf "$TMP/security-misc-apt-get-update-pid" - install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" - echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" + safe-rm -rf "/run/helper-scripts/security-misc-apt-get-update-pid" + install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" + echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" } sigterm_trap() { From 90330a1ec958f82f9322ecc62bcfb7169d641af4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:49:18 -0400 Subject: [PATCH 1625/1650] refactoring --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 6262d00..27d829e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,7 +11,7 @@ set -o pipefail export LC_ALL=C write_pid_file() { - safe-rm -rf "/run/helper-scripts/security-misc-apt-get-update-pid" + safe-rm -r -f -- "/run/helper-scripts/security-misc-apt-get-update-pid" install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" } 
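Review bot: write_pid_file now removes, creates and writes `/run/helper-scripts/security-misc-apt-get-update-pid` in three separate steps, and nothing in the hunk establishes who owns `/run/helper-scripts` or that other accounts cannot create entries in it; if they can, the gap between `install` and `sponge` lets the path be swapped for a symlink so that `echo "$$" | sponge` truncates an arbitrary file with this script's privileges (apt-get update suggests root, though the caller is not visible here). The removed `TMP is unset` guard also got no replacement, so a missing directory now surfaces only as an `install` error under `set -o errexit`. Before the three steps, `[ -d /run/helper-scripts ] || error "/run/helper-scripts is missing"` covers the second point, and the directory's ownership and mode (root, not group- or world-writable) should be verified once wherever it is created, presumably by the helper-scripts package. Separately, `-r` buys nothing for a path that should only ever be a regular file; `safe-rm -f -- "/run/helper-scripts/security-misc-apt-get-update-pid"` is sufficient and avoids a recursive delete if the path is ever something else.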
From 81634930fa13a240b9fff9a878dd84af1dccc6b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:55:32 -0400 Subject: [PATCH 1626/1650] refactoring --- usr/libexec/security-misc/apt-get-update | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 27d829e..d645cf9 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -9,11 +9,12 @@ set -o errtrace set -o pipefail export LC_ALL=C +pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" write_pid_file() { - safe-rm -r -f -- "/run/helper-scripts/security-misc-apt-get-update-pid" - install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" - echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" + safe-rm -r -f -- "$pidfile" + install -m644 /dev/null "$pidfile" + echo "$$" | sponge -- "$pidfile" } sigterm_trap() { From c4f0e1d16f6999b055b0fa310456870f12a6dbea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:57:14 -0400 Subject: [PATCH 1627/1650] refactoring --- usr/libexec/security-misc/apt-get-update | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index d645cf9..d5d4da0 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -21,9 +21,10 @@ sigterm_trap() { if [ "$lastpid" = "" ]; then exit 143 fi - if kill -0 -- "$lastpid" &>/dev/null ; then - kill -s sigterm -- "$lastpid" + if ! kill -0 -- "$lastpid" &>/dev/null ; then + exit 143 fi + kill -s sigterm -- "$lastpid" exit 143 } From 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db Mon Sep 17 00:00:00 2001 
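Review bot: After this rewrite `kill -s sigterm -- "$lastpid"` runs unconditionally once `kill -0` has succeeded, and under `set -o errexit` (enabled in this script, visible as context in a later hunk) a failure in the narrow window where the child exits between the two calls may end the trap with kill's own status instead of reaching the `exit 143` on the next line. Append a fallback so the exit code stays 143: `kill -s sigterm -- "$lastpid" || true`. The `sigterm_trap()` opening line is outside the hunk.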
From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:17:28 -0400 Subject: [PATCH 1628/1650] make `/usr/libexec/security-misc/apt-get-update` more reliable --- usr/libexec/security-misc/apt-get-update | 32 ++++++++++-------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index d5d4da0..e333930 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,34 +11,28 @@ set -o pipefail export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" -write_pid_file() { - safe-rm -r -f -- "$pidfile" - install -m644 /dev/null "$pidfile" - echo "$$" | sponge -- "$pidfile" -} - sigterm_trap() { - if [ "$lastpid" = "" ]; then - exit 143 - fi - if ! kill -0 -- "$lastpid" &>/dev/null ; then - exit 143 - fi - kill -s sigterm -- "$lastpid" + /usr/libexec/helper-scripts/apt-get-update-kill-helper exit 143 } +## terminate potential previous invocations. +/usr/libexec/helper-scripts/apt-get-update-kill-helper + trap "sigterm_trap" SIGTERM SIGINT [[ -v timeout_after ]] || timeout_after="600" [[ -v kill_after ]] || kill_after="10" -write_pid_file - -timeout \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & +start-stop-daemon \ + --make-pidfile \ + --pidfile "$pidfile" \ + --exec /usr/bin/timeout \ + --start \ + -- \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & lastpid="$!" wait "$lastpid" From a670c0d873eba8d84bde90ebbeecc7aecc22349e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:18:23 -0400 Subject: [PATCH 1629/1650] comment --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index e333930..63729d3 100755 --- a/usr/libexec/security-misc/apt-get-update 
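Review bot: The new unconditional `/usr/libexec/helper-scripts/apt-get-update-kill-helper` call runs under `set -o errexit` with no check that the helper exists, so a missing helper (presumably shipped by helper-scripts rather than by this package) or a non-zero exit when there is nothing to terminate aborts the script before `start-stop-daemon` ever runs apt-get; whether the helper returns 0 in the nothing-to-kill case is not visible here and should be confirmed. Worth adding before the call: `command -v /usr/libexec/helper-scripts/apt-get-update-kill-helper >/dev/null || { echo "$0: ERROR: apt-get-update-kill-helper not found." >&2; exit 1; }`. Separately, `start-stop-daemon --start --pidfile "$pidfile" --exec /usr/bin/timeout` exits 1 ("already running") if a stale pid file points at any live process executing /usr/bin/timeout, so the script now depends on the helper having cleared or killed that entry; a comment stating that contract next to the call would help the next maintainer. The `--make-pidfile` option also deserves a why-comment, e.g. `## pid file lets apt-get-update-kill-helper terminate this run.`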
+++ b/usr/libexec/security-misc/apt-get-update @@ -3,6 +3,8 @@ ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +## TODO: Move this to helper-scripts. + set -o errexit set -o nounset set -o errtrace From 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:20:04 -0400 Subject: [PATCH 1630/1650] output --- usr/libexec/security-misc/apt-get-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 63729d3..03da442 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -14,12 +14,12 @@ export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper + /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null exit 143 } ## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper +/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null trap "sigterm_trap" SIGTERM SIGINT From 4aca622706f33e85832e67650259a7751ba87a72 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:23:26 -0400 Subject: [PATCH 1631/1650] fix --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 03da442..0cd6401 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -10,6 +10,8 @@ set -o nounset set -o errtrace set -o pipefail +command -v start-stop-daemon >/dev/null + export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" From 9948ae114d4c6bbd650022c9985137c0fdea5675 Mon Sep 17 00:00:00 2001 
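Review bot: `&>/dev/null` on the non-trap helper call discards the helper's stderr, and since this script runs with `set -o errexit`, a helper that fails now ends the run with exit status 1 and no diagnostic; the same applies inside `sigterm_trap`, where a failing helper would end the trap with its own status before the `exit 143` below it. If the goal is only to hide "nothing to terminate" chatter, keep stderr: `/usr/libexec/helper-scripts/apt-get-update-kill-helper >/dev/null`; if the helper's failure is meant to be non-fatal, make that explicit with `|| true` and a comment saying why.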
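Review bot: `command -v start-stop-daemon >/dev/null` relies on `set -o errexit` to stop the script, so a missing binary ends the run with status 1 and nothing on stderr, which is hard to diagnose from a caller that only sees the exit code. Make the failure explicit: `command -v start-stop-daemon >/dev/null || { echo "$0: ERROR: start-stop-daemon not found." >&2; exit 1; }`. A one-line comment above it stating why the check exists (e.g. `## start-stop-daemon is used below to run apt-get with a pid file.`) would also help.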
From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:24:17 -0400 Subject: [PATCH 1632/1650] fix --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 0cd6401..9cbfd8e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,6 +11,8 @@ set -o errtrace set -o pipefail command -v start-stop-daemon >/dev/null +command -v timeout >/dev/null +command -v apt-get >/dev/null export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" From dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 17:33:56 +0000 Subject: [PATCH 1633/1650] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fac59a5..443ce2d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit 9948ae114d4c6bbd650022c9985137c0fdea5675 +Author: Patrick Schleizer +Date: Sat Apr 19 13:24:17 2025 -0400 + + fix + +commit 4aca622706f33e85832e67650259a7751ba87a72 +Author: Patrick Schleizer +Date: Sat Apr 19 13:23:26 2025 -0400 + + fix + +commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a +Author: Patrick Schleizer +Date: Sat Apr 19 13:20:04 2025 -0400 + + output + +commit a670c0d873eba8d84bde90ebbeecc7aecc22349e +Author: Patrick Schleizer +Date: Sat Apr 19 13:18:23 2025 -0400 + + comment + +commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db +Author: Patrick Schleizer +Date: Sat Apr 19 13:17:28 2025 -0400 + + make `/usr/libexec/security-misc/apt-get-update` more reliable + +commit c4f0e1d16f6999b055b0fa310456870f12a6dbea +Author: Patrick Schleizer +Date: Sat Apr 19 12:57:14 2025 -0400 + + refactoring + +commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 +Author: Patrick Schleizer +Date: Sat Apr 19 12:55:32 2025 -0400 + + refactoring + +commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 +Author: Patrick Schleizer +Date: Sat Apr 19 12:49:18 2025 -0400 + + refactoring + +commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 +Author: Patrick Schleizer +Date: Sat Apr 19 12:47:40 2025 -0400 + + /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` + + to avoid permission issues + +commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c +Author: Patrick Schleizer +Date: Sat Apr 19 12:45:06 2025 -0400 + + refactoring + +commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 +Author: Patrick Schleizer +Date: Sat Apr 19 12:43:15 2025 -0400 + + cleanup + +commit 7512aa67572c97267fd176e63ae4862b6d37f8ae +Author: Patrick Schleizer +Date: Tue Apr 15 20:59:37 2025 +0000 + + bumped changelog version + commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe Merge: 5e88dfe 9f2836d Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index b12df22..66ff75b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:44.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 + security-misc (3:44.8-1) unstable; urgency=medium * New upstream version (local package). From efa2967fca36c776d43419dd5bf12696bc61c426 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:53:04 -0400 Subject: [PATCH 1634/1650] comments --- etc/modprobe.d/30_security-misc_disable.conf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index e95bd68..79b5ed6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -1,7 +1,7 @@ ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## See the following links for a community discussion and overview regarding the selections. +## See the following links for a community discussion and overview regarding the selections: ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules @@ -17,11 +17,11 @@ ## 1. Hardware: ## Bluetooth: -## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. ## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## -## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. ## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc 
@@ -43,7 +43,7 @@ #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc ## FireWire (IEEE 1394): -## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. ## ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues ## @@ -70,9 +70,9 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. -## ME functionality has increasing become more intertwined with basic Intel system operation. -## Disabling may lead to breakages in numerous places without clear debugging/error messages. -## May cause issues with firmware updates, security, power management, display, and DRM. +## ME functionality has increasingly become intertwined with basic Intel system operation. +## Disabling it may lead to breakages in various components without clear debugging/error messages. +## It may affect firmware updates, security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities @@ -94,7 +94,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc #install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Intel Platform Monitoring Technology (PMT) Telemetry: -## Disable some functionality of the Intel PMT components. +## Disable certain functionalities of the Intel PMT components. ## ## https://github.com/intel/Intel-PMT ## @@ -103,7 +103,7 @@ install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc ## Thunderbolt: -## Disables Thunderbolt modules to prevent some DMA attacks. +## Disable Thunderbolt modules to prevent certain DMA attacks. ## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities ## 
From abb0c83619b820b7b66258efa9e141850eaa8b6c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:54:06 -0400 Subject: [PATCH 1635/1650] comments --- etc/modprobe.d/30_security-misc_conntrack.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index 29cbb74..c3ff5b9 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -3,7 +3,7 @@ ## Conntrack: ## Disable Netfilter's automatic connection tracking helper assignment. -## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. +## Increases the kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. ## ## https://conntrack-tools.netfilter.org/manual.html ## https://forums.whonix.org/t/disable-conntrack-helper/18917 From 502f5953c734346edc680a0b898b435e6c6f6e27 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:55:19 -0400 Subject: [PATCH 1636/1650] comments --- etc/modprobe.d/30_security-misc_conntrack.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index c3ff5b9..7f36327 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -3,7 +3,8 @@ ## Conntrack: ## Disable Netfilter's automatic connection tracking helper assignment. -## Increases the kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. +## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. +## Disabling it reduces the kernel attack surface and improves security. ## ## https://conntrack-tools.netfilter.org/manual.html ## https://forums.whonix.org/t/disable-conntrack-helper/18917 
From 4bf0e3a63667c284d053e5b8517440a884a42441 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:57:07 -0400 Subject: [PATCH 1637/1650] comments --- etc/modprobe.d/30_security-misc_blacklist.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 49e4fcb..5ce1edc 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -10,7 +10,7 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. +## Not disabled by default due to potential future ISO plans. ## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 From e154d0af6dd41e392122fbe3d09219734c5ad588 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 10:21:54 +0000 Subject: [PATCH 1638/1650] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 443ce2d..60f4eb5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit 4bf0e3a63667c284d053e5b8517440a884a42441 +Author: Patrick Schleizer +Date: Mon Apr 21 04:57:07 2025 -0400 + + comments + +commit 502f5953c734346edc680a0b898b435e6c6f6e27 +Author: Patrick Schleizer +Date: Mon Apr 21 04:55:19 2025 -0400 + + comments + +commit abb0c83619b820b7b66258efa9e141850eaa8b6c +Author: Patrick Schleizer +Date: Mon Apr 21 04:54:06 2025 -0400 + + comments + +commit efa2967fca36c776d43419dd5bf12696bc61c426 +Author: Patrick Schleizer +Date: Mon Apr 21 04:53:04 2025 -0400 + + comments + +commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 +Author: Patrick Schleizer +Date: Sat Apr 19 17:33:56 2025 +0000 + + bumped changelog version + commit 9948ae114d4c6bbd650022c9985137c0fdea5675 Author: Patrick Schleizer Date: Sat Apr 19 13:24:17 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 66ff75b..ae03aa4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 + security-misc (3:44.9-1) unstable; urgency=medium * New upstream version (local package). From 612f5f92fde236b86928428fd0247c8e971b0460 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 24 Apr 2025 20:01:35 -0500 Subject: [PATCH 1639/1650] Fix umask for pkexec-run commands --- usr/share/pam-configs/umask-security-misc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc index 6436a56..c6c32e6 100644 --- a/usr/share/pam-configs/umask-security-misc +++ b/usr/share/pam-configs/umask-security-misc 
@@ -2,7 +2,8 @@ Name: Restrict umask to 027 (by package security-misc)
 Default: yes
 Priority: 100
 Session-Type: Additional
-Session-Interactive-Only: yes
 Session:
 [success=1 default=ignore] pam_succeed_if.so uid eq 0
 optional pam_umask.so umask=027
+ [success=1 default=ignore] pam_succeed_if.so uid ne 0
+ optional pam_umask.so umask=022
From a8f6132bec1a6f4a639d58295b3e50faf5494d98 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 25 Apr 2025 03:11:27 -0400
Subject: [PATCH 1640/1650] output
---
usr/share/pam-configs/umask-security-misc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
index c6c32e6..b29e433 100644
--- a/usr/share/pam-configs/umask-security-misc
+++ b/usr/share/pam-configs/umask-security-misc
@@ -1,4 +1,4 @@
-Name: Restrict umask to 027 (by package security-misc)
+Name: Restrict umask to 027 for non-root users (by package security-misc)
 Default: yes
 Priority: 100
 Session-Type: Additional
From ba1012ca8767baf34ed762d80b25b03bb70e6765 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 25 Apr 2025 08:19:35 +0000
Subject: [PATCH 1641/1650] bumped changelog version
---
changelog.upstream | 25 +++++++++++++++++++++++++
debian/changelog | 6 ++++++
2 files changed, 31 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 60f4eb5..7a4f697 100644
--- a/changelog.upstream
+++ b/changelog.upstream
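Review bot: Dropping `Session-Interactive-Only: yes` makes this stack apply to every PAM session (cron, su/sudo, pkexec, system services), and the added `pam_succeed_if.so uid ne 0` / `pam_umask.so umask=022` pair now sets an explicit 022 for root in all of them, taking precedence over whatever `UMASK` pam_umask would otherwise read from /etc/login.defs; that root relaxation is the real behaviour change and deserves to be stated, since the profile name still speaks only of restricting to 027. If the profile format permits comments, add one above the `Session:` block such as `## root gets 022 so files created via pkexec/sudo stay readable by unprivileged users; all other sessions get 027.`, otherwise record it in README.md next to the umask entry. I cannot see how pkexec's PAM service stacks session modules, so whether these `Session-Type: Additional` rules are actually reached for pkexec-run commands should be confirmed on a real run rather than assumed.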
@@ -1,3 +1,28 @@ +commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 +Author: Patrick Schleizer +Date: Fri Apr 25 03:11:27 2025 -0400 + + output + +commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 +Merge: e154d0a 612f5f9 +Author: Patrick Schleizer +Date: Fri Apr 25 02:59:09 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' + +commit 612f5f92fde236b86928428fd0247c8e971b0460 +Author: Aaron Rainbolt +Date: Thu Apr 24 20:01:35 2025 -0500 + + Fix umask for pkexec-run commands + +commit e154d0af6dd41e392122fbe3d09219734c5ad588 +Author: Patrick Schleizer +Date: Mon Apr 21 10:21:54 2025 +0000 + + bumped changelog version + commit 4bf0e3a63667c284d053e5b8517440a884a42441 Author: Patrick Schleizer Date: Mon Apr 21 04:57:07 2025 -0400 diff --git a/debian/changelog b/debian/changelog index ae03aa4..26d2607 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 + security-misc (3:45.0-1) unstable; urgency=medium * New upstream version (local package). From 06e1e44b0039807baa862102b12fc5e199c3ccb3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 05:51:21 -0400 Subject: [PATCH 1642/1650] comments --- usr/libexec/security-misc/pam-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a254a94..5f8198a 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -106,12 +106,12 @@ fi # fi # fi -## as user "user" +## under account "user" ## /usr/sbin/faillock -u user ## faillock: Error opening /var/log/tallylog for update: Permission denied ## /usr/sbin/faillock: Authentication error ## -## xscreensaver runs as user "user", therefore pam_faillock cannot function. +## xscreensaver runs under account "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts From 341dce33fb806ab03822470e6af91604662c22dd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 09:54:23 +0000 Subject: [PATCH 1643/1650] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7a4f697..d2432d7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 +Author: Patrick Schleizer +Date: Fri Apr 25 05:51:21 2025 -0400 + + comments + +commit ba1012ca8767baf34ed762d80b25b03bb70e6765 +Author: Patrick Schleizer +Date: Fri Apr 25 08:19:35 2025 +0000 + + bumped changelog version + commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 Author: Patrick Schleizer Date: Fri Apr 25 03:11:27 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 26d2607..a0ef4b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 + security-misc (3:45.1-1) unstable; urgency=medium * New upstream version (local package). From 6c3be9ced071e73e78451c82e8def9c5a5b02598 Mon Sep 17 00:00:00 2001 
From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:06:10 -0400 Subject: [PATCH 1644/1650] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary tests were conducted --- usr/libexec/security-misc/pam-info | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 5f8198a..a0e86db 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -163,9 +163,9 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 4 -## Do not count the first two informational textual output lines -## (starting with "user:" and "When"). -failed_login_counter=$(( pam_faillock_output_count - 2 )) +## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, +## but ensure failed_login_counter is not set to a negative value. +failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter: ## 2 From 91a76db66bb496ba4650ada38df31636297738cf Mon Sep 17 00:00:00 2001 
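Review bot: The new `failed_login_counter=$( [ … ] && echo … || echo "0" )` line clamps the negative value away instead of detecting the condition the commit message describes: with empty faillock output, `echo "$pam_faillock_output"` still emits one newline, so `wc -l` yields 1, the subtraction gives -1, and the clamp turns that into 0, which is now indistinguishable from "header lines present, no failures". A direct check before the arithmetic keeps a negative counter as a parse-problem signal: `if [ -z "$pam_faillock_output" ]; then true "$0: INFO: no faillock data for '$PAM_USER'"; exit 0; fi`, mirroring the existing `exit 0` path for a zero counter. The same clamp survives the later refactoring hunk (`if [ "$failed_login_counter" -le "0" ]`), so the check would belong in that version as well. `pam_faillock_output` is produced outside the hunk, so this assumes it is the raw faillock stdout.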
From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:42:50 -0400 Subject: [PATCH 1645/1650] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary local tests were conducted --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a0e86db..0559ea3 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -164,7 +164,7 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## 4 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -## but ensure failed_login_counter is not set to a negative value. +## whilst ensuring failed_login_counter is not set to a negative value. failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter: From 7f2ba0980d17360fc014c6a412fc4ee57e1032fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:40:50 -0400 Subject: [PATCH 1646/1650] refactoring --- usr/libexec/security-misc/pam-info | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 0559ea3..8998641 100755 --- a/usr/libexec/security-misc/pam-info 
+++ b/usr/libexec/security-misc/pam-info @@ -164,12 +164,18 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## 4 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -## whilst ensuring failed_login_counter is not set to a negative value. -failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) +failed_login_counter=$(( pam_faillock_output_count - 2 )) ## example failed_login_counter: ## 2 +## Ensuring failed_login_counter is not set to a negative value. +## https://github.com/Kicksecure/security-misc/pull/305 +if [ "$failed_login_counter" -le "0" ]; then + true "$0: WARNING: Failed login counter is negative. Resetting to 0." + failed_login_counter=0 +fi + if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 From d8feca12768441b0499ead7cc9f9bce4e89b1edf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:41:41 -0400 Subject: [PATCH 1647/1650] printf --- usr/libexec/security-misc/pam-info | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 8998641..49b376c 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -42,7 +42,7 @@ if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! echo "$grep_result" | grep --quiet -- "#" ; then + if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 
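Review bot: `-le "0"` makes the new guard fire for the ordinary zero case too — two header lines and no table rows give exactly 0 — so the trace line claims the counter is negative when it is not; `if [ "$failed_login_counter" -lt "0" ]; then` matches both the comment and the message. Since `true` is a no-op the mismatch only shows under `set -x` tracing, and the following `= "0"` branch already handles zero. The comment `## Ensuring failed_login_counter is not set to a negative value.` would be more useful if it also said when that happens, e.g. `## A negative value means faillock printed no table at all (observed for root); treat it as zero rather than reporting it.`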
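Review bot: The `printf '%s\n' "$grep_result" | grep --quiet -- "#"` line treats a `#` anywhere in the matched text as "commented out", so an active line carrying a trailing comment would be classified as disabled and, judging from the context, leave `console_allowed` unset and emit the "not a member of group 'console'" error; `grep --quiet -- '^[[:space:]]*#'` tests only for a leading comment marker. This is pre-existing behaviour that the echo-to-printf change carries over, and `grep_result` is produced outside the hunk, so the exact input shape is inferred. The enclosing `if [ ! "$grep_result" = "" ]` block also starts and ends outside the hunk.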
@@ -55,7 +55,7 @@ if [ ! "$grep_result" = "" ]; then fi if [ ! "$console_allowed" = "true" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) @@ -76,7 +76,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi @@ -84,7 +84,7 @@ kernel_cmdline="$(cat /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 @@ -95,7 +95,7 @@ fi # if [ -f /etc/securetty ]; then # grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# echo "\ +# printf '%s\n' "\ # $0: ERROR: Root login is disabled. # ERROR: This is because /etc/securetty is empty. # See also: 
@@ -143,7 +143,7 @@ fi ## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] ## Get first line. -#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" +#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" while read -t 10 -r pam_faillock_output_first_line ; do break done <<< "$pam_faillock_output" @@ -152,12 +152,12 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" +user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" ## example user_name: ## user ## root -pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" +pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 2 ## example pam_faillock_output_count: @@ -186,13 +186,13 @@ deny=3 if test -f /etc/security/faillock.conf ; then deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 fi if [[ "$deny" == *[!0-9]* ]]; then - echo "\ + printf '%s\n' "\ $0: ERROR: deny is not numeric. deny: '$deny' ERROR: Please report this bug. " >&2 @@ -202,7 +202,7 @@ fi remaining_attempts="$(( $deny - $failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) 
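Review bot: In the `deny=` hunk, the new `deny="$(printf '%s\n' "$deny_line" | …)"` line overwrites the `deny=3` default with an empty string whenever `/etc/security/faillock.conf` exists but contains no uncommented `deny =` line (distributions commonly ship the file with every option commented out, which the `--invert-match "#"` filter removes), and the `[[ "$deny" == *[!0-9]* ]]` check that follows does not reject an empty value. `remaining_attempts` then becomes `0 - failed_login_counter`, so the "Login blocked" message is printed after a single failed attempt. Guard the assignment with `if [ -n "$deny_line" ]; then deny="$(…)"; fi`, or extend the check to `if [ -z "$deny" ] || [[ "$deny" == *[!0-9]* ]]; then` so the "Please report this bug" path catches it. This assumes nothing outside the hunk re-validates `deny`.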
@@ -217,14 +217,14 @@ https://www.kicksecure.com/wiki/root#unlock exit 0 fi -echo "\ +printf '%s\n' "\ $0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. Login will be blocked after $deny attempts. You have $remaining_attempts more attempts before unlock procedure is required. " >&2 if [ "$PAM_SERVICE" = "su" ]; then - echo "\ + printf '%s\n' "\ $0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. " >&2 fi From 601ea77b005d18b57a85e0701f3981edd61b7881 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:42:39 -0400 Subject: [PATCH 1648/1650] end-of-options --- usr/libexec/security-misc/pam-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 49b376c..ce420b2 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -80,7 +80,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then fi fi -kernel_cmdline="$(cat /proc/cmdline)" +kernel_cmdline="$(cat -- /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then @@ -93,7 +93,7 @@ fi ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then -# grep_result="$(grep "^[^#]" /etc/securetty)" +# grep_result="$(grep -- "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then # printf '%s\n' "\ # $0: ERROR: Root login is disabled. From 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:44:04 -0400 Subject: [PATCH 1649/1650] refactoring --- usr/libexec/security-misc/pam-info | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index ce420b2..b24c668 100755 --- a/usr/libexec/security-misc/pam-info 
+++ b/usr/libexec/security-misc/pam-info @@ -82,9 +82,10 @@ fi kernel_cmdline="$(cat -- /proc/cmdline)" -if [ "$PAM_USER" != 'sysmaint' ] \ - && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" +if [ "$PAM_USER" != 'sysmaint' ]; then + if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + fi fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 From 405880e63b92319626332d083a6c5ad5101dbf77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:44:42 -0400 Subject: [PATCH 1650/1650] handle case of non-existence of /proc/cmdline --- usr/libexec/security-misc/pam-info | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index b24c668..736e44f 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -80,7 +80,9 @@ if [ "$PAM_USER" = 'sysmaint' ]; then fi fi -kernel_cmdline="$(cat -- /proc/cmdline)" +if test -f /proc/cmdline; then + kernel_cmdline="$(cat -- /proc/cmdline)" +fi if [ "$PAM_USER" != 'sysmaint' ]; then if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
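Review bot: When `/proc/cmdline` is absent, `kernel_cmdline` is never assigned, so the `[[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]` test on the last line reads whatever the name held before — unset, which fails under `set -u` if the script enables it, or a value inherited from the environment of whatever invoked the PAM helper. Initialise it explicitly before the file test: `kernel_cmdline=""` on the line before `if test -f /proc/cmdline; then`, so the sysmaint warning can only be triggered by the kernel command line. The `if [ "$PAM_USER" != 'sysmaint' ]` block continues outside the hunk.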