diff --git a/COPYING b/COPYING index 829d909..4d66db5 100644 --- a/COPYING +++ b/COPYING 
@@ -1,668 +1,73 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. 
However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . 
- To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . 
- The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. 
This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . 
- When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . 
- b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . 
- e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . 
- If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. 
If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . 
- All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . 
- Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. 
If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . 
- In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. 
You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . 
- Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . 
- If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. 
+ UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. 
Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS - . - How to Apply These Terms to Your New Programs - . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. - . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. - . - - Copyright (C) - . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - . - Also add information on how to contact you by electronic and paper mail. - . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. - . 
- You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. diff --git a/GPLv3 b/GPLv3 new file mode 100644 index 0000000..94a9ed0 --- /dev/null +++ b/GPLv3 
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/README.md b/README.md index 38cc8e0..ea335fb 100644 --- a/README.md +++ b/README.md 
@@ -3,588 +3,295 @@ ## Kernel hardening This section is inspired by the Kernel Self Protection Project (KSPP). It -attempts to implement all recommended Linux kernel settings by the KSPP and -many more sources. +implements all recommended Linux kernel settings by the KSPP and many +more. -- https://kspp.github.io/Recommended_Settings -- https://github.com/KSPP/kspp.github.io +* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project ### sysctl -sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file and significant hardening is applied to a myriad of components. - -#### Kernel space - -- Restrict access to kernel addresses through the use of kernel pointers regardless - of user privileges. - -- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain - sensitive information. - -- Prevent kernel information leaks in the console during boot. - -- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs - by unprivileged users. - -- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. - -- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the - likelihood of use-after-free exploits. - -- Disable `kexec` as it can be used to replace the running kernel. - -- Entirely disable the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). - -- Optional - Disable all use of user namespaces. - -- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. - -- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. 
- -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - -- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - -- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - the source of numerous kernel exploits. - -#### User space - -- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Optional - Disable - usage of `ptrace()` by all processes. - -- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. - -- Prevent hardlink and symlink TOCTOU races in world-writable directories. - -- Disallow unintentional writes to files in world-writable directories unless - they are owned by the directory owner to mitigate some data spoofing attacks. - -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - -- Raise the minimum address a process can request for memory mapping to 64KB to - protect against kernel null pointer dereference vulnerabilities. - -- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. - -- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based - on a magic number or their file extension to prevent unintended code execution. - See issue: https://github.com/Kicksecure/security-misc/issues/267 - -#### Core dumps - -- Disable core dump files and prevent their creation. If core dump files are - enabled, they will be named based on `core.PID` instead of the default `core`. - -#### Swap space - -- Limit the copying of potentially sensitive content in memory to the swap device. - -#### Networking - -- Enable hardening of the BPF JIT compiler protect against JIT spraying. - -- Enable TCP SYN cookie protection to assist against SYN flood attacks. 
- -- Protect against TCP time-wait assassination hazards. - -- Enable reverse path filtering (source validation) of packets received - from all interfaces to prevent IP spoofing. - -- Disable ICMP redirect acceptance and redirect sending messages to prevent - man-in-the-middle attacks and minimize information disclosure. - -- Deny sending and receiving shared media redirects to reduce the risk of IP - spoofing attacks. - -- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - -- Respond to ARP requests only if the target IP address is on-link, - preventing some IP spoofing attacks. - -- Drop gratuitous ARP packets to prevent ARP cache poisoning via - man-in-the-middle and denial-of-service attacks. - -- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - -- Ignore bogus ICMP error responses. - -- Disable source routing which allows users to redirect network traffic that - can result in man-in-the-middle attacks. - -- Do not accept IPv6 router advertisements and solicitations. - -- Optional - Disable SACK and DSACK as they have historically been a known - vector for exploitation. - -- Disable TCP timestamps as they can allow detecting the system time. - -- Optional - Log packets with impossible source or destination addresses to - enable further inspection and analysis. - -- Optional - Enable IPv6 Privacy Extensions. - -- Documentation: https://www.kicksecure.com/wiki/Networking - -### Boot parameters - -Mitigations for known CPU vulnerabilities are enabled in their strictest form -and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. - -Note, to achieve complete protection for known CPU vulnerabilities, the latest -security microcode (BIOS/UEFI) updates must be installed on the system. 
Furthermore, -if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. - -CPU mitigations: - -- Disable Simultaneous Multithreading (SMT) - -- Spectre Side Channels (BTI and BHI) - -- Speculative Store Bypass (SSB) - -- L1 Terminal Fault (L1TF) - -- Microarchitectural Data Sampling (MDS) - -- TSX Asynchronous Abort (TAA) - -- iTLB Multihit - -- Special Register Buffer Data Sampling (SRBDS) - -- L1D Flushing - -- Processor MMIO Stale Data - -- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) - -- Cross-Thread Return Address Predictions - -- Speculative Return Stack Overflow (SRSO) - -- Gather Data Sampling (GDS) - -- Register File Data Sampling (RFDS) - -Boot parameters relating to kernel hardening, DMA mitigations, and entropy -generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` configuration file. -Kernel space: +* A kernel pointer points to a specific location in kernel memory. These +can be very useful in exploiting the kernel so they are restricted to `CAP_SYSLOG`. -- Disable merging of slabs with similar size, which reduces the risk of - triggering heap overflows and limits influencing slab cache layout. +* The kernel logs are restricted to `CAP_SYSLOG` as they can often leak sensitive +information such as kernel pointers. -- Enable sanity checks and red zoning via slab debugging. This will implicitly - disable kernel pointer hashing, leaking very sensitive information to root. +* The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. -- Enable memory zeroing at both allocation and free time, which mitigates some - use-after-free vulnerabilities by erasing sensitive information in memory. 
+* eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior +to 5.8) and JIT hardening techniques such as constant blinding are enabled. -- Enable the kernel page allocator to randomize free lists to limit some data - exfiltration and ROP attacks, especially during the early boot process. +* Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel +versions prior to 5.8). -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +* Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent unprivileged +attackers from loading vulnerable line disciplines with the `TIOCSETD` ioctl which +has been abused in a number of exploits before. -- Enable randomization of the kernel stack offset on syscall entries to harden - against memory corruption attacks. +* Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` is +often abused to exploit use-after-free flaws. -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been - replaced by vDSO. +* Kexec is disabled as it can be used to load a malicious kernel and gain +arbitrary code execution in kernel mode. -- Restrict access to debugfs by not registering the file system since it can - contain sensitive information. +* Randomises the addresses for mmap base, heap, stack, and VDSO pages. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +* Prevents unintentional writes to attacker-controlled files. -- Optional - Modify the machine check exception handler. +* Prevents common symlink and hardlink TOCTOU races. -- Prevent sensitive kernel information leaks in the console during boot. +* Restricts the SysRq key so it can only be used for shutdowns and the +Secure Attention Key. 
-- Enable the kernel Electric-Fence sampling-based memory safety error detector - which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. +* The kernel is only allowed to swap if it is absolutely necessary. This +prevents writing potentially sensitive contents of memory to disk. -- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - -- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - since it may be slightly more resilient to attacks that are able to write - arbitrary executables in memory. - -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. - -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. - -Direct memory access: - -- Enable strict IOMMU translation to protect against some DMA attacks via the use - of both CPU manufacturer-specific drivers and kernel settings. - -- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables - DMA before the IOMMU is configured. May cause boot failure on certain hardware. - -Entropy: - -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. - -- Obtain more entropy at boot from RAM as the runtime memory allocator is - being initialized. - -Networking: - -- Optional - Disable the entire IPv6 stack to reduce attack surface. +* TCP timestamps are disabled as it can allow detecting the system time. ### mmap ASLR -- The bits of entropy used for mmap ASLR for all CPU architectures are maxed - out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. 
+* The bits of entropy used for mmap ASLR are maxed out via +`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of +`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that +the kernel was built with), therefore improving its effectiveness. -### Kernel Self Protection Project (KSPP) compliance status +### Boot parameters -**Summary:** +Boot parameters are outlined in configuration files located in the +`etc/default/grub.d/` directory. -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, -there are a few cases of partial or non-compliance due to technical limitations. +* Slab merging is disabled which significantly increases the difficulty of +heap exploitation by preventing overwriting objects from merged caches and +by making it harder to influence slab cache layout. -* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) +* Memory zeroing at allocation and free time is enabled to mitigate some +use-after-free vulnerabilities and erase sensitive information in memory. -**Full compliance:** +* Page allocator freelist randomization is enabled. -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with -the KSPP's recommendations. +* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase +KASLR effectiveness. -**Partial compliance:** +* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, +are a potential target for ROP. -1. `sysctl kernel.yama.ptrace_scope=3` +* The kernel panics on oopses to thwart certain kernel exploits. -Completely disables `ptrace()`. Can be enabled easily if needed. +* Enables randomisation of the kernel stack offset on syscall entries. -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) +* All mitigations for known CPU vulnerabilities are enabled and SMT is +disabled. -2. 
`sysctl kernel.panic=-1` +* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU +TLB invalidation so devices will never be able to access stale data contents. -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected -system crashes. +* Distrust the 'randomly' generated CPU and bootloader seeds. -* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) -* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) +### Disables and blacklists kernel modules -**Non-compliance:** +Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the +`/etc/modprobe.d/30_security-misc.conf` configuration file. -3. `sysctl user.max_user_namespaces=0` +* Deactivates Netfilter's connection tracking helper - this module +increases kernel attack surface by enabling superfluous functionality +such as IRC parsing in the kernel. Hence, this feature is disabled. -Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. +* Bluetooth is disabled to reduce attack surface. Bluetooth has +a lengthy history of security concerns. -* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) +* Thunderbolt and numerous FireWire kernel modules are also disabled as they are +often vulnerable to DMA attacks. -4. `sysctl fs.binfmt_misc.status=0` +* The MSR kernel module is disabled to prevent CPU MSRs from being +abused to write to arbitrary memory. -Disables the registration of interpreters for miscellaneous binary formats. Currently not -feasible due to compatibility issues with Firefox. +* Uncommon network protocols are blacklisted. 
This includes: -* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) -* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) + DCCP - Datagram Congestion Control Protocol -### Kernel Modules + SCTP - Stream Control Transmission Protocol -#### Kernel Module Signature Verification + RDS - Reliable Datagram Sockets -Not yet implemented due to issues: + TIPC - Transparent Inter-process Communication -- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -- https://github.com/dell/dkms/issues/359 + HDLC - High-Level Data Link Control -See: + AX25 - Amateur X.25 -- `/etc/default/grub.d/40_signed_modules.cfg` + NetRom -#### Disables the loading of new modules to the kernel after the fact + X25 -Not yet implemented due to issues: + ROSE -- https://github.com/Kicksecure/security-misc/pull/152 + DECnet -A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, -preventing new modules from being loaded. Since this isn't configured directly -within systemctl, it does not break the loading of legitimate and necessary -modules for the user, like drivers etc., given they are plugged in on startup. + Econet -#### Blacklist and disable kernel modules + af_802154 - IEEE 802.15.4 -Conntrack: Deactivates Netfilter's connection tracking helper module which -increases kernel attack surface by enabling superfluous functionality such -as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. + IPX - Internetwork Packet Exchange -Certain kernel modules are blacklisted by default to reduce attack surface via -`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel -modules from automatically starting. + AppleTalk -- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. 
+ PSNAP - Subnetwork Access Protocol -- Miscellaneous: Blacklist an assortment of other modules to prevent them from - automatically loading. + p8023 - Novell raw IEEE 802.3 -Specific kernel modules are entirely disabled to reduce attack surface via -`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel -modules from starting. This approach should not be considered comprehensive; -rather, it is a form of badness enumeration. Any potential candidates for future -disabling should first be blacklisted for a suitable amount of time. + p8022 - IEEE 802.2 -Hardware modules: + CAN - Controller Area Network -- Optional - Bluetooth: Disabled to reduce attack surface. + ATM -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. -- GPS: Disable GPS-related modules such as those required for Global Navigation - Satellite Systems (GNSS). +* The vivid kernel module is only required for testing and has been the cause +of multiple vulnerabilities so it is disabled. -- Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as firmware - updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 +* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. -- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality - of the Intel PMT components. +* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. 
-- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - -File system modules: - -- File Systems: Disable uncommon and legacy file systems. - -- Network File Systems: Disable uncommon and legacy network file systems. - -Networking modules: - -- Network Protocols: A wide array of uncommon and legacy network protocols and drivers - are disabled. - -Miscellaneous modules: - -- Amateur Radios: Disabled to reduce attack surface. - -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - -- Floppy Disks: Disabled to reduce attack surface. - -- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - -- Replaced Modules: Disabled legacy drivers that have been entirely replaced and - superseded by newer drivers. - -- Optional - USB Video Device Class: Disables the USB-based video streaming driver for - devices like some webcams and digital camcorders. - -- Vivid: Disabled to reduce attack surface given previous vulnerabilities. +* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. ### Other -- A systemd service clears the System.map file on boot as these contain kernel - pointers. The file is completely overwritten with zeroes to ensure it cannot - be recovered. See: +* A systemd service clears the System.map file on boot as these contain kernel +pointers. The file is completely overwritten with zeroes to ensure it cannot +be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` -`/usr/lib/systemd/system/remove-system-map.service` +`/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` -- Coredumps are disabled as they may contain important information such as - encryption keys or passwords. See: +* Coredumps are disabled as they may contain important information such as +encryption keys or passwords. 
See: `/etc/security/limits.d/30_security-misc.conf` -`/usr/lib/sysctl.d/30_security-misc.conf` +`/etc/sysctl.d/30_security-misc.conf` -`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/lib/systemd/coredump.conf.d/30_security-misc.conf` -- PStore is disabled as crash logs can contain sensitive system data such as - kernel version, hostname, and users. See: - - `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` - -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and +`/etc/sysctl.d` before init is executed so sysctl hardening is enabled +as early as possible. This is implemented for `initramfs-tools` only because +this is not needed for `dracut` because `dracut` does that by default, at least +on `systemd` enabled systems. Not researched for non-`systemd` systems by the +author of this part of the readme. ## Network hardening -Not yet implemented due to issues: +* TCP syncookies are enabled to prevent SYN flood attacks. -- https://github.com/Kicksecure/security-misc/pull/145 +* ICMP redirect acceptance, ICMP redirect sending, source routing and +IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. -- https://github.com/Kicksecure/security-misc/issues/184 +* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, +make the device more difficult to enumerate on the network and prevent clock +fingerprinting through ICMP timestamps. -- Unlike version 4, IPv6 addresses can provide information not only about the - originating network but also the originating device. 
We prevent this from - happening by enabling the respective privacy extensions for IPv6. +* RFC1337 is enabled to protect against time-wait assassination attacks by +dropping RST packets for sockets in the time-wait state. -- In addition, we deny the capability to track the originating device in the - network at all, by using randomized MAC addresses per connection by - default. - -See: - -- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` - -## Bluetooth Hardening - -### Bluetooth Status: Enabled but Defaulted to Off - -- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, - security-misc deviates from the usual behavior by starting with Bluetooth - turned off at system start. This setting remains until the user explicitly opts - to activate Bluetooth. - -- **User Control**: Users have the freedom to easily switch Bluetooth on and off - in the usual way, exercising their own discretion. This can be done via the - Bluetooth toggle through the usual way, that is either through GUI settings - application or command line commands. - -- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth - connections. This includes the use of private addresses and strict timeout - settings for discoverability and visibility. - -- **Security Considerations**: Despite these measures, it's important to note that - Bluetooth technology, by its nature, may still be prone to exploits due to its - history of security vulnerabilities. Thus, we recommend users to opt-out of - using Bluetooth when possible. 
- -### Configuration Details - -- See configuration: `/etc/bluetooth/30_security-misc.conf` -- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) - -### Understanding Bluetooth Terms - -- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. - When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, - configured, or interacted with in any way. - -- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on - Debian systems, Bluetooth is 'on' when the system boots up. It actively searches - for known devices to auto-connect and may be discoverable or visible under certain - conditions. Our default ensures that Bluetooth is off on startup. However, it - remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol - and has the necessary modules. - -### Quick Toggle Guide - -- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings - application or on the tray, and switch the toggle. It's a straightforward action - that can be completed in less than a second. - -- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch - the toggle to the off position. +* Reverse path filtering is enabled to prevent IP spoofing and mitigate +vulnerabilities such as CVE-2019-14899. ## Entropy collection improvements -- The `jitterentropy_rng` kernel module is loaded as early as possible during - boot to gather more entropy via the - `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +* The `jitterentropy_rng` kernel module is loaded as early as possible +during boot to gather more entropy via the +`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -- Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the - bootloader seed for initial entropy. 
For references, see: - `/etc/default/grub.d/40_kernel_hardening.cfg` +* Distrusts the CPU for initial entropy at boot as it is not possible to +audit, may contain weaknesses or a backdoor. For references, see: +`/etc/default/grub.d/40_distrust_cpu.cfg` -- Gathers more entropy during boot if using the linux-hardened kernel patch. +* Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options -A systemd service is triggered on boot to remount all sensitive partitions and -directories with significantly more secure hardened mount options. Since this -would require manual tuning for a given specific system, we handle it by -creating a very solid configuration file for that very system on package -installation. - Not enabled by default yet. In development. Help welcome. -- https://www.kicksecure.com/wiki/Dev/remount-secure -- https://github.com/Kicksecure/security-misc/issues/157 -- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ + +`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` +mount options to prevent execution of setuid or setgid binaries and creation of +devices on those filesystems. + +Optionally, they can also be mounted with `noexec` to prevent execution of any +binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root +and reboot. + +To disable this, execute `touch /etc/remount-disable` as root. + +Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec` +could be used. 
## Root access restrictions -- `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts - - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in - file `/etc/pam.d/common-auth`). +* `su` is restricted to only users within the group `sudo` which prevents +users from using `su` to gain root access or to switch user accounts - +`/usr/share/pam-configs/wheel-security-misc` +(which results in a change in file `/etc/pam.d/common-auth`). -- Add user `root` to group `sudo`. This is required due to the above - restriction so that logging in from a virtual console is still possible - - `debian/security-misc.postinst` +* Add user `root` to group `sudo`. This is required due to the above restriction so +that logging in from a virtual console is still possible - `debian/security-misc.postinst` -- Abort login for users with locked passwords - - `/usr/libexec/security-misc/pam-abort-on-locked-password`. +* Abort login for users with locked passwords - +`/usr/libexec/security-misc/pam-abort-on-locked-password`. -- Logging into the root account from a virtual, serial, or other console is - prevented by shipping an existing and empty `/etc/securetty` file (deletion - of `/etc/securetty` has a different effect). +* Logging into the root account from a virtual, serial, whatnot console is +prevented by shipping an existing and empty `/etc/securetty` file +(deletion of `/etc/securetty` has a different effect). -This package does not yet automatically lock the root account password. It is -not clear if this would be sane in such a package, although it is recommended to -lock and expire the root account. +This package does not yet automatically lock the root account password. It +is not clear if this would be sane in such a package although, it is recommended +to lock and expire the root account. 
-In new Kicksecure builds, the root account will be locked by package +In new Kicksecure builds, root account will be locked by package dist-base-files. See: -- https://www.kicksecure.com/wiki/Root -- https://www.kicksecure.com/wiki/Dev/Permissions -- https://forums.whonix.org/t/restrict-root-access/7658 +* https://www.kicksecure.com/wiki/Root +* https://www.kicksecure.com/wiki/Dev/Permissions +* https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. This is -the same solution that Debian will likely adopt for the Debian installer: -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 +Therefore, this package enables passwordless rescue and emergency shell. +This is the same solution that Debian will likely adapt for Debian +installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -- `/etc/systemd/system/emergency.service.d/override.conf` -- `/etc/systemd/system/rescue.service.d/override.conf` +* `/etc/systemd/system/emergency.service.d/override.conf` +* `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password -protection, GRUB password protection, and/or full disk encryption. +protection, GRUB password protection and/or full disk encryption. ## Console lockdown -This uses pam_access to allow members of group `console` to use the console but +This uses pam_access to allow members of group `console` to use console but restrict everyone else (except members of group `console-unrestricted`) from -using the console with ancient, unpopular login methods such as `/bin/login` over -networks as this might be exploitable. (CVE-2001-0797) +using console with ancient, unpopular login methods such as `/bin/login` +over networks as this might be exploitable. 
(CVE-2001-0797) -This is not enabled by default in this package since this package does not know -which users should be added to group 'console' and thus, would break console access. +This is not enabled by default in this package since this package does not +know which users shall be added to group 'console' and thus, would break console. See: -- `/usr/share/pam-configs/console-lockdown-security-misc` -- `/etc/security/access-security-misc.conf` +* `/usr/share/pam-configs/console-lockdown-security-misc` +* `/etc/security/access-security-misc.conf` ## Brute force attack protection 
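Review bot: The Network hardening part of this hunk replaces "Not yet implemented due to issues" (with the links to PR #145 and issue #184) with bullets stating that TCP syncookies, ICMP hardening, RFC1337 and reverse path filtering are enabled, and the Restrictive mount options part keeps the unchanged "Not enabled by default yet. In development. Help welcome." while adding text that `/home`, `/tmp`, `/dev/shm` and `/run` are remounted with `nosuid` and `nodev`; in both places the README now describes behaviour that the surrounding status text says is not shipped, so either the status lines or the feature descriptions are wrong and should be reconciled before merging. The same hunk drops the PStore section (`/usr/lib/systemd/pstore.conf.d/30_security-misc.conf`), the IPv6 privacy extension and MAC randomization configuration files under `/usr/lib/NetworkManager/conf.d/` and `/usr/lib/systemd/networkd.conf.d/`, and the whole Bluetooth Hardening section, with no corresponding file removals anywhere in this diff, so shipped configuration would go undocumented. Smaller points: "the modules needed to use of CD-ROM devices" should read "to use CD-ROM devices"; "virtual, serial, whatnot console" reads better as "virtual, serial, or other console"; "Debian will likely adapt" should be "adopt"; "although, it is recommended" has the comma on the wrong side; and `/lib/systemd/system/remove-system-map.service`, `/etc/sysctl.d/30_security-misc.conf`, `/lib/systemd/coredump.conf.d/30_security-misc.conf` and `/etc/default/grub.d/40_distrust_cpu.cfg` replace the `/usr/lib/...` and `40_kernel_hardening.cfg` paths, which should match where the package actually installs those files.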
@@ -592,108 +299,54 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -- Show failed and remaining password attempts. -- Document unlock procedure if Linux user account got locked. -- Point out that there is no password feedback for `su`. -- Explain locked root account if locked. +* Show failed and remaining password attempts. +* Document unlock procedure if Linux user account got locked. +* Point out that there is no password feedback for `su`. +* Explain locked root account if locked. See: -- `/usr/share/pam-configs/tally2-security-misc` -- `/usr/libexec/security-misc/pam-info` -- `/usr/libexec/security-misc/pam-abort-on-locked-password` +* `/usr/share/pam-configs/tally2-security-misc` +* `/usr/libexec/security-misc/pam-info` +* `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions ### Strong user account separation -#### Permission Lockdown - -Read, write, and execute access for "others" are removed during package -installation, upgrade, or PAM `mkhomedir` for all users who have home folders in -`/home` by running, for example: +Read, write and execute access for "others" are removed during package +installation, upgrade or PAM `mkhomedir` for all users who have home +folders in `/home` by running, for example: ``` chmod o-rwx /home/user ``` -This will be done only once per folder in `/home` so users who wish to relax -file permissions are free to do so. This is to protect files in a home folder -that were previously created with lax file permissions prior to the installation -of this package. +This will be done only once per folder in `/home` so users who wish to +relax file permissions are free to do so. This is to protect files in a +home folder that were previously created with lax file permissions prior +to the installation of this package. 
See: -- `debian/security-misc.postinst` -- `/usr/libexec/security-misc/permission-lockdown` -- `/usr/share/pam-configs/mkhomedir-security-misc` - -#### umask - -The default `umask` is set to `027` for files created by non-root users, such -as the account `user`. - -This is done using the PAM module `pam_mkhomedir.so umask=027`. - -This configuration ensures that files created by non-root users cannot be read -by other non-root users by default. While Permission Lockdown already protects -the `/home` folder, this setting extends protection to other folders such as -`/tmp`. - -`group` read permissions are not removed. This is unnecessary due to Debian's -use of User Private Groups (UPGs). See also: -https://wiki.debian.org/UserPrivateGroups - -The default `umask` is unchanged for root because configuration files created -in `/etc` by the system administrator would otherwise be unreadable by -"others," potentially breaking applications. Examples include `/etc/firefox-esr` -and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` -configuration, ensuring that files created as root are world-readable, even -when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. - -When using `sudo`, the `umask` is set to `022` rather than `027` to ensure -compatibility with commands such as `sudo vi /etc/configfile` and -`sudo -i; touch /etc/file`. - -See: - -- `/usr/share/pam-configs/umask-security-misc` +* `debian/security-misc.postinst` +* `/usr/libexec/security-misc/permission-lockdown` +* `/usr/share/pam-configs/mkhomedir-security-misc` ### SUID / SGID removal and permission hardening -#### SUID / SGID removal +Not enabled by default yet. -A systemd service removes SUID / SGID bits from non-essential binaries as these -are often used in privilege escalation attacks. - -#### File permission hardening - -Various file permissions are reset with more secure and hardened defaults. 
These -include but are not limited to: - -- Limiting `/home` and `/root` to the root only. -- Limiting crontab to root as well as all the configuration files for cron. -- Limiting the configuration for cups and ssh. -- Protecting the information of sudoers from others. -- Protecting various system-relevant files and modules. - -##### permission-hardener - -`permission-hardener` removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It is enabled by default -and applied at security-misc package installation and upgrade time. - -There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardener.service` as -root. The hardening at boot time is not the default because this slows down -the boot process too much. +A systemd service removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. It is disabled by +default for now during testing and can optionally be enabled by running +`systemctl enable permission-hardening.service` as root. See: -* `/usr/bin/permission-hardener` -* `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardener.service` -* `/etc/permission-hardener.d` +* `/usr/libexec/security-misc/permission-hardening` +* `/lib/systemd/system/permission-hardening.service` +* `/etc/permission-hardening.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener 
@@ -712,117 +365,56 @@ See: ## Application-specific hardening -- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -- Deactivates previews in Dolphin. -- Deactivates previews in Nautilus - - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -- Deactivates thumbnails in Thunar. - - Rationale: lower attack surface when using the file manager - - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 -- Thunderbird is hardened with the following options: - - Displays domain names in punycode to prevent IDN homograph attacks (a - form of phishing). - - Strips email client information from sent email headers. - - Strips user time information from sent email headers by replacing the - originating time zone with UTC and rounding the timestamp to the nearest - minute. - - Disables scripting when viewing PDF files. - - Disables implicit outgoing connections. - - Disables all and any kind of telemetry. -- Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. See also: - - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - - https://github.com/ioerror/torbirdy/pull/11 +* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +* Deactivates previews in Dolphin. +* Deactivates previews in Nautilus - +`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +* Deactivates thumbnails in Thunar. +* Displays domain names in punycode (`network.IDN_show_punycode`) in +Thunderbird to prevent IDN homograph attacks (a form of phishing). +* Security and privacy enhancements for gnupg's config file +`/etc/skel/.gnupg/gpg.conf`. 
See also: -### Project scope of application-specific hardening +https://raw.github.com/ioerror/torbirdy/master/gpg.conf -Added in December 2023. - -Before sending pull requests to harden arbitrary applications, please note the -scope of security-misc is limited to default installed applications in -Kicksecure and Whonix. This includes: - -- Thunderbird, VLC Media Player, KeePassXC -- Debian Specific System Components (APT, DPKG) -- System Services (NetworkManager IPv6 privacy options, MAC address - randomization) -- Actually used development utilities such as `git`. - -It will not be possible to review and merge "1500" settings profiles for -arbitrary applications outside of this context. - -The main objective of security-misc is to harden Kicksecure and its derivatives, -such as Whonix, by implementing robust security settings. It's designed to be -compatible with Debian, reflecting a commitment to clean implementation and -sound design principles. However, it's important to note that security-misc is a -component of Kicksecure, not a substitute for it. The intention isn't to -recreate Kicksecure within security-misc. Instead, specific security -enhancements, like recommending a curated list of security-focused -default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). - -Discussion: https://github.com/Kicksecure/security-misc/issues/154 - -### Development philosophy - -Added in December 2023. - -Maintainability is a key priority \[1\]. Before modifying settings in the -downstream security-misc, it's essential to first engage with upstream -developers to propose these changes as defaults. This step should only be -bypassed if there's a clear, prior indication from upstream that such changes -won't be accepted. Additionally, before implementing any workarounds, consulting -with upstream is necessary to avoid future unmaintainable complexity. 
- -If debugging features are disabled, pull requests won't be merged until there is -a corresponding pull request for the debug-misc package to re-enable these. This -is to avoid configuring the system into a corner where it can no longer be -debugged. - -\[1\] https://www.kicksecure.com/wiki/Dev/maintainability +https://github.com/ioerror/torbirdy/pull/11 ## Opt-in hardening Some hardening is opt-in as it causes too much breakage to be enabled by default. -- An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing another user's processes. This is disabled by - default because it is incompatible with `pkexec`. It can be enabled by - executing `systemctl enable proc-hidepid.service` as root. +* An optional systemd service mounts `/proc` with `hidepid=2` at boot to +prevent users from seeing another user's processes. This is disabled by +default because it is incompatible with `pkexec`. It can be enabled by +executing `systemctl enable proc-hidepid.service` as root. -- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and - `/sys` to the root user. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled - by executing `systemctl enable hide-hardware-info.service` as root. +* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and +`/sys` to the root user. This hides a lot of hardware identifiers from +unprivileged users and increases security as `/sys` exposes a lot of +information that shouldn't be accessible to unprivileged users. As this will +break many things, it is disabled by default and can optionally be enabled by +executing `systemctl enable hide-hardware-info.service` as root. 
-## Miscellaneous +## miscellaneous -- Hardened malloc compatibility for haveged workaround - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` +* hardened malloc compatibility for haveged workaround +`/lib/systemd/system/haveged.service.d/30_security-misc.conf` -- Set `dracut` `reproducible=yes` setting - -## Legal - -`/usr/lib/issue.d/20_security-misc.issue` - -https://github.com/Kicksecure/security-misc/pull/167 +* set `dracut` `reproducible=yes` setting ## Related -- Linux Kernel Runtime Guard (LKRG) -- tirdad - TCP ISN CPU Information Leak Protection. -- Kicksecure (TM) - a security-hardened Linux Distribution -- And more. -- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -- https://github.com/Kicksecure/tirdad -- https://www.kicksecure.com -- https://github.com/Kicksecure +* Linux Kernel Runtime Guard (LKRG) +* tirdad - TCP ISN CPU Information Leak Protection. +* Kicksecure (TM) - a security-hardened Linux Distribution +* And more. +* https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +* https://github.com/Kicksecure/tirdad +* https://www.kicksecure.com +* https://github.com/Kicksecure ## Discussion 
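Review bot: The Application-specific hardening part of this hunk reduces the Thunderbird bullet to punycode display only, dropping the documented stripping of client information and time zone from sent headers, the PDF scripting, implicit outgoing connection and telemetry settings, and it removes the Project scope, Development philosophy and Legal sections (`/usr/lib/issue.d/20_security-misc.issue`, PR #167); if those settings and files still ship, the README now understates what the package changes on a system, and the contributor guidance about proposing changes upstream first and pairing debugging restrictions with a debug-misc pull request is lost. Style: the heading is lowercased to `## miscellaneous` and its bullets start with lowercase "hardened" and "set" while every other heading and bullet in the file is capitalised, and the wrapped continuation lines of the `+` bullets drop their two-space indent except the first `apt-get --error-on=any` bullet, so pick one convention for the list.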
@@ -838,23 +430,20 @@ See https://www.kicksecure.com/wiki/Security-misc#install Can be build using standard Debian package build tools such as: - dpkg-buildpackage -b +``` +dpkg-buildpackage -b +``` -See instructions. (Replace `generic-package` with the actual name of this -package `security-misc`.) +See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) -- **A)** - [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), - *OR* -- **B)** [including verifying software - signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact -- [Free Forum Support](https://forums.kicksecure.com) -- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) +* [Free Forum Support](https://forums.kicksecure.com) +* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to -stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! diff --git a/README_generic.md b/README_generic.md index 787af72..95a324f 100644 --- a/README_generic.md +++ b/README_generic.md @@ -1,8 +1,8 @@ # Enhances Miscellaneous Security Settings # -https://github.com/Kicksecure/security-misc/blob/master/README.md +https://github.com/Whonix/security-misc/blob/master/README.md -https://www.kicksecure.com/wiki/Security-misc +https://www.whonix.org/wiki/Security-misc Discussion: 
@@ -14,12 +14,12 @@ https://forums.whonix.org/t/kernel-hardening/7296 1\. Download the APT Signing Key. ``` -wget https://www.kicksecure.com/keys/derivative.asc +wget https://www.kicksecure.com/derivative.asc ``` Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. -2\. Add the APT Signing Key. +2\. Add the APT Signing Key.. ``` sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc @@ -28,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc 3\. Add the derivative repository. ``` -echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. @@ -61,7 +61,7 @@ NOTE: Replace `generic-package` with the actual name of this package `security-m ## Contact ## * [Free Forum Support](https://forums.kicksecure.com) -* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support) +* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate ## diff --git a/bin/disabled-bluetooth-by-security-misc b/bin/disabled-bluetooth-by-security-misc new file mode 100755 index 0000000..55b1e63 --- /dev/null +++ b/bin/disabled-bluetooth-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
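Review bot: The README_generic.md hunks point the project links at `https://github.com/Whonix/security-misc` and `https://www.whonix.org/wiki/Security-misc` while the same file's Contact section and README.md still link kicksecure.com, change the key download from `https://www.kicksecure.com/keys/derivative.asc` to `https://www.kicksecure.com/derivative.asc`, and change the repository suite from `bookworm` to `bullseye`; if the URL without `/keys/` does not resolve or the `bullseye` suite is no longer published, steps 1 and 3 of the install instructions break, so please confirm both against the live repository before merging. Also "Add the APT Signing Key.." now ends with a double period.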
diff --git a/bin/disabled-cdrom-by-security-misc b/bin/disabled-cdrom-by-security-misc new file mode 100755 index 0000000..9efd765 --- /dev/null +++ b/bin/disabled-cdrom-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-filesys-by-security-misc b/bin/disabled-filesys-by-security-misc new file mode 100755 index 0000000..50dd638 --- /dev/null +++ b/bin/disabled-filesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-firewire-by-security-misc b/bin/disabled-firewire-by-security-misc new file mode 100755 index 0000000..ca04ab1 --- /dev/null +++ b/bin/disabled-firewire-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-intelme-by-security-misc b/bin/disabled-intelme-by-security-misc new file mode 100755 index 0000000..108cc81 --- /dev/null 
+++ b/bin/disabled-intelme-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-msr-by-security-misc b/bin/disabled-msr-by-security-misc new file mode 100755 index 0000000..2c5e6e1 --- /dev/null +++ b/bin/disabled-msr-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-netfilesys-by-security-misc b/bin/disabled-netfilesys-by-security-misc new file mode 100755 index 0000000..5c15b39 --- /dev/null +++ b/bin/disabled-netfilesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-network-by-security-misc b/bin/disabled-network-by-security-misc new file mode 100755 index 0000000..d2ae58c --- /dev/null +++ b/bin/disabled-network-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-thunderbolt-by-security-misc b/bin/disabled-thunderbolt-by-security-misc new file mode 100755 index 0000000..e086d4a --- /dev/null +++ b/bin/disabled-thunderbolt-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/bin/disabled-vivid-by-security-misc b/bin/disabled-vivid-by-security-misc new file mode 100755 index 0000000..ed1487f --- /dev/null +++ b/bin/disabled-vivid-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 diff --git a/changelog.upstream b/changelog.upstream index d2432d7..b62a2f1 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,6780 +1,3 @@ -commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 -Author: Patrick Schleizer -Date: Fri Apr 25 05:51:21 2025 -0400 - - comments - -commit ba1012ca8767baf34ed762d80b25b03bb70e6765 -Author: Patrick Schleizer -Date: Fri Apr 25 08:19:35 2025 +0000 - - bumped changelog version - -commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 -Author: Patrick Schleizer -Date: Fri Apr 25 03:11:27 2025 -0400 - - output - -commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 -Merge: e154d0a 612f5f9 -Author: Patrick Schleizer -Date: Fri Apr 25 02:59:09 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' - -commit 612f5f92fde236b86928428fd0247c8e971b0460 -Author: Aaron Rainbolt -Date: Thu Apr 24 20:01:35 2025 -0500 - - Fix umask for pkexec-run commands - -commit e154d0af6dd41e392122fbe3d09219734c5ad588 -Author: Patrick Schleizer -Date: Mon Apr 21 10:21:54 2025 +0000 - - bumped changelog version - -commit 4bf0e3a63667c284d053e5b8517440a884a42441 -Author: Patrick Schleizer -Date: Mon Apr 21 04:57:07 2025 -0400 - - comments - -commit 502f5953c734346edc680a0b898b435e6c6f6e27 -Author: Patrick Schleizer -Date: Mon Apr 21 04:55:19 2025 -0400 - - comments - -commit abb0c83619b820b7b66258efa9e141850eaa8b6c -Author: Patrick Schleizer -Date: Mon Apr 21 04:54:06 2025 -0400 - - comments - -commit efa2967fca36c776d43419dd5bf12696bc61c426 -Author: Patrick Schleizer -Date: Mon Apr 21 04:53:04 2025 -0400 - - comments - -commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 -Author: Patrick Schleizer -Date: Sat Apr 19 17:33:56 2025 +0000 - - bumped changelog version - -commit 9948ae114d4c6bbd650022c9985137c0fdea5675 -Author: Patrick Schleizer -Date: Sat Apr 19 13:24:17 2025 -0400 - - fix - -commit 4aca622706f33e85832e67650259a7751ba87a72 -Author: Patrick Schleizer -Date: Sat Apr 19 13:23:26 2025 -0400 - - fix - -commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a -Author: Patrick Schleizer -Date: Sat Apr 19 13:20:04 2025 -0400 - - output - -commit 
a670c0d873eba8d84bde90ebbeecc7aecc22349e -Author: Patrick Schleizer -Date: Sat Apr 19 13:18:23 2025 -0400 - - comment - -commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db -Author: Patrick Schleizer -Date: Sat Apr 19 13:17:28 2025 -0400 - - make `/usr/libexec/security-misc/apt-get-update` more reliable - -commit c4f0e1d16f6999b055b0fa310456870f12a6dbea -Author: Patrick Schleizer -Date: Sat Apr 19 12:57:14 2025 -0400 - - refactoring - -commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 -Author: Patrick Schleizer -Date: Sat Apr 19 12:55:32 2025 -0400 - - refactoring - -commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 -Author: Patrick Schleizer -Date: Sat Apr 19 12:49:18 2025 -0400 - - refactoring - -commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 -Author: Patrick Schleizer -Date: Sat Apr 19 12:47:40 2025 -0400 - - /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` - - to avoid permission issues - -commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c -Author: Patrick Schleizer -Date: Sat Apr 19 12:45:06 2025 -0400 - - refactoring - -commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 -Author: Patrick Schleizer -Date: Sat Apr 19 12:43:15 2025 -0400 - - cleanup - -commit 7512aa67572c97267fd176e63ae4862b6d37f8ae -Author: Patrick Schleizer -Date: Tue Apr 15 20:59:37 2025 +0000 - - bumped changelog version - -commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe -Merge: 5e88dfe 9f2836d -Author: Patrick Schleizer -Date: Tue Apr 15 15:27:10 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9f2836d2baae900222cbae74d7a32bcdc69e589f -Merge: 5e88dfe aa0ffff -Author: Patrick Schleizer -Date: Tue Apr 15 15:17:25 2025 -0400 - - Merge pull request #304 from raja-grewal/stop_pstore - - Disable PStore - -commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 -Author: Patrick Schleizer -Date: Thu Apr 10 11:38:17 2025 +0000 - - bumped changelog version - -commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 -Merge: da9dd3c 74ca63d 
-Author: Patrick Schleizer -Date: Thu Apr 10 06:07:55 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' - -commit 74ca63d12c716017d022f5dfc5348ae7b787e220 -Author: Aaron Rainbolt -Date: Wed Apr 9 21:01:41 2025 -0500 - - Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" - -commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 -Author: raja-grewal -Date: Thu Apr 10 11:49:45 2025 +1000 - - README.md: Revert error - -commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e -Author: Patrick Schleizer -Date: Wed Apr 9 15:16:00 2025 +0000 - - bumped changelog version - -commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d -Author: Patrick Schleizer -Date: Wed Apr 9 09:47:52 2025 -0400 - - newline at the end - -commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 -Author: Patrick Schleizer -Date: Tue Apr 8 14:08:24 2025 +0000 - - bumped changelog version - -commit 39f4f5b60739c387f02970018e14f1ae93677e00 -Author: Patrick Schleizer -Date: Tue Apr 8 06:53:08 2025 -0400 - - comments - -commit 173606891ad0c064a22b4ec0aee772105d8be54a -Author: Patrick Schleizer -Date: Tue Apr 8 06:48:29 2025 -0400 - - output - -commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 -Author: raja-grewal -Date: Sun Mar 16 03:31:24 2025 +0000 - - README: Fix a few links - -commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce -Author: raja-grewal -Date: Sun Mar 16 03:30:04 2025 +0000 - - Set `efi_pstore.pstore_disable=1` - -commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df -Author: raja-grewal -Date: Sun Mar 16 03:28:39 2025 +0000 - - Disable pstore processing by systemd-pstore service - -commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb -Author: Patrick Schleizer -Date: Mon Mar 3 11:00:38 2025 +0000 - - bumped changelog version - -commit cd0ba94ac5e7e8360183ac6f440d941b4067025b -Author: Patrick Schleizer -Date: Mon Mar 3 05:57:59 2025 -0500 - - no longer disable `vivid` kernel module by default, - because it breaks Qubes Video Companion - - Thanks to @marmarek for the bug 
report! - - https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 - - fixes https://github.com/Kicksecure/security-misc/issues/298 - -commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c -Author: Patrick Schleizer -Date: Sun Feb 9 23:04:36 2025 +0000 - - bumped changelog version - -commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc -Merge: 2a4a228 4d62ee3 -Author: Patrick Schleizer -Date: Sun Feb 9 18:01:43 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4d62ee3ab31bde80eebde265c2513233f10f751a -Merge: 2a4a228 ce4b57d -Author: Patrick Schleizer -Date: Sun Feb 9 18:00:59 2025 -0500 - - Merge pull request #297 from raja-grewal/warn_path - - Update docs on kernel panics - -commit ce4b57d1cb179f18c1ac41681626d01054355fe6 -Author: raja-grewal -Date: Mon Feb 3 00:31:45 2025 +0000 - - Update docs on kernel panics - -commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 -Author: Patrick Schleizer -Date: Fri Jan 31 19:38:42 2025 +0000 - - bumped changelog version - -commit 041caf286b343268e6db69f2957f23c1dd20812a -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:54 2025 -0500 - - update pkg_installed function - -commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:17 2025 -0500 - - comment - -commit c0f2f110146410428fc12815b30aaba67ff16126 -Author: Patrick Schleizer -Date: Thu Jan 30 12:58:48 2025 +0000 - - bumped changelog version - -commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d -Author: Patrick Schleizer -Date: Thu Jan 30 07:53:04 2025 -0500 - - LC_ALL=C - -commit 7c150d116d1d1f95e2fb729934906eb4391a389a -Author: Patrick Schleizer -Date: Thu Jan 30 07:45:08 2025 -0500 - - LANG=C str_replace: no longer requires LANG=C, therefore removed - -commit 6aaf7082177fe4d02415aac4317cde74665f495c -Author: Patrick Schleizer -Date: Wed Jan 29 14:36:41 2025 +0000 - - bumped changelog version - -commit 10508cb5801c28f8fff306957e867a1626aa6489 -Merge: 6b4fa1e b9dee26 -Author: Patrick Schleizer -Date: 
Wed Jan 29 09:36:28 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b9dee2633128577245763bad41cf3cb6b49751f3 -Merge: 6b4fa1e 4b1e530 -Author: Patrick Schleizer -Date: Wed Jan 29 09:35:50 2025 -0500 - - Merge pull request #296 from raja-grewal/cpu_details - - Hardware-related Documentation - -commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 -Author: Patrick Schleizer -Date: Thu Jan 23 16:28:58 2025 +0000 - - bumped changelog version - -commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 -Author: Patrick Schleizer -Date: Thu Jan 23 11:12:26 2025 -0500 - - copyright - -commit 3c18734db32b2d19c3a30e282435f083d307d86e -Author: Patrick Schleizer -Date: Wed Jan 22 14:11:21 2025 +0000 - - bumped changelog version - -commit f90ffacac3d3c12f62f62106a69cb6caeca69041 -Author: Patrick Schleizer -Date: Wed Jan 22 09:09:56 2025 -0500 - - bump permission hardner migration code version - -commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 -Author: Patrick Schleizer -Date: Wed Jan 22 09:05:50 2025 -0500 - - bump permission hardner migration code version - -commit d5ad29a7324dfbece3185026a3f4c58121c453b6 -Author: Patrick Schleizer -Date: Wed Jan 22 09:04:44 2025 -0500 - - add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file - -commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 -Author: Patrick Schleizer -Date: Wed Jan 22 13:52:29 2025 +0000 - - bumped changelog version - -commit 80bd314436b99b723359f25e52bbd14683929b56 -Author: Patrick Schleizer -Date: Wed Jan 22 08:25:14 2025 -0500 - - add `.whonix` files to hardcoded files - -commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 -Merge: 507130a 42f34f5 -Author: Patrick Schleizer -Date: Wed Jan 22 08:23:49 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' - -commit 507130a1cc0592bd4a4b280da7496dade470e637 -Merge: f1b6bff ed767e0 -Author: Patrick Schleizer -Date: Wed Jan 22 08:21:39 2025 -0500 - - Merge remote-tracking branch 
'ArrayBolt3/arraybolt3/permission-hardener-diag' - -commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba -Author: Aaron Rainbolt -Date: Tue Jan 21 21:49:03 2025 -0600 - - Don't handle files with multiple hardlinks - -commit 5e60416c864a7d06f635161a185864fc36d5685c -Author: Aaron Rainbolt -Date: Tue Jan 21 21:05:03 2025 -0600 - - Make permission-hardener always apply changes to real files, not symlinks - -commit ed767e00b0260d29c18c710efe07d68a9beffb34 -Author: Aaron Rainbolt -Date: Tue Jan 21 16:41:30 2025 -0600 - - Add some local variable declarations - -commit 4b1e530674146d4d2b62ff4a87fe3add5667403c -Author: raja-grewal -Date: Tue Jan 21 12:39:06 2025 +0000 - - README.md: List CPU mitigations - -commit 15d13a8571d1f38b2bc36387f61bce24c86be97b -Author: raja-grewal -Date: Tue Jan 21 12:36:04 2025 +0000 - - Add info on DBX updates via the UEFI Revocation List - -commit a97620a2e491cc039adb15af94958f26b39319a2 -Author: Aaron Rainbolt -Date: Mon Jan 20 22:43:55 2025 -0600 - - Add print-diagnostics command to permission-hardener - -commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c -Author: Patrick Schleizer -Date: Mon Jan 20 11:35:08 2025 +0000 - - bumped changelog version - -commit df9d058ed9635b168508ded20277c174a24cf3f5 -Author: Patrick Schleizer -Date: Mon Jan 20 06:28:16 2025 -0500 - - usrmerge - -commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 -Author: Patrick Schleizer -Date: Mon Jan 20 10:11:43 2025 +0000 - - bumped changelog version - -commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 -Author: Patrick Schleizer -Date: Mon Jan 20 04:30:26 2025 -0500 - - delete comment only configuration file (moved to user-sysmaint-split) - -commit 1b4d1edfc316f125ff5039bf17897802205750e2 -Author: Patrick Schleizer -Date: Mon Jan 20 04:29:42 2025 -0500 - - comments - -commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 -Author: Patrick Schleizer -Date: Fri Jan 17 13:35:28 2025 +0000 - - bumped changelog version - -commit 876d596a071ac916f7d220ee2449358aedba7efe -Author: Patrick Schleizer 
-Date: Fri Jan 17 07:55:54 2025 -0500 - - comment - -commit c9e2f82bd01813682998c775f75bac0841239e5e -Merge: 5971869 bf73f1f -Author: Patrick Schleizer -Date: Fri Jan 17 07:53:59 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb -Author: Aaron Rainbolt -Date: Wed Jan 15 19:10:41 2025 -0600 - - Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst - -commit 597186972e463ce7a0b44662f7656f351ddf1030 -Author: Patrick Schleizer -Date: Wed Jan 15 15:02:44 2025 +0000 - - bumped changelog version - -commit ca257164105c4f66576024b64c52a42921455d16 -Author: Patrick Schleizer -Date: Wed Jan 15 09:44:48 2025 -0500 - - improve permission hardener migration code - -commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d -Merge: a84d3ba 328f747 -Author: Patrick Schleizer -Date: Wed Jan 15 09:33:57 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' - -commit 328f747179ffb2e7705a73bc9a0c5133a17da829 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:35:28 2025 -0600 - - Restore permission-hardener's notice about how to compare old and new states - -commit c6f09748f383fdf7c1b07441c73477b3f18d2768 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:27:53 2025 -0600 - - Handle de-corruption of new_mode a bit better - -commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 -Author: Aaron Rainbolt -Date: Tue Jan 14 19:25:15 2025 -0600 - - De-corrupt the new_mode permission-hardener statoverride database too - -commit 396372c1295e2a09d596f3e23fccc26794a26f05 -Author: Aaron Rainbolt -Date: Tue Jan 14 18:50:24 2025 -0600 - - Avoid scanning unnecessary packages for modified permission-hardener config - -commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 -Author: Patrick Schleizer -Date: Tue Jan 14 14:32:13 2025 +0000 - - bumped changelog version - -commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:31:58 2025 -0500 - - 
debconf-updatepo - -commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee -Author: Patrick Schleizer -Date: Tue Jan 14 14:30:58 2025 +0000 - - bumped changelog version - -commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 -Author: Patrick Schleizer -Date: Tue Jan 14 09:30:46 2025 -0500 - - output - -commit 876c0b618785fc71d1d399ff7ab649382104a714 -Author: Patrick Schleizer -Date: Tue Jan 14 09:29:35 2025 -0500 - - output - -commit c46178dee46f88e8d0007a12a48addc2493faab7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:27:37 2025 -0500 - - output - -commit f3c07a2451fd2818daca6bc248cbbcba213516e7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:24:06 2025 -0500 - - update link - -commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 -Author: Patrick Schleizer -Date: Tue Jan 14 14:16:45 2025 +0000 - - bumped changelog version - -commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:16:25 2025 -0500 - - debhelper - -commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f -Author: Patrick Schleizer -Date: Tue Jan 14 14:07:50 2025 +0000 - - bumped changelog version - -commit 0a2f06b456854f1cec3ff93952edef928ac7a184 -Author: Patrick Schleizer -Date: Tue Jan 14 09:07:32 2025 -0500 - - use pre.bsh - -commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 -Author: Patrick Schleizer -Date: Tue Jan 14 14:06:50 2025 +0000 - - bumped changelog version - -commit e60183ec073d278f8d69a5475aa52d75870cd9b0 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:41 2025 -0500 - - output - -commit a812961beabacca052b4b25b78ecd2c35184d5d5 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:12 2025 -0500 - - verbose - -commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 -Author: Patrick Schleizer -Date: Tue Jan 14 13:53:49 2025 +0000 - - bumped changelog version - -commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a -Author: Patrick Schleizer -Date: Tue Jan 14 08:53:38 2025 -0500 - - fix - -commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 -Author: Patrick Schleizer -Date: Tue Jan 14 
09:26:05 2025 +0000 - - bumped changelog version - -commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 -Author: Patrick Schleizer -Date: Tue Jan 14 04:13:39 2025 -0500 - - comment - -commit 6d282226ef653accf1de32582b999ff31775f60f -Author: Patrick Schleizer -Date: Tue Jan 14 04:12:12 2025 -0500 - - comment - -commit 466308e4f9ebd496ff54dd9f77881ce10a558802 -Author: Patrick Schleizer -Date: Tue Jan 14 04:09:57 2025 -0500 - - permission hardener: disable SUID for `chrome-sandbox` - -commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 -Author: Patrick Schleizer -Date: Tue Jan 14 04:06:44 2025 -0500 - - permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` - - This might break SSH host-based authentication. - -commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e -Author: Patrick Schleizer -Date: Tue Jan 14 04:04:09 2025 -0500 - - comment - -commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 -Author: Patrick Schleizer -Date: Tue Jan 14 03:56:55 2025 -0500 - - comment - -commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba -Author: Patrick Schleizer -Date: Tue Jan 14 03:54:35 2025 -0500 - - comment - -commit fce6a5f8303cd891efd8bbfef861e357dc90e88e -Author: Patrick Schleizer -Date: Tue Jan 14 03:51:43 2025 -0500 - - comment - -commit 1e9940481318d8d7a443b98f0906089759f27a5d -Author: Patrick Schleizer -Date: Tue Jan 14 03:50:16 2025 -0500 - - comment - -commit b198591537a01f5b35c9301ca28a24c70864bcbd -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:42 2025 -0500 - - comment - -commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:15 2025 -0500 - - usrmerge - -commit 7e7632a55396e10e20a6e9d8d563011694cccc85 -Author: Patrick Schleizer -Date: Tue Jan 14 08:24:05 2025 +0000 - - bumped changelog version - -commit 420cb3f86f69c4505702a8f38271fb095316cb6f -Author: Patrick Schleizer -Date: Tue Jan 14 03:19:21 2025 -0500 - - refactoring - -commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 -Author: Patrick Schleizer -Date: Tue 
Jan 14 03:18:17 2025 -0500 - - refactoring - -commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 -Author: Patrick Schleizer -Date: Tue Jan 14 03:17:00 2025 -0500 - - refactoring - -commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad -Merge: de1f31e de9ebab -Author: Patrick Schleizer -Date: Tue Jan 14 03:15:45 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' - -commit de9ebabd46798ff2afa259907b6a7b976070e7f0 -Author: Aaron Rainbolt -Date: Mon Jan 13 21:57:10 2025 -0600 - - Fix minor migration bugs, don't run the migration code on new image builds - -commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a -Author: Aaron Rainbolt -Date: Sun Jan 12 21:13:43 2025 -0600 - - Prevent installation failures when installing non-interactively - -commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 -Author: Aaron Rainbolt -Date: Sun Jan 12 20:40:41 2025 -0600 - - Add a forgotten set -e - -commit 07786de03953b91310588e0b37b9e150bf1b4736 -Author: Aaron Rainbolt -Date: Sun Jan 12 19:34:41 2025 -0600 - - Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 - -commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 -Author: Patrick Schleizer -Date: Sun Jan 12 11:47:18 2025 +0000 - - bumped changelog version - -commit b0baa8baa57937358dc988b88adab4858a1d8cae -Author: Patrick Schleizer -Date: Sun Jan 12 05:38:35 2025 -0500 - - add link - -commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 -Author: Patrick Schleizer -Date: Sun Jan 12 05:36:16 2025 -0500 - - formatting. 
- - use chapter to make allow for deep linking - -commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 -Author: Patrick Schleizer -Date: Fri Jan 10 15:34:21 2025 +0000 - - bumped changelog version - -commit c17485baa118e76cc8074ce3e72ac3ac38c577cd -Merge: 482960d e9ef360 -Author: Patrick Schleizer -Date: Fri Jan 10 10:32:26 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e9ef3602dd1661de0c0c3781d7e0246720643354 -Merge: 1b33e83 cf435a8 -Author: Patrick Schleizer -Date: Fri Jan 10 10:30:34 2025 -0500 - - Merge pull request #292 from raja-grewal/cpu_table - - Add link to tabular comparison of CPU mitigations - -commit 1b33e83529d652dab4468e0b386e333b3ca4745b -Merge: 486757b 2e6e170 -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:30 2025 -0500 - - Merge pull request #291 from raja-grewal/drop_gratuitous_arp - - Drop gratuitous ARP packets - -commit 486757bfae5e7ecc389b16c49704e742fd267565 -Merge: 17ff249 c37f4ef -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:12 2025 -0500 - - Merge pull request #290 from raja-grewal/arp_ignore - - Respond to ARP requests only if the target IP address is on-link - -commit 17ff24915062736a32d4d54da7163fe34aa70fd3 -Merge: 27d19ba 1f8eee4 -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:48 2025 -0500 - - Merge pull request #289 from raja-grewal/arp_filter - - Enable ARP filtering - -commit 27d19ba568e601c37035a310ae6cdd7d953be286 -Merge: 482960d 5e3785d -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:05 2025 -0500 - - Merge pull request #288 from raja-grewal/shared_media - - Deny sending and receiving shared media redirects - -commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 -Author: Patrick Schleizer -Date: Fri Jan 10 10:21:12 2025 -0500 - - permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration - - https://github.com/Kicksecure/security-misc/pull/294 - -commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c -Author: raja-grewal -Date: Fri Jan 10 13:22:21 2025 
+1100 - - README.md: Note importance of microcode updates - -commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 -Merge: c4cfb85 5941195 -Author: Patrick Schleizer -Date: Thu Jan 9 09:30:58 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' - -commit 538b312349a97bcecb12e62519d77840afcd6ca3 -Author: raja-grewal -Date: Thu Jan 9 15:28:56 2025 +1100 - - Add comment about microcode updates - -commit 1f8eee47200221e2e38291a31e852e9c222d8c64 -Author: raja-grewal -Date: Wed Jan 8 18:36:00 2025 +1100 - - Add missing sentence full stop - -commit 5e3785d76e616f49407e720b37138f35a50fe4fb -Author: raja-grewal -Date: Wed Jan 8 18:35:52 2025 +1100 - - README.md: Remove double space - -commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb -Author: Aaron Rainbolt -Date: Tue Jan 7 14:10:46 2025 -0600 - - Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory - -commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 -Merge: c6be621 93ebf17 -Author: Patrick Schleizer -Date: Mon Jan 6 08:43:54 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' - -commit c6be621968c898f792ef1a450d2e1be5cd6056da -Author: Patrick Schleizer -Date: Mon Jan 6 10:31:40 2025 +0000 - - bumped changelog version - -commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 -Author: Patrick Schleizer -Date: Mon Jan 6 05:29:40 2025 -0500 - - increase priority of pam wheel so it is checked even before faillock - - in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later - be rejected tu to lack of group membership - -commit d4767b75206b46f1a006cd91b00239a7b828fc89 -Author: Patrick Schleizer -Date: Mon Jan 6 04:24:44 2025 -0500 - - fix: apply PAM wheal only to `su` PAM service - -commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff -Author: Aaron Rainbolt -Date: Thu Jan 2 20:41:40 2025 -0500 - - Make the main 
field count check in permission-hardener a bit more elegant - -commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc -Merge: 717e6fc 40b23cf -Author: Aaron Rainbolt -Date: Wed Jan 1 15:04:01 2025 -0600 - - Merge branch 'master' into arraybolt3/permission-hardener-refactor - -commit 40b23cfad40825eefc3686e562d78250b58bbc82 -Author: Patrick Schleizer -Date: Tue Dec 31 18:42:01 2024 +0000 - - bumped changelog version - -commit 33114f771aaeb4dccb0b465861d1239129deb8b2 -Author: Patrick Schleizer -Date: Tue Dec 31 13:26:21 2024 -0500 - - copyright - -commit bb24bff2965ca31de6337820eafd787a11a44a2b -Author: Patrick Schleizer -Date: Tue Dec 31 14:09:34 2024 +0000 - - bumped changelog version - -commit 0640964c35b0d977ba718629d4a8791e67700202 -Author: Patrick Schleizer -Date: Tue Dec 31 06:14:29 2024 -0500 - - readme - -commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 -Author: Aaron Rainbolt -Date: Mon Dec 30 19:23:20 2024 -0600 - - Post-review improvements to permission-hardener - -commit dbcb612517abbf8d162cfb31ba0585c518df8817 -Author: Aaron Rainbolt -Date: Wed Dec 25 19:48:28 2024 -0600 - - Polish permission-hardener refactor - -commit 397b476a822c9f7e41ec911f5d689b67026660ad -Author: Patrick Schleizer -Date: Thu Dec 26 04:12:02 2024 +0000 - - bumped changelog version - -commit 66f8c18c65f33676d242b57ebb1d4410876461b3 -Merge: aa82202 6602fb1 -Author: Patrick Schleizer -Date: Wed Dec 25 22:43:04 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 83d386795940099e0835c51f3522aae3d9217dc8 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:14:57 2024 -0600 - - Refactor permission-hardener to be more idempotent - -commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:52:34 2024 -0600 - - Adjust pam-info messaging for sysmaint mode - -commit aa82202e701167eacb63eac208469844e983ca43 -Author: Patrick Schleizer -Date: Tue Dec 24 05:16:22 2024 +0000 - - bumped changelog version - -commit 
27d015d58ebc5e750d9d06f042b761720473941d -Merge: 3c73c0c 2f3a2bc -Author: Patrick Schleizer -Date: Tue Dec 24 00:08:58 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc -Author: Aaron Rainbolt -Date: Fri Dec 20 11:04:22 2024 -0600 - - Add warning about using non-sysmaint accounts in sysmaint mode - -commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 -Author: Patrick Schleizer -Date: Fri Dec 20 06:01:27 2024 +0000 - - bumped changelog version - -commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 -Author: Patrick Schleizer -Date: Fri Dec 20 01:01:13 2024 -0500 - - syntax fix - -commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df -Author: Patrick Schleizer -Date: Fri Dec 20 05:58:24 2024 +0000 - - bumped changelog version - -commit b21c394ea52401c0d77b6ec396af6a49335f5e0b -Author: Patrick Schleizer -Date: Fri Dec 20 00:56:20 2024 -0500 - - Trigger permission hardener when new configuration files are being installed. - -commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 -Author: Patrick Schleizer -Date: Fri Dec 20 05:48:48 2024 +0000 - - bumped changelog version - -commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 -Author: Patrick Schleizer -Date: Fri Dec 20 00:41:06 2024 -0500 - - move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` - -commit a2c1e8c218117a47ef70dd767d753be5d084adfa -Author: Patrick Schleizer -Date: Fri Dec 20 00:39:51 2024 -0500 - - clean up old files in `/etc/permission-hardener.d` - because will be moved to `/usr/lib/permission-hardener.d` - -commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 -Author: Patrick Schleizer -Date: Fri Dec 20 00:37:44 2024 -0500 - - permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder - -commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 -Author: Patrick Schleizer -Date: Thu Dec 19 10:58:50 2024 +0000 - - bumped changelog version - -commit 642b4eeedc43e69bb82ea259b52c0946ce638983 -Author: raja-grewal -Date: Thu Dec 19 
21:57:25 2024 +1100 - - Add link to tabular comparison of CPU mitigations - -commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:50 2024 -0500 - - use long option name - -commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 -Merge: 95b5357 9d69cd1 -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2e6e1701a052ef32711f6c3abaad693a773323f6 -Author: raja-grewal -Date: Thu Dec 19 10:35:08 2024 +0000 - - Set `net.ipv4.conf.*.drop_gratuitous_arp=1` - -commit c37f4efadf8f046168732871172cb66f58eb7c78 -Author: raja-grewal -Date: Thu Dec 19 10:33:49 2024 +0000 - - Set `net.ipv4.conf.*.arp_ignore=2` - -commit af1d06973bdd46af3e39b0bdfda81b950ccac996 -Author: raja-grewal -Date: Thu Dec 19 10:31:43 2024 +0000 - - Set `net.ipv4.conf.*.arp_filter=1` - -commit 750367a9066ca2a0ff819b438a92cb1f6c325edb -Author: raja-grewal -Date: Thu Dec 19 10:29:56 2024 +0000 - - Set `net.ipv4.conf.*.shared_media=0` - -commit 95b535764c8a98b67a71ee1fd57b7f01da464106 -Author: Patrick Schleizer -Date: Thu Dec 19 09:43:26 2024 +0000 - - bumped changelog version - -commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 -Author: Patrick Schleizer -Date: Thu Dec 19 04:39:34 2024 -0500 - - fix apt-get-update for non-English locale - - https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 - -commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 -Author: Patrick Schleizer -Date: Thu Dec 19 06:57:42 2024 +0000 - - bumped changelog version - -commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d -Merge: f0c611d c7f7196 -Author: Patrick Schleizer -Date: Thu Dec 19 00:34:56 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit c7f7196471b07a580c6d4a5d86739215508142cd -Merge: e5b67e0 3749f8f -Author: Patrick Schleizer -Date: Thu Dec 19 00:31:25 2024 
-0500 - - Merge pull request #287 from raja-grewal/patch - - Refactor and add two CPU mitigations - -commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a -Author: Patrick Schleizer -Date: Thu Dec 19 00:18:25 2024 -0500 - - comment - -commit 4f681be77429984695a1b0f689065051884e7bf7 -Merge: 4c3ca68 4cf5757 -Author: Patrick Schleizer -Date: Thu Dec 19 00:17:44 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e5b67e044bb5011dd667879a73a670f2c5f74057 -Merge: 4cf5757 c116796 -Author: Patrick Schleizer -Date: Thu Dec 19 00:15:02 2024 -0500 - - Merge pull request #279 from raja-grewal/arp - - Provide network-related hardening options via `sysctl`'s - -commit 4cf5757575c1257a14331f0169a9d8d163e1326d -Merge: 9d06341 1708a03 -Author: Patrick Schleizer -Date: Thu Dec 19 00:08:56 2024 -0500 - - Merge pull request #282 from ArrayBolt3/arraybolt3/umask - - Enable umask hardening - -commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 -Author: Aaron Rainbolt -Date: Wed Dec 18 21:34:16 2024 -0600 - - Add sysmaint account lock detection - -commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 -Author: raja-grewal -Date: Wed Dec 18 03:36:09 2024 +0000 - - Update presentation on user namespaces - -commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 -Author: raja-grewal -Date: Wed Dec 18 03:32:35 2024 +0000 - - Minor additions - -commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 -Author: raja-grewal -Date: Tue Dec 17 11:44:11 2024 +0000 - - Enable `kvm.mitigate_smt_rsb=1` - -commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 -Author: raja-grewal -Date: Tue Dec 17 11:42:52 2024 +0000 - - Enable `kvm-intel.vmentry_l1d_flush=always` - -commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 -Author: raja-grewal -Date: Tue Dec 17 11:42:03 2024 +0000 - - Refactor CPU mitigations - -commit 943c421889ce5dfe3869380e4587ca22724f2ce7 -Author: raja-grewal -Date: Tue Dec 17 11:40:38 2024 +0000 - - Minor refactoring - -commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 -Author: raja-grewal -Date: Tue 
Dec 17 11:37:10 2024 +0000 - - Typo - -commit 4c3ca68453b44074025a1ec9f31451c57344f3cf -Author: Aaron Rainbolt -Date: Mon Dec 9 12:37:11 2024 -0600 - - Disable unnecessary sudoers exceptions - -commit 9d06341c91b51f9c737fe67457045924323635f0 -Merge: a9dd592 5b88e92 -Author: Patrick Schleizer -Date: Sat Dec 14 15:18:56 2024 -0500 - - Merge pull request #285 from Kicksecure/permission-hardener-mount - - Permission Hardener: treat mount same as umount - -commit c1167968542a62d0677517e11505f6e9222ec378 -Author: raja-grewal -Date: Thu Dec 12 06:36:47 2024 +0000 - - `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details - -commit a9dd592a8b49226f326e90111178aebba3cc144f -Author: Patrick Schleizer -Date: Tue Dec 10 19:19:10 2024 +0000 - - bumped changelog version - -commit 58722324ec0be98c3e44938df8cb60ca9b261210 -Merge: 518224b 439fa7f -Author: Patrick Schleizer -Date: Tue Dec 10 14:18:50 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' - -commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 -Author: Patrick Schleizer -Date: Tue Dec 10 19:17:10 2024 +0000 - - bumped changelog version - -commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 -Author: Aaron Rainbolt -Date: Sun Dec 8 03:21:27 2024 -0600 - - Harden/disable recovery mode options - -commit 7902311c570edd4286ba36f0cb85223d1e909a03 -Author: Patrick Schleizer -Date: Sat Dec 7 04:54:47 2024 -0500 - - do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed - -commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f -Author: Patrick Schleizer -Date: Sat Dec 7 04:50:40 2024 -0500 - - . - -commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 -Author: Patrick Schleizer -Date: Fri Dec 6 09:48:58 2024 -0500 - - permission hardner: treat `mount` the same way we treat `umount` - - Thanks to @the-moog for the bug report! 
- - fixes https://github.com/Kicksecure/security-misc/issues/284 - -commit 93b51819d4693955936456916188b4118fe68a66 -Author: Patrick Schleizer -Date: Fri Dec 6 09:47:08 2024 -0500 - - permission hardener mount chmod change from `745` to `755` - - https://github.com/Kicksecure/security-misc/issues/284 - -commit 1708a03e1edda821ef091f10c46d32f740511d38 -Author: Aaron Rainbolt -Date: Thu Nov 28 15:20:57 2024 -0600 - - Enable umask hardening - -commit 59299a6639fef31565b8f3cef857c9faa331e0f7 -Author: Patrick Schleizer -Date: Mon Nov 25 21:07:42 2024 +0000 - - bumped changelog version - -commit 98d7c245ee11f16e566422a17543aaed2c155d88 -Author: Patrick Schleizer -Date: Mon Nov 25 15:57:30 2024 -0500 - - "|| exit 1" no longer required thanks to errexit - -commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d -Author: Patrick Schleizer -Date: Mon Nov 25 15:48:01 2024 -0500 - - use strict shell options - -commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 -Author: Patrick Schleizer -Date: Mon Nov 25 15:44:00 2024 -0500 - - use TMP, sponge, refactoring - -commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 -Merge: af43472 d7475e2 -Author: Patrick Schleizer -Date: Mon Nov 25 15:38:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' - -commit d7475e252a64e296913ed8893261e52e72163d55 -Author: Aaron Rainbolt -Date: Thu Nov 21 20:03:42 2024 -0600 - - Make apt-get-update able to be terminated securely - -commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a -Author: Patrick Schleizer -Date: Thu Nov 14 22:24:50 2024 +0000 - - bumped changelog version - -commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b -Author: Patrick Schleizer -Date: Thu Nov 14 16:31:12 2024 -0500 - - output - -commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 -Author: Patrick Schleizer -Date: Thu Nov 14 20:46:26 2024 +0000 - - bumped changelog version - -commit ef95b3f9a5aed9652c541cf4bf05b20011718466 -Author: Patrick Schleizer -Date: Thu Nov 14 14:41:14 2024 -0500 - - Revert "fix `panic-on-oops.service`" - 
- This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. - -commit 412b371e85044962f6620386b767369b9e25d71e -Merge: 141b84c 57e1edd -Author: raja-grewal -Date: Wed Nov 13 16:47:57 2024 +1100 - - Merge branch 'Kicksecure:master' into arp - -commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f -Author: raja-grewal -Date: Wed Nov 13 05:42:56 2024 +0000 - - Provide option to deny sending and receiving shared media redirects - -commit 18aec201bfb0477fee8800ad1388099e11920016 -Author: raja-grewal -Date: Wed Nov 13 05:41:25 2024 +0000 - - Provide option to harden response to ARP requests - -commit a25d4f8df88908e83e56049204aa625f1196a948 -Author: raja-grewal -Date: Wed Nov 13 05:40:21 2024 +0000 - - Provide option to enable ARP filtering - -commit c2aae73ce161811571e4c85609a0b043399c1b65 -Author: raja-grewal -Date: Wed Nov 13 05:38:03 2024 +0000 - - Add reference and move text - -commit 57e1edde23aa3f313ce087e00ebc14d158356d6c -Author: Patrick Schleizer -Date: Tue Nov 12 09:11:57 2024 +0000 - - bumped changelog version - -commit 7987a3914d364e674eb7479b15708c450041af02 -Author: Patrick Schleizer -Date: Tue Nov 12 02:29:42 2024 -0500 - - deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover - -commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 -Author: Patrick Schleizer -Date: Tue Nov 12 01:41:12 2024 -0500 - - deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover - -commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 -Author: Patrick Schleizer -Date: Mon Nov 11 11:07:57 2024 +0000 - - bumped changelog version - -commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d -Author: Patrick Schleizer -Date: Mon Nov 11 05:48:11 2024 -0500 - - moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc - -commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 -Author: Patrick Schleizer -Date: Mon Nov 11 05:43:25 2024 -0500 - - deleted `/usr/bin/pkexec.security-misc` - - This was not used anymore for anything. 
In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: - - > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. - - * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - * https://forums.whonix.org/t/cannot-use-pkexec/8129 - - This was a worthwhile effort, interesting approach but ultimately a dead-end. - -commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 -Author: Patrick Schleizer -Date: Mon Nov 11 05:40:41 2024 -0500 - - disable legacy matroxfb_base framebuffer driver - - fix typo matroxfb_bases -> matroxfb_base - - Thanks to @ArrayBolt3 for the bug report! - -commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 -Author: Patrick Schleizer -Date: Mon Nov 11 05:36:41 2024 -0500 - - fix `panic-on-oops.service` - - remove `After=multi-user.target` because already using `WantedBy=multi-user.target` - - Thanks to @ArrayBolt3 for the bug report! - -commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a -Author: Patrick Schleizer -Date: Mon Nov 11 05:28:31 2024 -0500 - - fix optional opt-in `harden-module-loading.service` - - by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable - - Thanks to @ArrayBolt3 for the bug report! - -commit 4c649577f053af12bcd02c20576bf2d8aec1476d -Author: Patrick Schleizer -Date: Sun Nov 10 11:52:42 2024 +0000 - - bumped changelog version - -commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd -Merge: 5bd0a27 238f32e -Author: Patrick Schleizer -Date: Sun Nov 10 06:32:30 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e -Author: Patrick Schleizer -Date: Sun Nov 10 06:29:17 2024 -0500 - - fix permission-hardener issue "Removing capabilities failed. 
File: '/bin/ping'" - - no longer user end-of-options marker (`--`) for `setcap` - since setcap does not support it - - Fixes https://github.com/QubesOS/qubes-issues/issues/9569 - - https://forums.whonix.org/t/permission-hardener-error/20719 - -commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 -Merge: 3af2684 8107782 -Author: Patrick Schleizer -Date: Fri Nov 8 07:39:40 2024 -0500 - - Merge pull request #280 from raja-grewal/ssbd - - Enable `ssbd=force-on` - -commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b -Author: raja-grewal -Date: Fri Nov 8 15:36:04 2024 +1100 - - Enable `ssbd=force-on` - -commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 -Author: raja-grewal -Date: Fri Nov 8 03:58:23 2024 +0000 - - Provide option to drop gratuitous ARP packets - -commit 3af2684134279ba6f5b18b40986f02a50baa5604 -Author: Patrick Schleizer -Date: Wed Oct 30 09:43:05 2024 +0000 - - bumped changelog version - -commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 -Author: Patrick Schleizer -Date: Mon Oct 28 05:10:19 2024 -0400 - - minor - -commit cfe19e31d858d7899f4d95e21117c992d236d328 -Author: Patrick Schleizer -Date: Mon Oct 28 05:09:53 2024 -0400 - - shell options - -commit 0d506156587f87a303184f22259ffb57dd92cbc8 -Author: Patrick Schleizer -Date: Mon Oct 28 05:07:00 2024 -0400 - - local - -commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:26 2024 -0400 - - refactoring - -commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:05 2024 -0400 - - refactoring - -commit d00235897d686895a7e2e7da7435832fee008164 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:59 2024 -0400 - - hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` - -commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:20 2024 -0400 - - refactoring - -commit b44e507900defe3db68f31f3e110b1c3e5aa684c -Author: Patrick Schleizer -Date: Wed Oct 23 09:56:05 2024 +0000 - - 
bumped changelog version - -commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:38 2024 -0400 - - output - -commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:25 2024 -0400 - - comment - -commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 -Merge: b643330 690e8dd -Author: Patrick Schleizer -Date: Mon Oct 21 05:43:53 2024 -0400 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 -Author: Aaron Rainbolt -Date: Sat Oct 19 23:49:07 2024 -0500 - - Avoid faillock lock/tally reset on reboot or timeout - -commit b6433309fd7d6839cfba89e1197590e1ff62ef58 -Author: Patrick Schleizer -Date: Fri Oct 18 12:45:02 2024 -0400 - - use end-of-options - -commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a -Author: Patrick Schleizer -Date: Wed Oct 16 10:57:20 2024 +0000 - - bumped changelog version - -commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 -Merge: 263335f e50ad80 -Author: Patrick Schleizer -Date: Wed Oct 16 06:31:09 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e50ad807c01b5753c67d579126d7b79d38070c0a -Merge: 263335f eb72163 -Author: Patrick Schleizer -Date: Wed Oct 16 06:29:25 2024 -0400 - - Merge pull request #276 from raja-grewal/KSPP_header - - Clarify KSPP compliance header - -commit eb72163d5707c7673db1f12405d2e04261bd43c8 -Author: raja-grewal -Date: Mon Oct 14 03:01:15 2024 +0000 - - README.md: Make line lengths consistent - -commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 -Author: raja-grewal -Date: Mon Oct 14 02:57:31 2024 +0000 - - README.md: Split optional setting to new line - -commit 09fe46adc956e8c6de232f1093c37cdd30933acd -Author: raja-grewal -Date: Mon Oct 14 02:54:30 2024 +0000 - - Clarify KSPP compliance header for the undocumented case - -commit 263335f74ea0f050f9c259e20141c3345e7fa789 -Author: Patrick Schleizer -Date: Tue Oct 8 11:24:56 2024 +0000 - - bumped changelog version - -commit 
9169611645d0cd5a308ff48862f351ef5ea5f7e8 -Merge: 8a2d432 8227a3d -Author: Patrick Schleizer -Date: Tue Oct 8 05:54:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8227a3dde2995ceb113164baf49591d52c2b53e1 -Merge: 8a2d432 0c0774f -Author: Patrick Schleizer -Date: Tue Oct 8 05:53:48 2024 -0400 - - Merge pull request #273 from raja-grewal/text_2 - - Documentation update 2 - -commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 -Merge: dc470ca 8a2d432 -Author: raja-grewal -Date: Sun Oct 6 10:48:52 2024 +0000 - - Merge branch 'master' into text_2 - -commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f -Author: raja-grewal -Date: Sun Oct 6 10:46:05 2024 +0000 - - Remmove deprecated link - -commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b -Author: Patrick Schleizer -Date: Thu Oct 3 07:22:23 2024 +0000 - - bumped changelog version - -commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c -Author: Patrick Schleizer -Date: Thu Oct 3 02:58:58 2024 -0400 - - no longer set `kernel.unprivileged_userns_clone=0` - - because it breaks too much - - fixes https://github.com/Kicksecure/security-misc/issues/274 - -commit f401d94d5e0d0f26e93be55deda440fe565a6b22 -Author: Patrick Schleizer -Date: Thu Oct 3 02:44:06 2024 -0400 - - expand documentation on `kernel.unprivileged_userns_clone=0` sysctl - - https://github.com/Kicksecure/security-misc/issues/274 - -commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 -Author: raja-grewal -Date: Mon Sep 30 16:56:18 2024 +1000 - - Consistent formatting - -commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 -Author: raja-grewal -Date: Thu Sep 26 13:10:36 2024 +0000 - - README.md: Show the current max_map_count - -commit f3b50a23c976ba4feff34eee721c50f698ecc5bf -Author: raja-grewal -Date: Thu Sep 26 13:10:01 2024 +0000 - - Add reference on unprivileged_userns_restriction - -commit 39d063d494cb540f45747f6253ab896200ba03c3 -Author: raja-grewal -Date: Thu Sep 26 13:09:21 2024 +0000 - - Add KSPP=no definition - -commit 
5572eb897a10455041df8abec6b6be6de29431a0 -Author: Patrick Schleizer -Date: Wed Sep 25 01:03:42 2024 +0000 - - bumped changelog version - -commit e04f9cd4c17305d5201aa973c34778e81508734b -Merge: 18d426f 65aa910 -Author: Patrick Schleizer -Date: Tue Sep 24 20:16:06 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 65aa910503c07f708abf20f78be2f519ef58764a -Merge: 18d426f 870ff88 -Author: Patrick Schleizer -Date: Tue Sep 24 20:15:03 2024 -0400 - - Merge pull request #272 from raja-grewal/text - - Documentation update - -commit 870ff88605b8167c8882162cc3da005d71ca0cd3 -Author: raja-grewal -Date: Wed Sep 25 10:01:45 2024 +1000 - - Comment on Flatpak requiring unprivileged user namespaces - -commit 769767a96a5de2a8bc05e70ca490d8340b553061 -Author: raja-grewal -Date: Wed Sep 25 09:54:49 2024 +1000 - - Update mmap ASLR docs - -commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc -Author: Patrick Schleizer -Date: Sat Sep 14 02:56:09 2024 +0000 - - bumped changelog version - -commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 -Author: Patrick Schleizer -Date: Fri Sep 13 22:52:47 2024 -0400 - - Fix VirtualBox audio device ICH AC97. - - no longer `blacklist snd_intel8x0` - - Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. 
- https://www.kicksecure.com/wiki/Dev/audio - - Fixes https://github.com/Kicksecure/security-misc/issues/271 - -commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 -Author: Patrick Schleizer -Date: Sun Sep 8 17:41:30 2024 +0000 - - bumped changelog version - -commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa -Author: Patrick Schleizer -Date: Thu Sep 5 07:00:11 2024 -0400 - - readme - -commit e914028be7a48a3bfdf86e09c029011807f080d7 -Author: Patrick Schleizer -Date: Thu Sep 5 06:03:05 2024 -0400 - - add KSPP compliance status to readme based on comment by @raja-grewal - - https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 - -commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 -Author: Patrick Schleizer -Date: Wed Sep 4 14:13:15 2024 +0000 - - bumped changelog version - -commit 5a255d4831470449a26b324a8f16594432bf834b -Merge: d618f9f 563a898 -Author: Patrick Schleizer -Date: Wed Sep 4 10:12:34 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 563a8980133e15e33ac95a631e37ecfff88f6f8f -Merge: 175945e e61027a -Author: Patrick Schleizer -Date: Wed Sep 4 10:11:48 2024 -0400 - - Merge pull request #265 from raja-grewal/mmap_min_addr - - Set `sysctl vm.mmap_min_addr=65536` - -commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 -Merge: 59374ce 175945e -Author: Patrick Schleizer -Date: Wed Sep 4 10:07:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 -Merge: b0a8544 3101035 -Author: Patrick Schleizer -Date: Wed Sep 4 10:05:47 2024 -0400 - - Merge pull request #268 from raja-grewal/panic_on_warn - - Enable `panic_on_warn=1` - -commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef -Merge: 59374ce 7393ba1 -Author: Patrick Schleizer -Date: Wed Sep 4 10:04:45 2024 -0400 - - Merge pull request #270 from raja-grewal/typo - - Small typo - -commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 -Author: raja-grewal -Date: Wed Sep 4 23:23:24 2024 +1000 - - Typo - -commit 
59374ce902127e2125addc2ebb57d0d856a63671 -Author: Patrick Schleizer -Date: Thu Aug 29 09:49:51 2024 +0000 - - bumped changelog version - -commit 7e2838ec077b53e41d468d5655290152761c8745 -Merge: 9c918eb 0762794 -Author: Patrick Schleizer -Date: Thu Aug 29 05:06:07 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0762794ff684049a62b5b92b61177615a5376ad7 -Merge: 9c918eb 6294729 -Author: Patrick Schleizer -Date: Thu Aug 29 04:46:26 2024 -0400 - - Merge pull request #269 from raja-grewal/tidy - - Minor correction - -commit 6294729c8ef24077cd342b4557653806c3aacd34 -Author: Raja Grewal -Date: Thu Aug 29 15:34:24 2024 +1000 - - Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 - -commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 -Author: Raja Grewal -Date: Thu Aug 29 01:57:32 2024 +1000 - - Enable `panic_on_warn=1` - -commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 -Author: Patrick Schleizer -Date: Wed Aug 28 11:01:37 2024 +0000 - - bumped changelog version - -commit f70fe308a9f65873d34de2d1906d825f3a56e272 -Author: Patrick Schleizer -Date: Wed Aug 28 06:49:50 2024 -0400 - - no longer set sysctl `fs.binfmt_misc.status=0` / - no longer disallow registering interpreters for miscellaneous binary formats - - causing file/folder permissions issue `d????????? ? ? ? ? ? 
.` - - Firefox no longer starting (probably not not a Firefox issue) - - https://github.com/Kicksecure/security-misc/issues/267 - -commit 463aa58f28b6389d0925fed87096b348b652cc16 -Merge: cf824dd 328840c -Author: Patrick Schleizer -Date: Wed Aug 28 06:42:49 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 328840c933a583adc5458aa08c63fb627b31b298 -Merge: cf824dd 9e91c98 -Author: Patrick Schleizer -Date: Wed Aug 28 06:38:57 2024 -0400 - - Merge pull request #264 from raja-grewal/kspp_compliance - - Add KSPP compliance notices to corresponding parameters and `sysctls` - -commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 -Author: Raja Grewal -Date: Mon Aug 26 12:40:04 2024 +1000 - - Add details on BPF hardening and split the `sysctl`s - -commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 -Author: Raja Grewal -Date: Mon Aug 26 11:34:12 2024 +1000 - - Add KSPP notice definitions - -commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 -Author: Raja Grewal -Date: Mon Aug 26 11:21:26 2024 +1000 - - README: Update - -commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 -Author: Raja Grewal -Date: Mon Aug 26 11:19:20 2024 +1000 - - Add detail on disabling user namespaces breaking UPower - -commit 9dbd200be415c86e7039463c6269fad8395a4373 -Merge: 32de5e7 cf824dd -Author: raja-grewal -Date: Mon Aug 26 11:08:21 2024 +1000 - - Merge branch 'Kicksecure:master' into kspp_compliance - -commit cf824ddb248957fd9e542c1a5adc5e90381f684c -Author: Patrick Schleizer -Date: Sun Aug 25 15:34:55 2024 +0000 - - bumped changelog version - -commit 500568e322b2e3623fc649209d671c7b9d9fa097 -Merge: 43d13b7 73900b5 -Author: Patrick Schleizer -Date: Sun Aug 25 11:01:58 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 73900b59db37d77bc24bd5088aae3cc760aacc69 -Merge: 43d13b7 1f51d4e -Author: Patrick Schleizer -Date: Sun Aug 25 11:00:51 2024 -0400 - - Merge pull request #263 from raja-grewal/max_user_namespaces - - Provide option to disable user namespaces 
- -commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 -Merge: 8353764 fae586c -Author: Patrick Schleizer -Date: Sun Aug 25 10:55:52 2024 -0400 - - Merge remote-tracking branch 'raja/syntax' - -commit 835376418d616699023f8e638666f43d34241863 -Merge: ae85fd5 342caf8 -Author: Patrick Schleizer -Date: Sun Aug 25 10:48:25 2024 -0400 - - Merge remote-tracking branch 'raja/mod' - -commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 -Author: Patrick Schleizer -Date: Sun Aug 25 14:33:40 2024 +0000 - - bumped changelog version - -commit 433b15f985545f531b87d09659bbbb89993b5a67 -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit af87a84b4f40b2ad9ac05dd9bce837665f239454 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit 32de5e7c49d301b62b838ba88550f58b02b6562b -Author: Raja Grewal -Date: Sun Aug 25 12:57:22 2024 +1000 - - Add details on oopses and warnings - -commit e4909b5e28e16f09de0e548c9221578ebe1190a3 -Author: Raja Grewal -Date: Sun Aug 25 12:47:04 2024 +1000 - - Add details on kernel panics - -commit 342caf82b20acc2931563449fafe9a98cbedaba2 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit b87a18d4050bbf2add5cc4920684876a440e65bb -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 -Author: Raja Grewal -Date: Wed Aug 21 12:50:14 2024 +1000 - - Refactor modprobe.d to minimise potential future merge conflicts - -commit 56b28e38264fe742b8d694176f1057c15574fc08 -Author: Raja Grewal -Date: Mon Aug 19 11:50:08 2024 +1000 - - Typo - -commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 -Author: Raja Grewal -Date: Mon Aug 19 11:32:20 2024 +1000 - - Set `sysctl vm.mmap_min_addr=65536` - -commit 94dab1b7c503429e2fa91019a0183b2f36c6693f -Author: Raja Grewal -Date: Mon Aug 19 10:53:05 2024 +1000 - - Partial compliance with the 
KSPP on kernel panics - -commit 683110e7f02fa5fc6415354386552640cdb8758b -Author: Raja Grewal -Date: Mon Aug 19 01:34:14 2024 +1000 - - Correction - -commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d -Author: Raja Grewal -Date: Sun Aug 18 13:53:11 2024 +1000 - - Add details on user namespaces - -commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 -Author: Raja Grewal -Date: Sat Aug 17 01:06:21 2024 +1000 - - Include KSPP compliance notices - -commit 759aee8150a2d1258d73217c071b25432d47496f -Author: Raja Grewal -Date: Fri Aug 16 22:54:57 2024 +1000 - - Provide option to disable user namespaces - -commit fae586c3c5e8382ca01c60f810b26d88189a5514 -Author: Raja Grewal -Date: Fri Aug 16 19:23:48 2024 +1000 - - Patch bug in existing `rp_filter` `sysctl` - -commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 -Author: Patrick Schleizer -Date: Fri Aug 16 08:38:12 2024 +0000 - - bumped changelog version - -commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b -Merge: 12296c6 305467c -Author: Patrick Schleizer -Date: Fri Aug 16 04:30:29 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 305467c652af933bb5aa5a677b10a992a5f19cab -Merge: 12296c6 a5373af -Author: Patrick Schleizer -Date: Fri Aug 16 04:25:43 2024 -0400 - - Merge pull request #245 from raja-grewal/blacklist_to_disable - - Update `/etc/modprobe.d/*` - -commit 12296c68dc0aaa3703e1c36f854a02de8db412fe -Merge: 4bc12b0 036bcea -Author: Patrick Schleizer -Date: Fri Aug 16 04:22:43 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 036bcea4e6757de094fcafdadcf56aaa90729d79 -Merge: ef60c5b 81bf7a8 -Author: Patrick Schleizer -Date: Fri Aug 16 04:20:32 2024 -0400 - - Merge pull request #262 from raja-grewal/docs - - Miscellaneous updates to presentation - -commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f -Merge: cea8e75 ef60c5b -Author: raja-grewal -Date: Fri Aug 16 16:57:01 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 
-Merge: 4bc12b0 b552b92 -Author: Patrick Schleizer -Date: Fri Aug 16 02:43:57 2024 -0400 - - Merge pull request #249 from raja-grewal/binfmt_misc - - Disallow registering interpreters for miscellaneous binary formats - -commit cea8e753786d100ebe961ad74a99925e54d47771 -Author: Raja Grewal -Date: Fri Aug 16 14:55:22 2024 +1000 - - Consistent formating - -commit 84376d23fc17d2ced890ffca0b05d15907d42a6f -Author: Raja Grewal -Date: Fri Aug 16 13:39:11 2024 +1000 - - Add details on ASLR and move to user space section - -commit a13298002350a39491a509d15633edb95a2e3edd -Author: Raja Grewal -Date: Fri Aug 16 13:24:25 2024 +1000 - - Update README.md - -commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 -Author: Raja Grewal -Date: Fri Aug 16 13:12:07 2024 +1000 - - Typos - -commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e -Author: Raja Grewal -Date: Fri Aug 16 12:46:51 2024 +1000 - - Simplify syntax of some network-related `sysctl`'s - -commit e3a3207a4447568a17129afe9dde34debc465e21 -Author: Raja Grewal -Date: Fri Aug 16 12:41:36 2024 +1000 - - Clarify DMA hardening - -commit be9308e490f79a7b7788a744524d1d91cc870726 -Merge: 73db68d 4bc12b0 -Author: raja-grewal -Date: Fri Aug 16 11:45:43 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit 4bc12b07b42def786862b938e3f63c18cf874158 -Author: Patrick Schleizer -Date: Thu Aug 15 17:51:18 2024 +0000 - - bumped changelog version - -commit 9e61e37c17524b57f185b796f2ac19ba193205a8 -Merge: 89e816d dfd1c97 -Author: Patrick Schleizer -Date: Thu Aug 15 13:47:33 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit dfd1c97168249b229495cbd873d4d8493e244663 -Merge: 89e816d ec3038c -Author: Patrick Schleizer -Date: Thu Aug 15 13:46:30 2024 -0400 - - Merge pull request #248 from raja-grewal/secure_redirects - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 -Author: Raja Grewal -Date: Thu Aug 15 11:54:21 2024 +1000 - - Add references on 
`fs.binfmt_misc.status` - -commit 326d82a9beee130956dd817812016a6ee16fccbc -Author: Raja Grewal -Date: Thu Aug 15 11:46:56 2024 +1000 - - Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" - - This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. - -commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 -Author: Raja Grewal -Date: Fri Aug 9 14:27:30 2024 +1000 - - Add details on KFENCE - -commit f8fa89b245d929aee9884937fdcf44a6551df4cf -Author: Raja Grewal -Date: Fri Aug 9 14:21:59 2024 +1000 - - Add details on `tcp_timestamps` - -commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 -Author: Raja Grewal -Date: Fri Aug 9 13:39:25 2024 +1000 - - Minor consistency update in README.md - -commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 -Author: Raja Grewal -Date: Fri Aug 9 13:36:47 2024 +1000 - - Add reference on RDRAND - -commit 077bc48a26d1d3f5d1f758d7e251edccba64742b -Author: Raja Grewal -Date: Fri Aug 9 13:35:33 2024 +1000 - - Add reference on `rp_filter` - -commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 -Author: Raja Grewal -Date: Fri Aug 9 13:33:32 2024 +1000 - - Add some notices for future Debian 13 rebase - -commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 -Author: Raja Grewal -Date: Fri Aug 9 13:30:39 2024 +1000 - - Consistent line length formatting - -commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 -Author: Raja Grewal -Date: Fri Aug 9 13:30:15 2024 +1000 - - Typo - -commit a5373afc55e789f4657f3d843243e878e4afffa2 -Author: Raja Grewal -Date: Wed Aug 7 14:44:14 2024 +1000 - - Details on disabled `fbdev` kernel modules - -commit e98dc8c4f8af32dd3b10c034477fd2154df189ac -Author: Raja Grewal -Date: Wed Aug 7 14:14:47 2024 +1000 - - Update notifications for disabled kernel modules - -commit 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 -Author: Raja Grewal -Date: Wed Aug 7 14:01:49 2024 +1000 - - Update docs regarding Intel module disabling - -commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 -Author: Raja Grewal -Date: Wed Aug 7 13:48:53 2024 +1000 - - Clarify 
`secure_redirects` - -commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 -Author: Raja Grewal -Date: Wed Aug 7 13:33:44 2024 +1000 - - Provide optional `sysctl fs.binfmt_misc.status=0` - -commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 -Author: Patrick Schleizer -Date: Tue Aug 6 14:01:39 2024 +0000 - - bumped changelog version - -commit 967f9e257b09bc73ddb579292d507f7cb9832643 -Merge: fa90918 a25aaf9 -Author: Patrick Schleizer -Date: Tue Aug 6 09:57:56 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a25aaf900a12666046278a9fab6933b3d5670679 -Merge: 6bc039a 8559079 -Author: Patrick Schleizer -Date: Tue Aug 6 09:55:20 2024 -0400 - - Merge pull request #260 from raja-grewal/vdso32 - - Enable `vdso32=0` - -commit 6bc039a430289342f06857a52a5f13829d6e50f5 -Merge: ce60d56 d102ec1 -Author: Patrick Schleizer -Date: Tue Aug 6 09:52:56 2024 -0400 - - Merge pull request #259 from raja-grewal/kfence - - Enable `kfence.sample_interval=100` - -commit ce60d5615fe99e41c48d459f562d581a688c295a -Merge: b027842 c0d140f -Author: Patrick Schleizer -Date: Tue Aug 6 09:48:08 2024 -0400 - - Merge pull request #258 from raja-grewal/legacy_tiocsti - - Enable `dev.tty.legacy_tiocsti=0` - -commit b0278428a73cd3d329aaa36626005e0c593331f0 -Merge: fa90918 aa34d86 -Author: Patrick Schleizer -Date: Tue Aug 6 09:39:04 2024 -0400 - - Merge pull request #257 from raja-grewal/slab_debug - - Enable `slab_debug=FZ` - -commit 8559079312adb4ed92e5f478120b408dfe7a1124 -Author: Raja Grewal -Date: Mon Aug 5 15:10:02 2024 +1000 - - Enable `vdso32=0` - -commit d102ec19972865032f12f90bffe3e592546f0267 -Author: Raja Grewal -Date: Mon Aug 5 15:07:56 2024 +1000 - - Enable `kfence.sample_interval=100` - -commit c0d140f2211e6490d13e3cd327005027c668905f -Author: Raja Grewal -Date: Mon Aug 5 15:06:34 2024 +1000 - - Enable `dev.tty.legacy_tiocsti=0` - -commit aa34d86598f5b846b007730104e4c99c59f9984d -Author: Raja Grewal -Date: Mon Aug 5 14:27:17 2024 +1000 - - Enable `slab_debug=FZ` - 
-commit 4f7f82016015f61002ac8f778b61968c572dc7dc -Author: Raja Grewal -Date: Mon Aug 5 14:16:33 2024 +1000 - - Add reference - -commit fa9091869d417c6494840d0cb32623037d70c8be -Merge: 06f0c27 725118c -Author: Patrick Schleizer -Date: Sun Aug 4 16:20:36 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 725118c5759b45118bbd2804492526ea2a7c1a81 -Merge: 6d97408 6d211fa -Author: Patrick Schleizer -Date: Sun Aug 4 16:19:52 2024 -0400 - - Merge pull request #243 from raja-grewal/namespaces - - Restrict unprivileged user namespaces - -commit 06f0c27128a66c1074f405de3139651519e48204 -Merge: 8abc5ae 6d97408 -Author: Patrick Schleizer -Date: Sun Aug 4 16:15:01 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e -Merge: 8abc5ae 6f14d68 -Author: Patrick Schleizer -Date: Sun Aug 4 16:11:46 2024 -0400 - - Merge pull request #255 from raja-grewal/SLUB - - Restore option to enable `slub_debug=FZ` - -commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c -Merge: de6f3ea eab66da -Author: Patrick Schleizer -Date: Sun Aug 4 16:09:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 -Merge: de6f3ea ca2179b -Author: Patrick Schleizer -Date: Sun Aug 4 16:08:32 2024 -0400 - - Merge pull request #254 from raja-grewal/patch - - Updates to kernel and `sysctl` hardening - -commit 6f14d68cdcad3784311e33029eba6906ea0784c2 -Author: Raja Grewal -Date: Sat Aug 3 15:12:15 2024 +1000 - - Update legacy name `slub_debug` -> `slab_debug` - -commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 -Author: Raja Grewal -Date: Sat Aug 3 15:11:14 2024 +1000 - - Add details about `slub_debug` - -commit b77d1a2b980ae20158aa628eec67b016282d0a40 -Author: Raja Grewal -Date: Sat Aug 3 14:49:48 2024 +1000 - - Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" - - This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. 
- -commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e -Author: Raja Grewal -Date: Sat Aug 3 00:25:49 2024 +1000 - - Provide the option to disable legacy TIOCSTI operation - -commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 -Author: Raja Grewal -Date: Sat Aug 3 00:13:38 2024 +1000 - - Provide option to disable 32 bit vDSO mappings - -commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 -Author: Raja Grewal -Date: Sat Aug 3 00:12:50 2024 +1000 - - Provide option to enable the kernel Electric-Fence - -commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 -Author: Raja Grewal -Date: Sat Aug 3 00:11:06 2024 +1000 - - Add references to KSPP - -commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 -Author: Raja Grewal -Date: Sat Aug 3 00:09:42 2024 +1000 - - Add missing GRUB command lines for disabled boot parameters - -commit de6f3ea74a5a1408e4351c955ecb7010825364c5 -Author: Patrick Schleizer -Date: Sun Jul 28 20:50:22 2024 +0000 - - bumped changelog version - -commit d036094089e3e3a74df981c50882481273fcb6c0 -Merge: e60ce50 0f86fbd -Author: Patrick Schleizer -Date: Sun Jul 28 15:44:40 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 -Merge: e60ce50 73979d4 -Author: Patrick Schleizer -Date: Sun Jul 28 15:43:54 2024 -0400 - - Merge pull request #242 from raja-grewal/ptrace - - Disable the usage of `ptrace()` by all processes - -commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 -Author: Raja Grewal -Date: Sun Jul 28 22:04:30 2024 +1000 - - Typo - -commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe -Author: Raja Grewal -Date: Sun Jul 28 22:03:33 2024 +1000 - - Typo - -commit 9fbee9fc82768c3b436307459d174378ee471335 -Author: Raja Grewal -Date: Sun Jul 28 21:57:25 2024 +1000 - - Clarify - -commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 -Author: Patrick Schleizer -Date: Sat Jul 27 16:13:35 2024 +0000 - - bumped changelog version - -commit e86b2e7f8fcda5727b158579610cb6a0354e89cf -Author: Patrick Schleizer -Date: Sat Jul 27 
12:13:18 2024 -0400 - - output - -commit 144545762674e914046bb94100237329320e8ece -Author: Raja Grewal -Date: Sat Jul 27 14:00:30 2024 +1000 - - Show details regarding `secure_redirects` (again) - -commit 73979d4342dae2017be52d5182bb66fa28be398d -Author: Raja Grewal -Date: Sat Jul 27 13:28:59 2024 +1000 - - Link to `ptrace()` discussion - -commit 1c9f33f90606fb930744f1b9afc11caf87626194 -Author: Raja Grewal -Date: Sat Jul 27 13:24:08 2024 +1000 - - Revert "Disable the usage of `ptrace()` by all processes" - - This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. - -commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb -Author: Patrick Schleizer -Date: Fri Jul 26 15:40:24 2024 +0000 - - bumped changelog version - -commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 -Merge: 7969e86 886f609 -Author: Patrick Schleizer -Date: Fri Jul 26 11:10:25 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 886f6095dba71d76d5fd98277374417657e0cd31 -Merge: 7969e86 ed33366 -Author: Patrick Schleizer -Date: Fri Jul 26 11:08:30 2024 -0400 - - Merge pull request #250 from raja-grewal/Panik-Kalm - - Add details on "oopes" and kernel panics - -commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 -Merge: e2ae93a 0318f57 -Author: Patrick Schleizer -Date: Fri Jul 26 11:06:13 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0318f577ab554ae2ac0f9417b18134723ea2b580 -Merge: e2ae93a 4397de0 -Author: Patrick Schleizer -Date: Fri Jul 26 11:04:29 2024 -0400 - - Merge pull request #246 from raja-grewal/cfi - - Provide the option to change the default CFI implementation in the future - -commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 -Author: Patrick Schleizer -Date: Fri Jul 26 10:30:45 2024 -0400 - - port to safe_echo - -commit 8ec23ed7128580ed0092df43945ba55e94163a6d -Author: Patrick Schleizer -Date: Fri Jul 26 10:28:57 2024 -0400 - - echo does not support end-of-options - -commit 6096ed1109a0d5a62a844552fee500ebe66071c8 -Author: Patrick 
Schleizer -Date: Fri Jul 26 10:26:43 2024 -0400 - - comment - -commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 -Author: Patrick Schleizer -Date: Fri Jul 26 10:25:59 2024 -0400 - - comment - -commit 3b033ceba24e5e14056d54710d782397e5c669df -Author: Patrick Schleizer -Date: Fri Jul 26 10:17:24 2024 -0400 - - shellcheck - -commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 -Author: Patrick Schleizer -Date: Fri Jul 26 10:16:20 2024 -0400 - - use `find` with `safe_echo_nonewline` - -commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 -Merge: 28b25bd 6bbf176 -Author: raja-grewal -Date: Sat Jul 27 00:09:30 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c -Author: Patrick Schleizer -Date: Fri Jul 26 09:33:45 2024 -0400 - - consider end-of-options for `find` - -commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:29 2024 -0400 - - comment - -commit 7e0f1a87010674c63963b70c87e903cf27b288ef -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:04 2024 -0400 - - dpkg-statoverride can actually handle '--file-name'. - -commit ee037c01a1208b9247c3ae144fa3faa68657ffdb -Author: Patrick Schleizer -Date: Fri Jul 26 08:58:44 2024 -0400 - - Skip file names starting with '--', - - because this would be interpreted by dpkg-statoverride as an option. 
- -commit 82d401a7de58b74448113bed36c8f0cc073c7f82 -Author: Patrick Schleizer -Date: Fri Jul 26 08:52:42 2024 -0400 - - sanity test - -commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 -Author: Patrick Schleizer -Date: Fri Jul 26 08:49:14 2024 -0400 - - output - -commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 -Author: Patrick Schleizer -Date: Fri Jul 26 08:46:08 2024 -0400 - - output - -commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a -Author: Patrick Schleizer -Date: Fri Jul 26 08:40:10 2024 -0400 - - minor - -commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a -Author: Patrick Schleizer -Date: Fri Jul 26 08:39:11 2024 -0400 - - more use of end of options - -commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 -Author: Patrick Schleizer -Date: Fri Jul 26 08:31:17 2024 -0400 - - comment - -commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 -Author: Patrick Schleizer -Date: Fri Jul 26 08:26:16 2024 -0400 - - output - -commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 -Author: Patrick Schleizer -Date: Fri Jul 26 08:24:23 2024 -0400 - - cleanup - -commit 6f0551b944cbf83d82f7a1a554c4461bc971520b -Author: Patrick Schleizer -Date: Fri Jul 26 08:23:54 2024 -0400 - - refactoring - -commit aac450f80836b03478b9e2632afc5a4519f9b37a -Author: Patrick Schleizer -Date: Fri Jul 26 08:22:04 2024 -0400 - - refactoring - -commit 30f46790a4df7662926fa43d44ac34c3286dd590 -Author: Patrick Schleizer -Date: Fri Jul 26 08:21:21 2024 -0400 - - use end of options whenever possible - -commit 95722d6d7902367afb44175263a8628df9ad01b2 -Author: Patrick Schleizer -Date: Fri Jul 26 08:13:33 2024 -0400 - - use long option name - -commit 19f131c7426aaa5199504e75aba180a7771a2520 -Author: Patrick Schleizer -Date: Fri Jul 26 08:07:08 2024 -0400 - - code simplification - - https://github.com/Kicksecure/security-misc/pull/251 - -commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 -Author: Patrick Schleizer -Date: Fri Jul 26 07:43:59 2024 -0400 - - output - -commit bdfe764f9d805b14dca4196e623e81ce95145d9b -Merge: 9f13523 
652a06c -Author: Patrick Schleizer -Date: Fri Jul 26 07:19:05 2024 -0400 - - Merge remote-tracking branch 'ben-grande/stat-dedup' - -commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f -Author: Patrick Schleizer -Date: Fri Jul 26 06:43:01 2024 -0400 - - no longer disable Intel ME related kernel modules - - because that might break firmware updates - - This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f616da7c0690fc0dffc21be59174ed8754ec55fb -Author: Patrick Schleizer -Date: Fri Jul 26 09:40:59 2024 +0000 - - bumped changelog version - -commit 4397de0138dac47aee66570fcfe4ef38c8179321 -Author: Raja Grewal -Date: Fri Jul 26 11:30:46 2024 +1000 - - Update description of `cfi=kcfi` kerenel parameter - -commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 -Author: Ben Grande -Date: Thu Jul 25 12:37:21 2024 +0200 - - Only print SUID or SGID values when set - -commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e -Author: Ben Grande -Date: Thu Jul 25 12:20:16 2024 +0200 - - Unduplicate stat call - -commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 -Author: Raja Grewal -Date: Thu Jul 25 15:51:32 2024 +1000 - - Partial inclusion of GrapheneOS infrastructure blacklist - -commit ed3336694ce35614ab47db42bce29d3c69d46752 -Author: Raja Grewal -Date: Thu Jul 25 10:28:27 2024 +1000 - - Provide the option to immediately reboot on a kernel panics - -commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 -Author: Raja Grewal -Date: Thu Jul 25 10:26:23 2024 +1000 - - Add documentation on `sysctl kernel.panic_on_oops=1` - -commit f699eb02a27ef54b9ced5866447b63152984af66 -Author: Raja Grewal -Date: Thu Jul 25 10:11:33 2024 +1000 - - Set `sysctl fs.binfmt_misc.status=0` - -commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 -Author: Patrick Schleizer -Date: Wed Jul 24 13:31:49 2024 -0400 - - todo - -commit 4cc1289e89b341e15725d65e405e607ea4784f9f -Author: Patrick Schleizer -Date: Wed Jul 24 13:30:30 2024 -0400 - - output - -commit 
10c73b326f824f783169383888b9464965a53cbb -Author: Patrick Schleizer -Date: Wed Jul 24 12:07:26 2024 -0400 - - fix delimiter parsing - -commit a16dd8474bf72c2b8c63adc7500140e89d19fedb -Author: Patrick Schleizer -Date: Wed Jul 24 11:50:30 2024 -0400 - - sanity test - -commit cc2b335ee692cc04a2c4e298902f3503927b2c50 -Author: Patrick Schleizer -Date: Wed Jul 24 11:48:32 2024 -0400 - - cleanup - -commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:47:52 2024 -0400 - - output - -commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 -Author: Patrick Schleizer -Date: Wed Jul 24 11:45:13 2024 -0400 - - cannot use NULL inside a bash variable - - use custom delimiter instead - -commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 -Author: Patrick Schleizer -Date: Wed Jul 24 11:27:51 2024 -0400 - - output - -commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 -Author: Patrick Schleizer -Date: Wed Jul 24 11:20:26 2024 -0400 - - downgrade warning of non-existing folders to info - - to avoid all users by default getting a warning for expected non-existing folders - -commit 151ca659a9f5565744ff57f3b581c8c051def148 -Author: Patrick Schleizer -Date: Wed Jul 24 11:19:15 2024 -0400 - - output - -commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:13:35 2024 -0400 - - downgrade warning of non-existing files to info - - to avoid all users by default getting a warning for expected non-existing files - -commit 721392901be384014298f59deb57747b825c8b37 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:39 2024 -0400 - - remove duplicate test - -commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:18 2024 -0400 - - output - -commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 -Author: Patrick Schleizer -Date: Wed Jul 24 11:10:56 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit d5366835112cc5fabef7ec46a9c582c08121cb14 -Author: 
Patrick Schleizer -Date: Wed Jul 24 11:03:28 2024 -0400 - - local clean_output_prefix clean_output - -commit a6e517736b83c124cf8cec52bac184612a29ad0d -Author: Patrick Schleizer -Date: Wed Jul 24 11:02:25 2024 -0400 - - local stat_output - -commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 -Author: Patrick Schleizer -Date: Wed Jul 24 11:01:24 2024 -0400 - - add sanity test for file_name output from stat - -commit b9dfe70a016e46e1f275918be19890526182cfa2 -Author: Patrick Schleizer -Date: Wed Jul 24 10:58:05 2024 -0400 - - check first if file_name is empty - -commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 -Author: Patrick Schleizer -Date: Wed Jul 24 10:57:13 2024 -0400 - - check first if array is empty before parsing further - -commit a077ae54ea050af8828813b781738cba24e27624 -Author: Patrick Schleizer -Date: Wed Jul 24 10:56:08 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit 1135d34ab334c9b39e51a147dc94df568f982512 -Author: Raja Grewal -Date: Wed Jul 24 23:33:36 2024 +1000 - - Reword description of `cfi=kcfi` kerenel parameter - -commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 -Author: Patrick Schleizer -Date: Wed Jul 24 09:15:02 2024 -0400 - - output - -commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 -Merge: d2563ed 8be21b6 -Author: Patrick Schleizer -Date: Wed Jul 24 09:13:48 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit 88c88187f2909322211cc08598717068ea7cf1d1 -Author: Raja Grewal -Date: Wed Jul 24 17:26:50 2024 +1000 - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f -Author: Ben Grande -Date: Tue Jul 23 19:36:12 2024 +0200 - - Handle newlines in file names - -commit aa99de68d307cd88462665424996d9b730ab5087 -Author: Ben Grande -Date: Tue Jul 23 18:46:47 2024 +0200 - - Log output with defined levels - -commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 -Author: Ben Grande -Date: Tue Jul 23 09:55:02 2024 +0200 - - Prettify 
log messages - -commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 -Author: Raja Grewal -Date: Tue Jul 23 13:12:13 2024 +1000 - - Update docs relating to the `cfi=kcfi` kernel parameter - -commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 -Author: Ben Grande -Date: Mon Jul 22 17:06:07 2024 +0200 - - Unify functions that evaluate commands - -commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed -Author: Ben Grande -Date: Mon Jul 22 16:01:14 2024 +0200 - - Delimit file names with null terminator - -commit d6fc71dba78a9c871015ebdde3bef61943369b47 -Author: Raja Grewal -Date: Mon Jul 22 17:26:00 2024 +1000 - - Add option to switch (back) to using kCFI in the future - -commit f582e543434ba20a2fb7f7300058f7c8a7d62878 -Merge: a189956 d2563ed -Author: raja-grewal -Date: Mon Jul 22 15:12:00 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit d2563ed92317a029340dbb83f30da008b01325f2 -Author: Patrick Schleizer -Date: Sun Jul 21 10:40:14 2024 +0000 - - bumped changelog version - -commit 64f8b2eb5870664fca06aa060f2f50af358ced55 -Author: Patrick Schleizer -Date: Sun Jul 21 06:36:22 2024 -0400 - - Revert "no longer disable Intel ME related kernel modules" - - This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. 
- - https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 -Author: Patrick Schleizer -Date: Sat Jul 20 17:02:05 2024 +0000 - - bumped changelog version - -commit f0a478c7c91697988926a73d3a1880dd8caaca68 -Author: Patrick Schleizer -Date: Sat Jul 20 12:57:56 2024 -0400 - - permission hardener: allow postfix - - postqueue matchwhitelist - postdrop matchwhitelist - -commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 -Author: Raja Grewal -Date: Sat Jul 20 20:11:09 2024 +1000 - - Typo - -commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 -Author: Raja Grewal -Date: Sat Jul 20 15:03:21 2024 +1000 - - Disable some legacy drivers - These were all previously blacklisted for over 2 years. - -commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 -Author: Raja Grewal -Date: Sat Jul 20 14:55:10 2024 +1000 - - Disable legacy framebuffer drivers - These were all previously blacklisted for over 2 years. 
- -commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe -Author: Patrick Schleizer -Date: Fri Jul 19 07:20:59 2024 -0400 - - undo io_uring related changes - - as these should be done in a separate pull request (if apprpriate) - - https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 - -commit 8791aecb38a41aa0b0c108505726bc6a1ace903e -Merge: 2d11436 06894d1 -Author: Patrick Schleizer -Date: Fri Jul 19 07:19:09 2024 -0400 - - Merge remote-tracking branch 'raja/fixes' - -commit 06894d1c98e91f43af58cc438559ea76b6a361e3 -Author: Raja Grewal -Date: Fri Jul 19 18:30:42 2024 +1000 - - Typo - -commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 -Author: Patrick Schleizer -Date: Thu Jul 18 18:05:07 2024 +0000 - - bumped changelog version - -commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 -Author: Patrick Schleizer -Date: Thu Jul 18 14:04:00 2024 -0400 - - comment - -commit a5eed00eba76f83c310f62d000830f38b0e87d21 -Author: Patrick Schleizer -Date: Thu Jul 18 14:02:38 2024 -0400 - - cleanup comments - -commit 21efacf1b111d9599e72cef23b791cf4961c04c3 -Author: Patrick Schleizer -Date: Thu Jul 18 14:00:28 2024 -0400 - - cleanup duplicate comments which are already in `/etc/dkms/framework.conf` - -commit 61628c2baf58ca2859bc5fc99782985ef0822750 -Author: Patrick Schleizer -Date: Thu Jul 18 14:11:35 2024 +0000 - - bumped changelog version - -commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 -Author: Patrick Schleizer -Date: Thu Jul 18 10:11:03 2024 -0400 - - no comments / copyright allowed in .displace-extension - -commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 -Author: Patrick Schleizer -Date: Thu Jul 18 14:05:23 2024 +0000 - - bumped changelog version - -commit 95286df50274953326accb615487e21d409b652a -Author: Raja Grewal -Date: Thu Jul 18 15:28:31 2024 +1000 - - Update README.md regarding secure ICMP redirects - -commit 13cc1f0986033855a399b50442a86a8d8552eb96 -Author: Raja Grewal -Date: Thu Jul 18 12:25:00 2024 +1000 - - Clarify (future) disabling of `io_uring` - 
-commit 9e6facda7017498e8310a9c39403e95e81c5a903 -Author: Raja Grewal -Date: Thu Jul 18 12:21:37 2024 +1000 - - Update module disabling presentation - -commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 -Author: Raja Grewal -Date: Thu Jul 18 12:19:27 2024 +1000 - - Typos - -commit 6d211faf591608ea6e7f484e8bc69dd567877abf -Author: Raja Grewal -Date: Thu Jul 18 11:04:54 2024 +1000 - - Restrict unprivileged user namespaces - -commit b04828f858fa6d101099773d3156841fd6d33b6f -Author: Raja Grewal -Date: Thu Jul 18 11:01:41 2024 +1000 - - Disable the usage of `ptrace()` by all processes - -commit d454f36c63bd653e47353fb1c93107b2d5584fe2 -Author: Patrick Schleizer -Date: Wed Jul 17 11:52:29 2024 -0400 - - spelling - -commit f4da582aa31b869413aef6f4e252b7985e961339 -Author: Patrick Schleizer -Date: Wed Jul 17 11:44:17 2024 -0400 - - spelling - -commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 -Author: Patrick Schleizer -Date: Wed Jul 17 11:40:51 2024 -0400 - - spelling - -commit b569fc02a4650187e69b62b95439c05ee2611e91 -Author: Patrick Schleizer -Date: Wed Jul 17 11:38:53 2024 -0400 - - spelling - -commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 -Author: Patrick Schleizer -Date: Wed Jul 17 11:04:03 2024 -0400 - - spelling - -commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 -Author: Patrick Schleizer -Date: Wed Jul 17 10:56:14 2024 -0400 - - comment - -commit 24cd70a014b221b25669755b955bc114fe083643 -Author: Patrick Schleizer -Date: Wed Jul 17 10:55:12 2024 -0400 - - spelling - -commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 -Author: Patrick Schleizer -Date: Wed Jul 17 10:49:21 2024 -0400 - - spelling - -commit 821a416fe39e11ca030c63f25a5220772d80eae5 -Author: Patrick Schleizer -Date: Wed Jul 17 10:43:16 2024 -0400 - - spelling - -commit 9a387f95e9346030e2adc3252a45942949561b52 -Merge: fd41acd 4afe257 -Author: Patrick Schleizer -Date: Wed Jul 17 10:32:26 2024 -0400 - - Merge remote-tracking branch 'raja/miscellaneous' - -commit fd41acdc721a6463813bc347cb965b6211fb9447 -Merge: 
0da22c2 1087387 -Author: Patrick Schleizer -Date: Wed Jul 17 10:27:31 2024 -0400 - - Merge remote-tracking branch 'raja/fack_off' - -commit 4afe257a42576158a54a68948440a2b4c043b67c -Author: Raja Grewal -Date: Thu Jul 18 00:14:13 2024 +1000 - - minor - -commit d0a59617f6b8a90fd5c758699e910af9d7496c98 -Author: Raja Grewal -Date: Thu Jul 18 00:13:30 2024 +1000 - - Add missing Copyright (C) statements - -commit 8f3896c3dac13b604e36d4249f976598f271a215 -Author: Raja Grewal -Date: Wed Jul 17 23:44:37 2024 +1000 - - Upgrade hyperlinks to HTTPS - -commit 1087387b362d5598e44262db07ab0fff9118b064 -Author: Raja Grewal -Date: Wed Jul 17 23:35:25 2024 +1000 - - Remove obsolete `#net.ipv4.tcp_fack=0` - -commit 0da22c20316c8f0f574e0127926506e52ccbc269 -Author: Patrick Schleizer -Date: Wed Jul 17 09:07:31 2024 -0400 - - minor - -commit c336b266f61528cce27e1cafac6377370927a787 -Merge: afe3c25 df80385 -Author: Patrick Schleizer -Date: Wed Jul 17 09:06:44 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit df80385289717fee0266436d056c9aedd0fb06af -Merge: afe3c25 724435e -Author: Patrick Schleizer -Date: Wed Jul 17 09:04:18 2024 -0400 - - Merge pull request #237 from raja-grewal/intel_pmt - - Disable some Intel PMT kernel modules - -commit afe3c25a49940f7f322414c08e8dbd631e696215 -Author: Patrick Schleizer -Date: Wed Jul 17 08:58:00 2024 -0400 - - update readme - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 -Author: Patrick Schleizer -Date: Wed Jul 17 08:57:35 2024 -0400 - - minor - -commit 6157e328f40a7f3780208489b1ffecef8e6d738a -Author: Patrick Schleizer -Date: Wed Jul 17 08:52:11 2024 -0400 - - no longer disable Intel ME related kernel modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit daee8b900b3057235aedc17b1231c3c05599140c -Merge: 954ff1b a4ba6e4 -Author: Patrick Schleizer -Date: Wed Jul 17 08:47:55 2024 -0400 - - Merge remote-tracking branch 
'github-kicksecure/master' - -commit a4ba6e485d94512fdf737b9f66137c3f692c9904 -Merge: 9a75135 abafb19 -Author: Patrick Schleizer -Date: Wed Jul 17 08:46:27 2024 -0400 - - Merge pull request #236 from raja-grewal/intel_me - - Disable more Intel ME kernel modules - -commit 954ff1be41288b5fa2e50d492d92544915f93bb5 -Merge: d29a616 9a75135 -Author: Patrick Schleizer -Date: Wed Jul 17 08:42:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9a75135633ad172f7cbf318e1206865493c28bb4 -Merge: d29a616 a340899 -Author: Patrick Schleizer -Date: Wed Jul 17 08:41:43 2024 -0400 - - Merge pull request #238 from raja-grewal/uvcvideo_2 - - Minor additions to `30_security-misc_disable.conf` - -commit d29a616142562492db6c45c299f002100e905828 -Author: Patrick Schleizer -Date: Wed Jul 17 08:39:20 2024 -0400 - - minor - -commit a2802f352fc7021ead0d431c665cc16b2821ae0b -Merge: 0b873b7 81a3715 -Author: Patrick Schleizer -Date: Wed Jul 17 08:38:23 2024 -0400 - - Merge remote-tracking branch 'raja/kargs' - -commit 0b873b765e20b06113d808075fa95c8acbb1e0fc -Author: Patrick Schleizer -Date: Wed Jul 17 08:05:27 2024 -0400 - - minor - -commit 070bb46a08afcd84fb638472c39bd543bad4fb17 -Merge: 6d6e547 25fd532 -Author: Patrick Schleizer -Date: Wed Jul 17 08:02:45 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a -Author: Patrick Schleizer -Date: Wed Jul 17 08:00:24 2024 -0400 - - minor - -commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda -Merge: fe5c840 693b47e -Author: Patrick Schleizer -Date: Wed Jul 17 07:59:35 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 25fd532ce62399d5bb42d844ad32b5128eaf748d -Author: Raja Grewal -Date: Wed Jul 17 21:56:40 2024 +1000 - - Update README.md relating to `sysctl`'s - -commit 39fd125eb0f0c16c8a64933bbd04709287a2686a -Author: Raja Grewal -Date: Wed Jul 17 21:44:44 2024 +1000 - - Provide explanation on the disabling of IPv6 Privacy Extensions - -commit 
a3408990ab439e6edbf8691cf7d65fb16c0d24df -Author: Raja Grewal -Date: Wed Jul 17 15:03:39 2024 +1000 - - Uncomment disabling of already disabled ATM modules - -commit 693b47e6235528ab7a9032818cce22fd63a4f5ea -Author: Raja Grewal -Date: Wed Jul 17 14:58:30 2024 +1000 - - Clarify ICMP redirect acceptance and sending - -commit 81a3715c7c0b73796a62297ebe55e861a46f7686 -Author: Raja Grewal -Date: Wed Jul 17 13:32:08 2024 +1000 - - Add info regarding the downsides of disabling SMT - -commit abafb1945cace774429fefd0c1a037fb2ec3f774 -Author: Raja Grewal -Date: Wed Jul 17 13:26:03 2024 +1000 - - Add Intel ME references - -commit f317aaebab126bafe3cfaef8159bf0820c392c87 -Author: Raja Grewal -Date: Wed Jul 17 01:09:02 2024 +1000 - - Disable two network modules - These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. - -commit d69fe88091c7212a9af86306c797aed40398584b -Author: Raja Grewal -Date: Wed Jul 17 01:08:01 2024 +1000 - - Provide option to disable `uvcvideo` driver - -commit 49594ccb223c09d70f00434e5875c9dae1a2360d -Author: Raja Grewal -Date: Wed Jul 17 00:49:25 2024 +1000 - - Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 - -commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 -Author: Raja Grewal -Date: Wed Jul 17 00:36:18 2024 +1000 - - Uncomment redundant disabling of TCP FACK` - -commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 -Author: Raja Grewal -Date: Wed Jul 17 00:31:23 2024 +1000 - - Apply changes from code review - -commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c -Author: Patrick Schleizer -Date: Mon Jul 15 21:18:55 2024 +0000 - - bumped changelog version - -commit 6e63fc8985b97902dbae2553ded51950168dc222 -Merge: fe0846c b7796a5 -Author: Patrick Schleizer -Date: Mon Jul 15 17:14:25 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 -Author: Patrick 
Schleizer -Date: Mon Jul 15 12:30:38 2024 -0400 - - fix - - https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 - -commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 -Author: Patrick Schleizer -Date: Mon Jul 15 12:29:52 2024 -0400 - - further discussion required - - https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 - -commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 -Merge: 5ba5a85 9300c20 -Author: Patrick Schleizer -Date: Mon Jul 15 12:28:03 2024 -0400 - - Merge remote-tracking branch 'raja/kernel_modules' - -commit 73f6d4b26f51f0c920fe020677f464c536d75410 -Author: Raja Grewal -Date: Tue Jul 16 01:03:41 2024 +1000 - - Fix transcription error - -commit 724435e56ea059183241044a4fc09423187533eb -Author: Raja Grewal -Date: Mon Jul 15 22:38:43 2024 +1000 - - Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules - -commit 61941da37509a4bb809212536b79f461a209f584 -Author: Raja Grewal -Date: Mon Jul 15 22:38:09 2024 +1000 - - Create `disabled-intelpmt-by-security-misc` - -commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 -Author: Raja Grewal -Date: Mon Jul 15 22:21:20 2024 +1000 - - Disable more Intel Management Engine (ME) modules - -commit 9300c208e25d936f2c633a0904126566afc1c275 -Author: Raja Grewal -Date: Mon Jul 15 21:36:25 2024 +1000 - - Fix script - -commit f2db11269e89d4c945642b661aa9cbe356f89037 -Author: Raja Grewal -Date: Mon Jul 15 21:18:32 2024 +1000 - - Fix script - -commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d -Author: Raja Grewal -Date: Mon Jul 15 21:13:25 2024 +1000 - - Fix error - -commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c -Author: Raja Grewal -Date: Mon Jul 15 21:10:13 2024 +1000 - - Updated wording of error files for disabled modules - -commit fda3832eaf293915ab77ce73a0be2caec15e21fa -Author: Raja Grewal -Date: Mon Jul 15 21:08:45 2024 +1000 - - Replace bash file presented for disabling of miscellaneous modules - -commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 -Author: Raja 
Grewal -Date: Mon Jul 15 21:02:10 2024 +1000 - - Update README.md relating to disabled miscellaneous modules - -commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c -Author: Raja Grewal -Date: Mon Jul 15 21:01:36 2024 +1000 - - Disable more miscellaneous drivers - -commit c52b1a3fd269ef4f98028dd5eead476abe5d138d -Author: Raja Grewal -Date: Mon Jul 15 20:58:45 2024 +1000 - - Create `disabled-miscellaneous-by-security-misc` - -commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 -Author: Raja Grewal -Date: Mon Jul 15 20:57:14 2024 +1000 - - Disable more Thunderbolt modules - -commit 51f7776bc8722752d53fc503b0c79564d8715d4c -Author: Raja Grewal -Date: Mon Jul 15 20:56:12 2024 +1000 - - Disable more network protocols/drivers - -commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 -Author: Raja Grewal -Date: Mon Jul 15 20:54:18 2024 +1000 - - Disable more network file systems - -commit 82c5a93f7cf2846490120c5262a146a313a5ce47 -Author: Raja Grewal -Date: Mon Jul 15 20:53:07 2024 +1000 - - Disable another GPS module - -commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 -Author: Raja Grewal -Date: Mon Jul 15 20:47:56 2024 +1000 - - Disable more file systems - -commit 4476a477a77c98cf4334fbcb866bc8f113f568ac -Author: Raja Grewal -Date: Mon Jul 15 20:47:07 2024 +1000 - - Provide option to disable more Bluetooth modules - -commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 -Author: Raja Grewal -Date: Mon Jul 15 20:46:04 2024 +1000 - - Update `security-misc.maintscript` - Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. 
- -commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a -Author: Raja Grewal -Date: Mon Jul 15 15:05:00 2024 +1000 - - Improve docs - -commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 -Author: Raja Grewal -Date: Mon Jul 15 15:01:48 2024 +1000 - - Update presentation of the `kernel.printk` sysctl - -commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 -Author: Raja Grewal -Date: Mon Jul 15 14:57:40 2024 +1000 - - Clarify instructions for increasing log verbosity - -commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 -Author: Raja Grewal -Date: Mon Jul 15 14:50:29 2024 +1000 - - Fix link - -commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 -Author: Raja Grewal -Date: Mon Jul 15 14:40:03 2024 +1000 - - Update `security-misc.maintscript` relating to grub - -commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 -Author: Raja Grewal -Date: Mon Jul 15 14:39:12 2024 +1000 - - Update presentation of `quiet loglevel=0` - -commit 69c8e849270393537d3e024137bc20a42c848333 -Author: Raja Grewal -Date: Mon Jul 15 14:38:21 2024 +1000 - - Fix typos - -commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 -Author: Raja Grewal -Date: Mon Jul 15 02:04:25 2024 +1000 - - Remove the optional `slub_debug` parameter since it is no longer recommended - -commit 99038c7a0621f5c9852638c1706c5306b42e6480 -Author: Raja Grewal -Date: Mon Jul 15 02:02:01 2024 +1000 - - Add option to disable support for x86 processes and syscalls in the future - -commit f550fbe07cafb75112e98268730d1bcc511489e2 -Author: Raja Grewal -Date: Mon Jul 15 01:59:04 2024 +1000 - - Add option to disable the entire IPv6 stack functionality - -commit a33d4cd099b8cbf569ff35627eeacf3562a4371e -Author: Raja Grewal -Date: Mon Jul 15 01:56:25 2024 +1000 - - Refactor existing kernel parameters for clarity - -commit acd60e45d8cbc98ea935c9bf035f2840622ab58d -Author: Raja Grewal -Date: Sun Jul 14 20:07:31 2024 +1000 - - Add comment about enabling core dump files - -commit 5cf9afc21563712b851850e2041141807503807c -Author: Raja Grewal -Date: Sun Jul 14 17:05:49 2024 
+1000 - - Include optional `sysctl`'s in README.md - -commit 2b9e174c9db69f2c30828aae236c631d46255e07 -Author: Raja Grewal -Date: Sun Jul 14 16:22:52 2024 +1000 - - Remove empty lines - -commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a -Author: Raja Grewal -Date: Sun Jul 14 13:40:53 2024 +1000 - - Some documentation additions and fixes - -commit 565597c9a282b08697d04204f5eb9c22153e77bd -Author: Raja Grewal -Date: Sun Jul 14 01:21:24 2024 +1000 - - Minor documentation changes and fixes - -commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 -Author: Patrick Schleizer -Date: Sat Jul 13 15:01:16 2024 +0000 - - bumped changelog version - -commit ad860063aba0443a8ac8b9cf191d008617d6d904 -Merge: f34b9d7 9f58266 -Author: Patrick Schleizer -Date: Sat Jul 13 10:55:45 2024 -0400 - - Merge remote-tracking branch 'raja/modprobe' - -commit 9f582665467fd4fdf20c83841305785024bceedf -Author: Raja Grewal -Date: Sat Jul 13 23:32:01 2024 +1000 - - Move nf_conntrack_helper disabling into separate file - -commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a -Author: Raja Grewal -Date: Sat Jul 13 23:30:55 2024 +1000 - - Clarify README.mmd relating to module disabling - -commit 98580bb39a495a141e7b40792fd9d232fcf29d23 -Author: Raja Grewal -Date: Sat Jul 13 23:29:52 2024 +1000 - - Update modprobe presentation - -commit 2de3a795990234134be15be90aa55f547c064d92 -Author: Raja Grewal -Date: Sat Jul 13 22:41:40 2024 +1000 - - Refactor existing sysctl for clarity - -commit f34b9d7c45cd723535eedd3df99896ee7f852388 -Merge: 05c1711 5f10cc8 -Author: Patrick Schleizer -Date: Sat Jul 13 06:14:43 2024 -0400 - - Merge remote-tracking branch 'raja/modules' - -commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e -Author: Raja Grewal -Date: Fri Jul 12 16:22:10 2024 +1000 - - Update README.md relating to modprobe - -commit 41a3bf92fbdac88a1884dee735600cafa35134bf -Author: Raja Grewal -Date: Fri Jul 12 16:21:41 2024 +1000 - - Sort `30_security-misc_disable.conf` - -commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 -Author: 
Raja Grewal -Date: Fri Jul 12 16:21:03 2024 +1000 - - Fix error in error script - -commit b02230a783941da412be72fb52053db0c6b8010f -Author: Raja Grewal -Date: Fri Jul 12 02:42:37 2024 +1000 - - Split modprobe into blacklisted and disabled configurations - -commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 -Author: Raja Grewal -Date: Fri Jul 12 02:29:36 2024 +1000 - - Alphabetically sort existing modprobe - -commit fe20f3240e2f31099bcaa9f9e2045320df810edf -Author: Raja Grewal -Date: Fri Jul 12 02:28:48 2024 +1000 - - Refactor existing modprobe for clarity - -commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 -Author: Raja Grewal -Date: Fri Jul 12 02:27:56 2024 +1000 - - Remove redundant disabled modules - -commit b7796a5334075d5fa538d7579003fde6287d7e6d -Author: Ben Grande -Date: Thu Jul 11 11:04:22 2024 +0200 - - Unify method to find SUID files - -commit 05c1711b16c96a221c13a011a6666fe6b385ec1e -Author: Patrick Schleizer -Date: Tue Jun 11 12:56:56 2024 +0000 - - bumped changelog version - -commit e48115588caae8e51bb980ac84b1f0f415ca0d17 -Merge: b316352 cad8d85 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:47 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit cad8d857556e29544f742fdac8fe82758a4f885c -Merge: b316352 e198447 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:07 2024 -0400 - - Merge pull request #227 from 3uryd1ce/fix-pam.d-path - - fix(etc): delete typo in /etc/apparmor.d tunables - -commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd -Author: Ashlen -Date: Sat Jun 8 22:17:05 2024 -0600 - - fix(etc): delete typo in /etc/apparmor.d tunables - - /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this - file: /etc/apparmor.d/tunables/home.d/security-misc. 
- -commit b316352ede379d96cff4813735b93eb59506fe42 -Author: Patrick Schleizer -Date: Sat Jun 1 18:13:08 2024 +0000 - - bumped changelog version - -commit c815304026d30f7774f804498d20431ccdf8dc7f -Author: Patrick Schleizer -Date: Sat Jun 1 14:12:57 2024 -0400 - - readme - -commit 641e98e57714f7d38962bfd12d673500b8114356 -Author: Patrick Schleizer -Date: Sat Jun 1 17:35:04 2024 +0000 - - bumped changelog version - -commit e0cd9579d64e6d16667832de51f77a3091ef213e -Author: Patrick Schleizer -Date: Sat Jun 1 13:32:13 2024 -0400 - - remove duplicate `fsckobjects = true` from `/etc/gitconfig` - -commit bbe64a0b7992610dfef6002271718a2aee115cae -Author: Patrick Schleizer -Date: Tue May 28 12:04:53 2024 +0000 - - bumped changelog version - -commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 -Merge: bfca98e a735857 -Author: Patrick Schleizer -Date: Tue May 28 08:02:21 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a7358578520294b51e1001199670a0bbeeb43eb1 -Merge: bfca98e 4efa293 -Author: Patrick Schleizer -Date: Tue May 28 07:55:31 2024 -0400 - - Merge pull request #226 from Kicksecure/gitconfig - - add `/etc/gitconfig` by default for better `git` security - -commit 4efa293f3b76814bc5399a959482d7db6e7431ec -Author: Patrick Schleizer -Date: Tue May 28 07:51:06 2024 -0400 - - add `/etc/gitconfig` by default for better `git` security - - ``` - [core] - symlinks = false - - [transfer] - fsckobjects = true - fsckobjects = true - [fetch] - fsckobjects = true - fsckobjects = true - [receive] - fsckobjects = true - fsckobjects = true - ``` - - + additional suggestions as comments - - fixes https://github.com/Kicksecure/security-misc/issues/225 - -commit bfca98ea89cea0f8604ecca0c8640860320e8e33 -Author: Patrick Schleizer -Date: Sat May 18 20:45:12 2024 +0000 - - bumped changelog version - -commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 -Merge: 5867b1b 12e006e -Author: Patrick Schleizer -Date: Sat May 18 16:42:41 2024 -0400 - - Merge remote-tracking 
branch 'github-kicksecure/master' - -commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a -Merge: 5867b1b 2f71605 -Author: Patrick Schleizer -Date: Sat May 18 16:30:07 2024 -0400 - - Merge pull request #222 from raja-grewal/text - - Update Readme and Copyright - -commit 2f716050d17016be6f550a7de8e0c1030e869e8f -Author: raja-grewal -Date: Sun May 12 01:06:34 2024 +0000 - - Update README.md - -commit 1bb843ec3863696170242c57668d0b3f44f41d7b -Author: Raja Grewal -Date: Sat May 11 13:18:36 2024 +1000 - - Update Copyright (C) to 2024 - -commit dddac1dc4015a28fc6b12244809685295272edd1 -Author: Raja Grewal -Date: Sat May 11 13:15:42 2024 +1000 - - Update README.md - -commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 -Author: Patrick Schleizer -Date: Fri May 10 11:20:36 2024 +0000 - - bumped changelog version - -commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 -Author: Patrick Schleizer -Date: Fri May 10 06:49:34 2024 -0400 - - comment - -commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 -Author: Patrick Schleizer -Date: Fri May 10 06:48:26 2024 -0400 - - chmod +x - -commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 -Merge: a9886a3 0f1119f -Author: Patrick Schleizer -Date: Fri May 10 06:48:04 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f1119f326cd769db8995e8eb54ff35503c70562 -Merge: 547757f 677f75a -Author: Patrick Schleizer -Date: Fri May 10 06:45:57 2024 -0400 - - Merge pull request #221 from raja-grewal/firewire - - Disable Firewire Module - -commit 547757f4514a54437d044656c5e2b6d413a4cc30 -Merge: 7b9fe44 06f13bb -Author: Patrick Schleizer -Date: Fri May 10 06:45:34 2024 -0400 - - Merge pull request #220 from raja-grewal/block_gps - - Block Several GPS-related Modules - -commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 -Merge: 62ea4dc 132b41a -Author: Patrick Schleizer -Date: Fri May 10 06:43:43 2024 -0400 - - Merge pull request #219 from raja-grewal/logging_martians - - Revert Logging of Martians - -commit 
62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 -Merge: a9886a3 4694268 -Author: Patrick Schleizer -Date: Fri May 10 06:43:15 2024 -0400 - - Merge pull request #218 from raja-grewal/secure_cpu - - More CPU Mitigations and Additional References - -commit 677f75ae8ed64af599f837ced15f34990df498e5 -Author: raja-grewal -Date: Thu May 9 02:34:02 2024 +0000 - - Disable `firewire-net` module - -commit 06f13bb766bd84182331aeb1632b917de4b36020 -Author: raja-grewal -Date: Thu May 9 02:28:53 2024 +0000 - - Disable GPS modules like GNSS - -commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a -Author: raja-grewal -Date: Thu May 9 02:25:46 2024 +0000 - - Create disabled-gps-by-security-misc - -commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 -Author: raja-grewal -Date: Thu May 9 02:16:50 2024 +0000 - - Revert logging of martians - -commit 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd -Author: raja-grewal -Date: Sun May 5 12:52:51 2024 +0000 - - Remove a word - -commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 -Author: raja-grewal -Date: Sun May 5 12:50:39 2024 +0000 - - Add vendor links - -commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd -Author: raja-grewal -Date: Wed May 1 13:55:09 2024 +1000 - - RFDS mitigation on Intel Atom CPUs (including E-cores) - -commit 1122b3402c0856a087415d7ba1a313048b7e3eea -Author: raja-grewal -Date: Wed May 1 13:50:42 2024 +1000 - - GDS mitigation for CPUs - -commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c -Author: raja-grewal -Date: Wed May 1 13:49:34 2024 +1000 - - Clarify use of `mitigations=auto` - -commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 -Author: raja-grewal -Date: Wed May 1 13:49:00 2024 +1000 - - Add reference for RETBleed - -commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 -Author: raja-grewal -Date: Wed May 1 13:48:13 2024 +1000 - - Add reference for SSB - -commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 -Author: raja-grewal -Date: Wed May 1 13:47:40 2024 +1000 - - Merge spectre mitigations - -commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 -Author: 
raja-grewal -Date: Wed May 1 13:47:02 2024 +1000 - - Update BHI mitigation reference - -commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 -Author: Patrick Schleizer -Date: Fri Apr 12 06:56:39 2024 +0000 - - bumped changelog version - -commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 -Merge: 7fba04d ab8b6da -Author: Patrick Schleizer -Date: Fri Apr 12 02:54:17 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 -Merge: 7fba04d 4935768 -Author: Patrick Schleizer -Date: Fri Apr 12 02:53:08 2024 -0400 - - Merge pull request #216 from raja-grewal/spectre_bhi - - BHI mitigation on Intel CPUs - -commit 493576836c90653f9c3514fcd5b3bf816e56d689 -Author: raja-grewal -Date: Fri Apr 12 00:17:06 2024 +1000 - - BHI mitigation on Intel CPUs - -commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 -Author: Patrick Schleizer -Date: Mon Apr 1 06:56:45 2024 +0000 - - bumped changelog version - -commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 -Author: Patrick Schleizer -Date: Mon Apr 1 02:55:59 2024 -0400 - - no longer disable MSR by default - - fixes https://github.com/Kicksecure/security-misc/issues/215 - -commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 -Author: Patrick Schleizer -Date: Mon Mar 18 15:10:10 2024 +0000 - - bumped changelog version - -commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f -Author: Patrick Schleizer -Date: Mon Mar 18 11:01:56 2024 -0400 - - lower debugging - -commit 357ea5deab85debb9dff5d9e4e80a972954249c8 -Author: Patrick Schleizer -Date: Mon Mar 11 15:07:50 2024 +0000 - - bumped changelog version - -commit 0a018bdebca167d671d8bda81a2b0d929d396945 -Merge: 57fc487 0b81316 -Author: Patrick Schleizer -Date: Mon Mar 11 10:13:57 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0b8131630041dbd80f1aa61dcedde446208c06f7 -Merge: 57fc487 03ed546 -Author: Patrick Schleizer -Date: Mon Mar 11 10:12:46 2024 -0400 - - Merge pull request #211 from wryMitts/patch-1 - - Create proc 
group on install - -commit 03ed546cd8992b29855ca1c2748ed988dd3c765d -Author: wryMitts <158655396+wryMitts@users.noreply.github.com> -Date: Sun Mar 10 16:55:10 2024 -0400 - - Create proc group on install - - Fixes https://github.com/Kicksecure/security-misc/issues/210 - -commit 57fc487e5e5ffad765f1418236744319cc666871 -Author: Patrick Schleizer -Date: Sun Mar 10 13:19:26 2024 +0000 - - bumped changelog version - -commit a5206bde336c159be065345e7dd5cb86b2b6a27f -Author: Patrick Schleizer -Date: Sun Mar 10 08:44:53 2024 -0400 - - `proc-hidepid.service` add `gid=proc` - - This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. - - https://github.com/Kicksecure/security-misc/issues/208 - -commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 -Author: Patrick Schleizer -Date: Mon Mar 4 11:48:30 2024 +0000 - - bumped changelog version - -commit 6b76373395622bac0e701c6d15c6656658febced -Author: Patrick Schleizer -Date: Mon Mar 4 06:44:26 2024 -0500 - - fix panic-on-oops started every 10s in Qubes-Whonix - - by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach - - Thanks to @marmarek for the bug report! 
- - https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 - -commit af6c6971a741c69a584ba3f92dbfed12e40784dc -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:51 2024 -0500 - - comment - -commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:21 2024 -0500 - - newline - -commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 -Author: Patrick Schleizer -Date: Mon Feb 26 13:32:44 2024 +0000 - - bumped changelog version - -commit 808e72f24bf30b3476ab6b87f96eb636632c195c -Author: Patrick Schleizer -Date: Mon Feb 26 08:11:26 2024 -0500 - - use long options - - https://github.com/Kicksecure/security-misc/issues/172 - -commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d -Author: Patrick Schleizer -Date: Mon Feb 26 08:07:29 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit d8f5376c4f36f5deb734e6dead42a62566d13480 -Author: Patrick Schleizer -Date: Mon Feb 26 07:58:06 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit cf84762a3a84d2be3b9510dddb32bdc433170dfa -Author: Patrick Schleizer -Date: Mon Feb 26 07:52:41 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit f2958bbfa5e67ee10380a25d996826233469080a -Author: Patrick Schleizer -Date: Mon Feb 26 07:49:30 2024 -0500 - - comment - -commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 -Merge: 02d6f67 b23d167 -Author: Patrick Schleizer -Date: Mon Feb 26 07:48:19 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e -Merge: 02d6f67 ef44ece -Author: Patrick Schleizer -Date: Mon Feb 26 07:46:02 2024 -0500 - - Merge pull request #204 from DanWin/sysfs-mount - - Make /sys hardening optional and allow access to /sys/fs to make polkit work - -commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca -Author: Patrick Schleizer -Date: Thu Feb 22 20:08:17 2024 +0000 - - bumped changelog version - 
-commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 -Author: Patrick Schleizer -Date: Thu Feb 22 15:07:53 2024 -0500 - - comments - -commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf -Author: Patrick Schleizer -Date: Thu Feb 22 19:58:01 2024 +0000 - - bumped changelog version - -commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 -Author: Patrick Schleizer -Date: Thu Feb 22 14:57:50 2024 -0500 - - output - -commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 -Author: Daniel Winzen -Date: Thu Feb 22 16:51:23 2024 +0100 - - Add option to disabe /sys hardening - -commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 -Author: Daniel Winzen -Date: Wed Feb 21 20:37:34 2024 +0100 - - Allow access to /sys/fs for polkit - -commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 -Author: Patrick Schleizer -Date: Thu Feb 22 16:07:16 2024 +0000 - - bumped changelog version - -commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 -Author: Patrick Schleizer -Date: Thu Feb 22 11:07:01 2024 -0500 - - ConditionKernelCommandLine=!remountsecure=0 - -commit eb3e0b9292f71a5dba312500508f893779fb1b9c -Author: Patrick Schleizer -Date: Thu Feb 22 14:52:55 2024 +0000 - - bumped changelog version - -commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:52:36 2024 -0500 - - fix systemd unit ExecStart - -commit d148a769b7106831c0b27a7ad63d91ab42257678 -Author: Patrick Schleizer -Date: Thu Feb 22 14:50:05 2024 +0000 - - bumped changelog version - -commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 -Author: Patrick Schleizer -Date: Thu Feb 22 09:49:48 2024 -0500 - - output - -commit f7831db197b2fff33b66eeb44efd749e482315e0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:17:41 2024 -0500 - - do not exit non-zero if folder does not exist - -commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:14:52 2024 -0500 - - output - -commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:13:56 2024 -0500 - - mount 
--make-private - - https://github.com/Kicksecure/security-misc/issues/172 - -commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 -Author: Patrick Schleizer -Date: Thu Feb 22 06:03:59 2024 -0500 - - comment - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd -Author: Patrick Schleizer -Date: Thu Feb 22 06:02:28 2024 -0500 - - allow /opt exec as usually optional binaries are placed there such as firefox - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e -Author: Patrick Schleizer -Date: Thu Feb 22 06:01:00 2024 -0500 - - fix home_noexec_maybe -> most_noexec_maybe - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 38783faf60b85c4e855bf78c87e1c07765776b50 -Author: Patrick Schleizer -Date: Thu Feb 22 05:58:53 2024 -0500 - - add more bind mounts of mount options hardening - - as suggested in https://github.com/Kicksecure/security-misc/pull/202 - -commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 -Author: Patrick Schleizer -Date: Sat Feb 3 18:28:27 2024 +0000 - - bumped changelog version - -commit 02090da08cfd411314ffeeb6df95f73c701f06c6 -Merge: 8037ce5 ba13657 -Author: Patrick Schleizer -Date: Sat Feb 3 12:51:07 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 -Merge: 8037ce5 b16c99a -Author: Patrick Schleizer -Date: Sat Feb 3 12:50:28 2024 -0500 - - Merge pull request #197 from raja-grewal/mitigations - - Additional Explicit CPU Mitigations - -commit b16c99ab62a902b1f61b9d4fe63273cd614e757c -Author: raja-grewal -Date: Mon Jan 29 13:39:40 2024 +0000 - - Remove hardcoded `spec_rstack_overflow` setting - -commit 139b10a9aad85018f87bdc4bb227e938f7955235 -Author: raja-grewal -Date: Mon Jan 29 12:59:13 2024 +0000 - - Control RAS overflow mitigation on AMD Zen CPUs - -commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 -Author: raja-grewal -Date: Mon Jan 29 12:58:51 2024 +0000 - - Enable 
mitigations for RETBleed vulnerability and disable SMT - -commit 4509a5fc95204080f2855849d22c7e05393455d9 -Author: raja-grewal -Date: Mon Jan 29 12:58:14 2024 +0000 - - Enable known mitigations for CPU vulnerabilities and disable SMT - -commit 4231155efa0970d2456b67cc89c8828b0766cf7f -Author: raja-grewal -Date: Mon Jan 29 12:57:48 2024 +0000 - - Add reference for kernel parameters - -commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 -Author: Patrick Schleizer -Date: Thu Jan 25 13:59:29 2024 +0000 - - bumped changelog version - -commit 185bfe749787a8c6e93103ae8c6b0751a169e276 -Author: Patrick Schleizer -Date: Thu Jan 25 06:54:36 2024 -0500 - - use `interest-noawait` instead of `interest-await` - - fixes https://github.com/Kicksecure/security-misc/issues/196 - -commit 64e41b113cae893d1f27f441f99340389ba8b9b3 -Author: Patrick Schleizer -Date: Thu Jan 18 14:10:51 2024 +0000 - - bumped changelog version - -commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c -Author: Patrick Schleizer -Date: Thu Jan 18 08:54:39 2024 -0500 - - readme - -commit f0e2a82b558f64611f037424c6f8f12de32737f6 -Author: Patrick Schleizer -Date: Wed Jan 17 19:18:25 2024 +0000 - - bumped changelog version - -commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 -Author: Patrick Schleizer -Date: Wed Jan 17 14:03:09 2024 -0500 - - use wildcards - - instead of outdated, incomplete list - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 -Author: Patrick Schleizer -Date: Wed Jan 17 13:59:36 2024 -0500 - - minor RPM updates - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 3048e0ac76e4eba1c53b43ba2424157505578cdd -Author: Patrick Schleizer -Date: Wed Jan 17 13:54:07 2024 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 -Author: Patrick Schleizer -Date: Wed Jan 17 13:51:30 2024 -0500 - - remove now empty /bin from copying since it is empty after usrmerge - - 
https://github.com/Kicksecure/security-misc/issues/190 - -commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d -Author: Patrick Schleizer -Date: Wed Jan 17 13:49:05 2024 -0500 - - `sort -d` - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 011e55e3e52485ccd728b4bb249efbc816f38806 -Author: Patrick Schleizer -Date: Wed Jan 17 13:45:17 2024 -0500 - - remove duplicates after usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 -Author: Patrick Schleizer -Date: Wed Jan 17 13:39:56 2024 -0500 - - usrmerge - - fixes https://github.com/Kicksecure/security-misc/issues/190 - -commit 18a06935e0cca3dc090643aad406d861e4583085 -Author: Patrick Schleizer -Date: Wed Jan 17 13:23:20 2024 -0500 - - run permission hardener when new packages are install files to /usr or /opt - - (basically anywhere) - - fixes https://github.com/Kicksecure/security-misc/issues/189 - -commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 -Author: Patrick Schleizer -Date: Tue Jan 16 14:26:34 2024 +0000 - - bumped changelog version - -commit 0d78ecaee37536379ad2f230f45904f57425cb19 -Author: Patrick Schleizer -Date: Tue Jan 16 09:26:21 2024 -0500 - - README - -commit 3ba8fe586e1abe133bd41076278f8663aba7e641 -Author: Patrick Schleizer -Date: Tue Jan 16 09:23:54 2024 -0500 - - update permission-hardener.service - - Which is now only an additional opt-in systemd unit, - because permission-hardener is run by default at security-misc - package installation time. 
- - https://github.com/Kicksecure/security-misc/pull/181 - -commit 186f6015da7b3314c95c2833032c6fe953a71afd -Author: Patrick Schleizer -Date: Tue Jan 16 14:14:18 2024 +0000 - - bumped changelog version - -commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f -Author: Patrick Schleizer -Date: Tue Jan 16 09:10:59 2024 -0500 - - delete legacy folder /etc/permission-hardening.d if empty - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c -Author: Patrick Schleizer -Date: Tue Jan 16 09:05:09 2024 -0500 - - rm_conffile /etc/permission-hardening.d - - https://github.com/Kicksecure/security-misc/pull/181 - -commit fa53848b5cda135fbb8a3855e8508692084fc7e9 -Author: Patrick Schleizer -Date: Tue Jan 16 13:58:55 2024 +0000 - - bumped changelog version - -commit 4f7973bc5628cdc24f5224bd98858249307635d3 -Author: Patrick Schleizer -Date: Tue Jan 16 08:56:26 2024 -0500 - - comment - -commit ed7c09fc46b26440439adf748f597da277a3f1e4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:45:13 2024 -0500 - - permission-hardening -> permission-hardener migration - - mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:32:52 2024 -0500 - - fix postinst for new permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 862bf6b5ab29917138325023eb3507f5fbd5653c -Merge: dc8d9ee bc02c72 -Author: Patrick Schleizer -Date: Tue Jan 16 08:19:28 2024 -0500 - - Merge remote-tracking branch 'ben-grande/clean' - -commit dc8d9eece32dec06e63c580c886a240019b3f33e -Author: Patrick Schleizer -Date: Tue Jan 9 05:52:49 2024 +0000 - - bumped changelog version - -commit 1199871d7bbc7316a7e5822d77eee0666b55b203 -Author: Patrick Schleizer -Date: Sun Jan 7 06:37:34 2024 -0500 - - undo IPv6 privacy due to potential server issues - - 
https://github.com/Kicksecure/security-misc/issues/184 - -commit 128bb01b35d20e97351dfb53768f35482f9756a2 -Author: Patrick Schleizer -Date: Sun Jan 7 06:36:25 2024 -0500 - - undo IPv6 privacy due to potential server issues - - https://github.com/Kicksecure/security-misc/issues/184 - -commit df0f9d3267644c4aea87add2dcade86044c496f0 -Author: Patrick Schleizer -Date: Sat Jan 6 09:19:57 2024 -0500 - - README - -commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e -Author: Patrick Schleizer -Date: Sat Jan 6 09:10:45 2024 -0500 - - revert umask 027 by default - - because broken because this also happens for root while it should not - - https://github.com/Kicksecure/security-misc/issues/185 - -commit 3f1304403fbf04f15dac01963c66f82cd84452d4 -Author: Patrick Schleizer -Date: Sat Jan 6 08:15:31 2024 -0500 - - disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP - - https://github.com/Kicksecure/security-misc/issues/184 - -commit e8f8dcd0fb1c23a62974849f55516da9dce5948e -Author: Patrick Schleizer -Date: Thu Jan 4 02:03:26 2024 +0000 - - bumped changelog version - -commit 70a86fa994c0a894643e876fc86226ad0443a741 -Merge: db0503e 71060f1 -Author: Patrick Schleizer -Date: Wed Jan 3 05:12:48 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 -Merge: db0503e 74afcc9 -Author: Patrick Schleizer -Date: Wed Jan 3 05:00:41 2024 -0500 - - Merge pull request #182 from raja-grewal/io_uring - - Clarify validity of disabling io_uring - -commit 74afcc9c63ad064f20778ad2870690925c3cee81 -Author: Raja Grewal -Date: Wed Jan 3 17:52:23 2024 +1100 - - Clarify validity of disabling io_uring - -commit bc02c72018d6458d4c1852dd441287b277421514 -Author: Ben Grande -Date: Tue Jan 2 17:08:45 2024 +0100 - - Fix unbound variable - - - Run messages preceded by INFO; - - Comment unknown unused variables; - - Remove unnecessary variables; and - - Deal with unbound variable due to subshell by writing to a file; - 
-commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 -Author: Patrick Schleizer -Date: Tue Jan 2 14:55:13 2024 +0000 - - bumped changelog version - -commit abf72c2ee4286ec069f75e66acf05a42f3645c89 -Author: Ben Grande -Date: Tue Jan 2 13:34:29 2024 +0100 - - Rename file permission hardening script - - Hardener as the script is the agent that is hardening the file - permissions. - -commit f138cf0f78c03e3952801d01d25d5f8065ff1457 -Author: Ben Grande -Date: Tue Jan 2 12:17:16 2024 +0100 - - Refactor permission-hardener - - - Organize comments from default configuration; - - Apply and undo changes from a single file controlled by parameters; - - Arrays should be evaluated as arrays and not normal variables; - - Quote variables; - - Brackets around variables; - - Standardize test cases to "test" command; - - Test against empty or non-empty variables with "-z" and "-n"; - - Show a usage message when necessary; - - Require root to run the script with informative message; - - Permit the user to see the help message without running as root; - - Do not create root directories without passing root check; - - Use long options for "set" command; - -commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 -Merge: 94c0e26 8daf97a -Author: Patrick Schleizer -Date: Tue Jan 2 05:30:49 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 -Merge: 94c0e26 f055fe5 -Author: Patrick Schleizer -Date: Tue Jan 2 05:29:35 2024 -0500 - - Merge pull request #178 from raja-grewal/io_uring - - Disable asynchronous I/O - -commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 -Author: Patrick Schleizer -Date: Fri Dec 29 20:15:50 2023 +0000 - - bumped changelog version - -commit 5b36599c0ce35857239c82459828db1ec4215411 -Author: Patrick Schleizer -Date: Fri Dec 29 14:57:38 2023 -0500 - - /dev/, /dev/shm, /tmp - - https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 - -commit e15596e7af6fc645dd652c043397baaa91954915 -Author: 
Patrick Schleizer -Date: Mon Dec 25 16:28:10 2023 +0000 - - bumped changelog version - -commit f64a869bfdd4c746afd206367885851946deb692 -Author: Patrick Schleizer -Date: Mon Dec 25 11:03:22 2023 -0500 - - readme - -commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 -Author: Patrick Schleizer -Date: Mon Dec 25 10:31:58 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 971ff687b1423499c54495a03e5e6fafcbfefb2a -Author: Patrick Schleizer -Date: Mon Dec 25 10:30:35 2023 -0500 - - do not mount /dev/cdrom by default - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 -Author: Patrick Schleizer -Date: Mon Dec 25 10:28:47 2023 -0500 - - remove superfluous, broken `remount` mount option - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 -Author: Patrick Schleizer -Date: Mon Dec 25 09:51:09 2023 -0500 - - no `nofail` mount option to avoid breaking the boot of a system - - unit testing belongs elsewhere - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 -Author: Patrick Schleizer -Date: Mon Dec 25 09:46:33 2023 -0500 - - comment - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 2b7aeedb4a543d0a43a35918999338097d13bb16 -Author: Patrick Schleizer -Date: Mon Dec 25 09:44:51 2023 -0500 - - mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and - nodev,nosuid,noexec - - as per: - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0d9e9780daca563a726470a3a5d6fa8c20487240 -Author: Patrick Schleizer -Date: Mon Dec 25 09:37:14 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 00f9ab43947795c1144d797547968c7c149d6f21 -Author: Patrick Schleizer -Date: Mon Dec 25 09:36:05 2023 -0500 - - /dev devtmpfs - - 
https://github.com/Kicksecure/security-misc/issues/157 - -commit 55709b3aa0acd6cad0c9fedb8782c49fbea79689 -Author: Patrick Schleizer -Date: Mon Dec 25 09:30:57 2023 -0500 - - /tmp tmpfs - - https://github.com/Kicksecure/security-misc/issues/157 - -commit b0dd967611c27f5b8e2472bb74a664aead7a229e -Author: Patrick Schleizer -Date: Mon Dec 25 09:27:45 2023 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 269fada14a616c53d7421e88e662f6893eb1fd88 -Author: Patrick Schleizer -Date: Mon Dec 25 09:25:14 2023 -0500 - - combine bind lines - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 -Author: Patrick Schleizer -Date: Mon Dec 25 09:10:31 2023 -0500 - - fix bluetooth in readme - - fixes https://github.com/Kicksecure/security-misc/issues/180 - -commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 -Author: Patrick Schleizer -Date: Mon Dec 25 09:04:10 2023 -0500 - - readme - -commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 -Author: Patrick Schleizer -Date: Mon Dec 25 08:45:20 2023 -0500 - - formatting - -commit c90ada3c398205227d906e2b2108d36d92edcf3c -Author: Patrick Schleizer -Date: Mon Dec 25 08:37:23 2023 -0500 - - pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md - -commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 -Author: Patrick Schleizer -Date: Mon Dec 25 08:32:34 2023 -0500 - - formatting - -commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 -Author: Patrick Schleizer -Date: Mon Dec 25 08:26:03 2023 -0500 - - improve bluetooth in readme - - as suggested by @monsieuremre - - https://github.com/Kicksecure/security-misc/issues/180 - -commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf -Author: Patrick Schleizer -Date: Fri Dec 22 16:31:58 2023 +0000 - - bumped changelog version - -commit f70a034da2b4b615855504e7080baf1a7e7b461c -Author: Patrick Schleizer -Date: Fri Dec 22 08:31:58 2023 -0500 - - exclude hardened malloc from SUID disabler - - fixes 
https://github.com/Kicksecure/security-misc/issues/179 - -commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 -Author: Raja Grewal -Date: Fri Dec 15 08:33:36 2023 +0000 - - Disable asynchronous I/O - - io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. - -commit 99f2edd4f685cdc9a47b32107125408e12a294c2 -Author: Patrick Schleizer -Date: Tue Dec 12 16:51:21 2023 +0000 - - bumped changelog version - -commit 039de1dc9bd6f3cc6595d66f54d0d88d9b537b17 -Author: Patrick Schleizer -Date: Tue Dec 12 11:50:11 2023 -0500 - - add hardened fstab `/usr/share/doc/security-misc/fstab-vm` - - to the documentation folder as an example - - not directly used by security-misc - - will later be used by Kicksecure VM build process - - https://github.com/Kicksecure/security-misc/issues/157 - -commit dcaafa6c8bf380dd990942e9c10e280943b442a6 -Author: Patrick Schleizer -Date: Mon Dec 4 17:06:45 2023 +0000 - - bumped changelog version - -commit 5a73817a9575fe5bcaf3fd354e5f175db7d45ba4 -Author: Patrick Schleizer -Date: Mon Dec 4 11:38:49 2023 -0500 - - move to `/usr/lib/issue.d/20_security-misc.issue` - - https://github.com/Kicksecure/security-misc/pull/167 - -commit dfaea492c76a277b9cbe84982a135cb4f03a557c -Author: Patrick Schleizer -Date: Mon Dec 4 11:37:02 2023 -0500 - - remove `etc/issue.net.d/20_security-misc` - - since not mentioned on debian.org - -commit 69c895af09f05000ace5f273f3e5032aabf8c64e -Merge: c9ea7a4 36850f8 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:53 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36850f89fb07678ca24eb580a18247e593eac608 -Merge: c9ea7a4 0d7af97 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:16 2023 -0500 - - Merge pull request #167 from monsieuremre/patch-4 - - Non-Identifiable and Generic Issue Banners that include the Recommended Keywords - -commit c9ea7a4dca6e985c3a1044a3b4ddda83909fbc51 -Author: Patrick Schleizer -Date: Mon Dec 4 
11:02:55 2023 -0500 - - use `amd_iommu=force_isolation` instead of `amd_iommu=force_enable` - - because we set `iommu=force` already anyhow - - fixes https://github.com/Kicksecure/security-misc/issues/175 - -commit e83c1d7ed662bb0533c670dd5b7a6745a75e9ca4 -Merge: c4e21ca befd21e -Author: Patrick Schleizer -Date: Mon Dec 4 11:01:02 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit befd21e0c0c38eaf91c7096e9f60120f533a5842 -Merge: c4e21ca f2ad838 -Author: Patrick Schleizer -Date: Mon Dec 4 11:00:29 2023 -0500 - - Merge pull request #176 from monsieuremre/patch-1 - - Iommu Kernel Parameters - -commit c4e21ca5f49fbc2d67853eebca647539acbca815 -Author: Patrick Schleizer -Date: Mon Dec 4 10:58:16 2023 -0500 - - added development philosophy - - https://github.com/Kicksecure/security-misc/issues/154 - -commit feab1432f9d0966118ca233c9f88270b98c3f120 -Author: Patrick Schleizer -Date: Mon Dec 4 10:48:27 2023 -0500 - - clarify scope - - https://github.com/Kicksecure/security-misc/issues/154 - -commit dc04040cb3644c9e3be9b44a34da4a5f7b61f2cc -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:48 2023 -0500 - - typo - -commit 2634dbff2bd9d7482e7b02be2b5b6fa1c58ef6c7 -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:21 2023 -0500 - - shuffle - -commit f2ad8383cfea4bba42e8b246b05b85101d707641 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:51:38 2023 +0000 - - fix - -commit dd15823a97e953750d7a8288c7d3b8d5f554d6f9 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:50:07 2023 +0000 - - undo superfluousness - -commit 83e13bb62d028cfeea7a4d3f3def3bff8d2b5eaa -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:42:34 2023 +0000 - - Update 40_enable_iommu.cfg - -commit 0d7af9707f802fb600d9eb39bbe0b3bd4a65e3b0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:31:12 2023 +0000 - - Update 
20_security-misc - -commit 04d27a10b0cd1c22cb166c9fccb93a09d5f388f0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:55 2023 +0000 - - Update 20_security-misc - -commit 7963f811e1bb6f5e0e2ba41e96b14e4a3a70f847 -Merge: c8b9f5a 82bd913 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:22 2023 +0000 - - Merge branch 'Kicksecure:master' into patch-4 - -commit 82bd9138de750a3590be9c91c898cbd04c550e7e -Author: Patrick Schleizer -Date: Mon Nov 20 13:13:10 2023 +0000 - - bumped changelog version - -commit c2b3ff5243c69c4e1ba28e9966bf0ffd3ce550ce -Author: Patrick Schleizer -Date: Mon Nov 20 04:40:28 2023 -0500 - - moved libpam-tmpdir dependency to kicksecure-meta-packages - - https://github.com/Kicksecure/security-misc/pull/147 - -commit c8b9f5a917e6c415575d6763a65930f1a91a7c78 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:03:19 2023 +0000 - - net - -commit 3b614f3753608bd62ff6bc6e56e15f280994c646 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:02:16 2023 +0000 - - 20_security-misc - -commit 4e4df5dd7c6b5cf1deb179a2c3f8fe7a8844884d -Author: Patrick Schleizer -Date: Sat Nov 11 22:29:57 2023 +0000 - - bumped changelog version - -commit a51674410cb8a7ac2119ea7c85f986223ce8fc25 -Author: Patrick Schleizer -Date: Sat Nov 11 17:29:37 2023 -0500 - - fix - -commit 8d58077d68e6363313cdc62f7fac14840f5d9a8e -Author: Patrick Schleizer -Date: Sat Nov 11 20:22:34 2023 +0000 - - bumped changelog version - -commit 5b85a0b34d30d191654158506e0209b34a8f9fe8 -Author: Patrick Schleizer -Date: Sat Nov 11 14:46:35 2023 -0500 - - license - -commit 7757080519858492a7fcbf735ec854029b29d67a -Author: Patrick Schleizer -Date: Sat Nov 11 13:41:28 2023 -0500 - - change license to AGPL-3+ - - https://forums.whonix.org/t/license-change-to-agplv3/17455 - -commit 20f804f19c046e3ef2b38c367de9d5c80cccccd9 -Author: Patrick Schleizer 
-Date: Mon Nov 6 17:28:21 2023 -0500 - - bumped changelog version - -commit a1e00be0e09a7271a3fae9e9abdbe9a2279b7197 -Author: Patrick Schleizer -Date: Mon Nov 6 16:58:23 2023 -0500 - - update link - -commit 5bb357cac02c7217f4e897a0625f531602ac69cf -Author: Patrick Schleizer -Date: Mon Nov 6 16:55:00 2023 -0500 - - spice-client-glib-usb-acl-helper matchwhitelist - -commit 7309445ee518c093ba3f9aec56197e391e0a194a -Author: Patrick Schleizer -Date: Mon Nov 6 16:52:27 2023 -0500 - - comment - -commit f09d97fc9efc98d8b197a497e2ce4c5965be531a -Author: Patrick Schleizer -Date: Mon Nov 6 16:50:19 2023 -0500 - - whitelist VirtualBox - -commit 64c8c7a8d5a42d2e3da9ce243bc708d1bcbe6039 -Author: Patrick Schleizer -Date: Mon Nov 6 16:47:31 2023 -0500 - - whitelist SSH - -commit 9682b51d548396717867a0c336f1fb1677ccfe2b -Author: Patrick Schleizer -Date: Mon Nov 6 16:44:36 2023 -0500 - - whitelist virtualbox - -commit a40b9bc095bb0f363911dacee050234b3a555744 -Author: Patrick Schleizer -Date: Mon Nov 6 16:40:22 2023 -0500 - - comments - -commit 2c1a3da433b8dc96039caab17e81666896ade58c -Author: Patrick Schleizer -Date: Mon Nov 6 16:38:50 2023 -0500 - - VirtualBoxVM matchwhitelist - -commit 4e96ffaabb7c2e73bf686e56bcaa220f4d2e9e93 -Author: Patrick Schleizer -Date: Mon Nov 6 16:37:19 2023 -0500 - - chrome-sandbox matchwhitelist - -commit df5f3e80566da210ee5d807cc1b5dd53678fdae0 -Author: Patrick Schleizer -Date: Mon Nov 6 16:36:22 2023 -0500 - - output - -commit 72f6e6bb9c2426535bfc48175d88707331ec5346 -Author: Patrick Schleizer -Date: Mon Nov 6 16:28:23 2023 -0500 - - output - -commit 3bc831a1f71a80a178601bdd5c7f06b22ada75ab -Author: Patrick Schleizer -Date: Mon Nov 6 16:27:29 2023 -0500 - - lintian - -commit fd1f38b2ebe31aec04b22d968b38305504f7f935 -Author: Patrick Schleizer -Date: Mon Nov 6 16:22:42 2023 -0500 - - remount-secure systemd unit - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 79f9c1fb3adac319342a22c099401cb21af4429f -Author: Patrick Schleizer -Date: Mon 
Nov 6 15:48:09 2023 -0500 - - add sysinit-post.target - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 2de5ab41201c561a2684f15196ce37b0f34038a9 -Author: Patrick Schleizer -Date: Mon Nov 6 13:47:30 2023 -0500 - - clarify scope of application specific hardening - - fixes https://github.com/Kicksecure/security-misc/issues/154 - -commit 5a96616b39e7188903bd0d35c9812a02fddc02f9 -Author: Patrick Schleizer -Date: Sun Nov 5 21:13:14 2023 -0500 - - bumped changelog version - -commit ad079ac5cc4d7ce2270e9abf21fa520fc9b2761f -Author: Patrick Schleizer -Date: Sun Nov 5 20:55:55 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/pull/152 - -commit be023c77223c4ec0e26ffe2a88acd94653efee9a -Author: Patrick Schleizer -Date: Sun Nov 5 20:54:43 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/issues/159 - -commit e1f413c1ee5107468cb2a9c4aa8bd061d0dc911b -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:26 2023 -0500 - - disable harden-module-loading.service for now - - due to issues - - https://github.com/Kicksecure/security-misc/issues/159 - -commit f2ea1abc9b3efc035f4d1381bece458de9b89ff3 -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:03 2023 -0500 - - comment - -commit 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 -Author: Patrick Schleizer -Date: Sun Nov 5 20:49:36 2023 -0500 - - Revert "remove no longer required remount-service systemd unit" - - This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073. 
- - https://github.com/Kicksecure/security-misc/pull/152 - -commit 24b4d59ce41bc95e0b0aadf401223dc40b0f9c8f -Author: Patrick Schleizer -Date: Sun Nov 5 20:14:33 2023 -0500 - - bumped changelog version - -commit 4482f1841cfc6caa063e2274db890cfa01944811 -Author: Patrick Schleizer -Date: Sun Nov 5 20:13:14 2023 -0500 - - newline - -commit c5167c8f0d398946fdfae56fa78b32fade4cb451 -Author: Patrick Schleizer -Date: Sun Nov 5 20:12:03 2023 -0500 - - fix systemd unit - - https://github.com/Kicksecure/security-misc/issues/159 - -commit 2571bbf315693f65f564ef4ad1b2ff4941f2ebc3 -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:25 2023 -0500 - - duplicate - -commit aa170878838b2218da8295be8b6898bc86056cec -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:08 2023 -0500 - - update path - -commit d203e539aa975b042cd6ec9608a0cc16b3314372 -Author: Patrick Schleizer -Date: Sun Nov 5 18:17:59 2023 -0500 - - bumped changelog version - -commit 4ebab940c750154a396c4ffdbde61367e12c72f8 -Author: Patrick Schleizer -Date: Sun Nov 5 17:56:35 2023 -0500 - - description too long, fixed - -commit ad010ef5b4c90e4abbd1c88724f99450740fb2eb -Author: Patrick Schleizer -Date: Sun Nov 5 17:52:44 2023 -0500 - - debugging - -commit 826e76d037f88636fdde7d4ef1eb72f29ac5f4a5 -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:33 2023 -0500 - - bumped changelog version - -commit 3130a39d8c280d913fb632a40562438b82a499bb -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:07 2023 -0500 - - set -e - -commit 18a2d814cc0c477599b276bb319ed8bdd34499ea -Merge: 4fda9d2 36f3c30 -Author: Patrick Schleizer -Date: Sun Nov 5 17:42:28 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36f3c30440e73c8bf4946742095f0495994fed99 -Merge: 4fda9d2 2e64d89 -Author: Patrick Schleizer -Date: Sun Nov 5 17:41:56 2023 -0500 - - Merge pull request #148 from monsieuremre/module-loading-hardening - - Harden the loading of new modules to the kernel after install - -commit 4fda9d2e8459c043ec27178ceb87483229b45d5f 
-Author: Patrick Schleizer -Date: Sun Nov 5 16:46:18 2023 -0500 - - bumped changelog version - -commit 4219347f0a739ed1ea93a596968295ddcd3a940f -Author: Patrick Schleizer -Date: Sun Nov 5 16:43:44 2023 -0500 - - fix permission-hardener config parsing issue - -commit e72f79236b7b704c60c6920b51c86832f4fda9e3 -Author: Patrick Schleizer -Date: Sun Nov 5 16:41:41 2023 -0500 - - refactoring - -commit dea0d9a78a99c441a1738f88cef2cd3c5f433454 -Author: Patrick Schleizer -Date: Sun Nov 5 16:40:49 2023 -0500 - - fix permission-hardener config parsing issue - -commit 017ae18ad7a757a18c5a7a92677f24053280e8b5 -Author: Patrick Schleizer -Date: Sun Nov 5 16:39:10 2023 -0500 - - fix permission-hardener config parsing issue - -commit 65e3c14643ca2b5167e0f5bc30a6bbc45cb4f645 -Author: Patrick Schleizer -Date: Sun Nov 5 16:35:11 2023 -0500 - - fix permission-hardener config parsing issue - -commit 40e536a9beb48f1938e67ae2010fc34f80e3bd1f -Author: Patrick Schleizer -Date: Sun Nov 5 16:04:03 2023 -0500 - - bumped changelog version - -commit 51decff2fd48c2437b08136e97d4211e5eaccd89 -Author: Patrick Schleizer -Date: Sun Nov 5 16:03:36 2023 -0500 - - exclude qfile-unpacker from permission hardener - -commit 52b6e92e002987952c908eeb05a293dd401ee9be -Author: Patrick Schleizer -Date: Sun Nov 5 15:58:21 2023 -0500 - - bumped changelog version - -commit 1900c1ab07e4d55577815b942b34457596a1d703 -Author: Patrick Schleizer -Date: Sun Nov 5 15:57:49 2023 -0500 - - pam exclude from permission-hardener - -commit 76e3a3c5f9fa5e95b90e4ea3f3ba7019615a3d1a -Author: Patrick Schleizer -Date: Sun Nov 5 15:29:38 2023 -0500 - - bumped changelog version - -commit d4494fd3c341796081dd8c114c8cc97e627c236c -Author: Patrick Schleizer -Date: Sun Nov 5 15:27:09 2023 -0500 - - disable remount-secure dracut modules - - pending new systemd based implementation - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 949c1633701ac168e908794d4dd74c5a9b09a437 -Author: Patrick Schleizer -Date: Sun Nov 5 15:14:43 
2023 -0500 - - bumped changelog version - -commit 4a19fbae0be2ab99c1f21826eca2ec3cef605a0e -Author: Patrick Schleizer -Date: Sun Nov 5 15:13:01 2023 -0500 - - move permission-hardening to /usr/bin to make it more easily accessible - -commit c75f80b29f2fee3f2ead579390b8d3a8ff86b9d2 -Author: Patrick Schleizer -Date: Sun Nov 5 15:09:29 2023 -0500 - - lower verbosity of permission hardener - - fixes https://github.com/Kicksecure/security-misc/issues/158 - -commit 0544657123100b333211a91ef32054dc7e14c7db -Author: Patrick Schleizer -Date: Sun Nov 5 14:56:06 2023 -0500 - - bumped changelog version - -commit 42be6310237bdb663f38982b221327a337251e0a -Author: Patrick Schleizer -Date: Sun Nov 5 14:54:05 2023 -0500 - - readme - -commit 55ba5d48321ec4224bcbf03cf2bf51226cf34e50 -Author: Patrick Schleizer -Date: Sun Nov 5 14:51:31 2023 -0500 - - renamed: usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf -> usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf - renamed: usr/lib/NetworkManager/conf.d/99_randomize-mac.conf -> usr/lib/NetworkManager/conf.d/80_randomize-mac.conf - renamed: usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf -> usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf - -commit eab5d7d4ec58baaf7eedc777e250ad9f00e4b71b -Author: Patrick Schleizer -Date: Sun Nov 5 14:50:13 2023 -0500 - - cleanup - -commit 811d1cd0dd0dcb9021d2f72638dd6c12b734964c -Merge: 9343795 5a75bcf -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:43 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5a75bcfb19ac6c555a52cb1600e4efd13a8cfc06 -Merge: 9343795 229032d -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:00 2023 -0500 - - Merge pull request #145 from monsieuremre/wifi-and-bluetooth - - Wifi and Bluetooth Patch | Security and Privacy - -commit 93437952b4f64866dfe6067d8caf19415112418d -Author: Patrick Schleizer -Date: Sun Nov 5 14:41:01 2023 -0500 - - readme - -commit f32b5438872ad0b9e10cb7b0519f1f18fce1913e -Merge: 56b90ee 4946f85 
-Author: Patrick Schleizer -Date: Sun Nov 5 14:38:20 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4946f85d43083c64bc3f8f02e26b08f79b622bfe -Merge: 817ca11 1abac79 -Author: Patrick Schleizer -Date: Sun Nov 5 14:37:47 2023 -0500 - - Merge pull request #146 from monsieuremre/thunderbird - - Thunderbird Hardening - -commit 56b90eecbfb21e546d52d1f41ce9361f2843cd71 -Merge: 3178677 817ca11 -Author: Patrick Schleizer -Date: Sun Nov 5 14:35:23 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 817ca116f693893e6dcb69254ee91815d200b8a1 -Merge: d9b5d77 fbd9e5d -Author: Patrick Schleizer -Date: Sun Nov 5 14:34:13 2023 -0500 - - Merge pull request #153 from monsieuremre/readme - - Updated Readme - -commit 317867758478619fe1df4ebdb5e22240c40104c0 -Merge: dcead44 d9b5d77 -Author: Patrick Schleizer -Date: Sun Nov 5 14:32:21 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit d9b5d770cfd5f7747f1d606f3136a93034928f30 -Merge: dcead44 ac224b2 -Author: Patrick Schleizer -Date: Sun Nov 5 14:31:26 2023 -0500 - - Merge pull request #150 from monsieuremre/sysreq - - Disable SysRq by default - -commit dcead44cc6d4272b0966562046f9dab1792845b6 -Author: Patrick Schleizer -Date: Sun Nov 5 11:32:46 2023 -0500 - - output - -commit f6bf69b41fa3e1168c2c49884197770e1a78b888 -Author: Patrick Schleizer -Date: Sun Nov 5 11:31:09 2023 -0500 - - update link - -commit 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 21:18:45 2023 +0000 - - undo unnecessary manual activation - -commit 19eceaa8108879ee5477b157fb2175993c487959 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:46 2023 +0000 - - more fix - -commit a187d23c4187fd08611e5cba85d09666dfd9f735 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:08 2023 +0000 - - big fix - -commit 
fbd9e5d017c4b00d838e9f225c7748c4b362f023 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 14:33:35 2023 +0000 - - README.md - -commit 97054b2b1076d6d428996967304b29620923eff4 -Author: Patrick Schleizer -Date: Fri Nov 3 15:55:17 2023 -0400 - - revert enabling kernel module signature enforcement - - due to issues - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 - - https://github.com/dell/dkms/issues/359 - -commit 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d -Author: Patrick Schleizer -Date: Fri Nov 3 14:53:40 2023 -0400 - - readme - -commit 0242c04dc26638dc1250e3f681b46d15459cf8aa -Author: Patrick Schleizer -Date: Fri Nov 3 14:51:14 2023 -0400 - - port to DKMS drop-in folder - - undisplace /etc/dkms/framework.conf.security-misc - moved to /etc/dkms/framework.conf.d/30_security-misc.conf - -commit d1b5a3ffd525ec92554ffc9c666f8007c8522aac -Author: Patrick Schleizer -Date: Fri Nov 3 12:55:34 2023 -0400 - - /usr/sbin/pam-tmpdir-helper exactwhitelist - - https://github.com/Kicksecure/security-misc/pull/147 - -commit 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:24 2023 -0400 - - bumped changelog version - -commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:00 2023 -0400 - - Revert "allow loading unsigned modules due to issues" - - This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. 
- -commit 04b210ee88589ef9e6e214d3a5a614780244abc9 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:48 2023 -0400 - - bumped changelog version - -commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce -Merge: ceffd2b 8e66a41 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:33 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 -Merge: ceffd2b 7dc99d5 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:00 2023 -0400 - - Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening - - Depend on libpam-tmpdir for very solid extra security - -commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 -Author: Patrick Schleizer -Date: Fri Nov 3 12:09:39 2023 -0400 - - fix - -commit 2a602e78d6ca0f87f11de9a30ae2114468243075 -Merge: 3ee4be6 ceffd2b -Author: Patrick Schleizer -Date: Fri Nov 3 12:08:50 2023 -0400 - - Merge branch 'master' into PAM-tmp-files-hardening - -commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 -Author: Patrick Schleizer -Date: Fri Nov 3 12:06:43 2023 -0400 - - bumped changelog version - -commit cdd66ee3762c441843d421a9e6b11a20580ed7ac -Author: Patrick Schleizer -Date: Fri Nov 3 10:48:46 2023 -0400 - - wrap-and-sort - -commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 -Author: Patrick Schleizer -Date: Fri Nov 3 10:44:48 2023 -0400 - - readme - -commit d71ac03d96c9861513ff56c68aec9090ef5c50bb -Author: Patrick Schleizer -Date: Fri Nov 3 10:36:15 2023 -0400 - - comment - -commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a -Author: Patrick Schleizer -Date: Fri Nov 3 10:33:02 2023 -0400 - - bumped changelog version - -commit b85d48eb83005da8fd9edc658c71493f407e3670 -Author: Patrick Schleizer -Date: Fri Nov 3 10:31:59 2023 -0400 - - do not change default umask for root - - since this causes permission issues in `/etc/` - - https://github.com/Kicksecure/security-misc/pull/151 - -commit 07540db90d60b10cbd10881b0024d8e8871330de -Author: Patrick Schleizer -Date: Fri Nov 3 09:45:12 2023 -0400 - - Revert "Revert 
"set default umask to 027"" - - This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. - -commit f8913ceb2e2fdd274011377c41b5d08e7459e4af -Author: Patrick Schleizer -Date: Fri Nov 3 09:43:44 2023 -0400 - - Revert "set default umask to 027" - - This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. - -commit 43bd789c30a562aa60349d019107277a428aece8 -Author: Patrick Schleizer -Date: Fri Nov 3 09:28:08 2023 -0400 - - bumped changelog version - -commit cd216095eb8d9387437e653d7764ec765ce42a10 -Author: Patrick Schleizer -Date: Fri Nov 3 09:12:24 2023 -0400 - - set default umask to 027 - - using package libpam-umask - - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 - - https://github.com/Kicksecure/security-misc/pull/151 - -commit ac224b270a3a0945d187202f8cca89af0e71a166 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 13:01:55 2023 +0000 - - disable sysrq - -commit 07882f61a8003026a9e4c135a6e18a8fd204060f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:44:19 2023 +0000 - - enable service on install - - not sure if this would be the right way to do it - -commit 9f063584c1f96267b04f8f7fe0eee773f9345370 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:28:41 2023 +0000 - - disable-kernel-module-loading - -commit 3e604618a8ba2531553af4f9af00470bd9629615 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:24:35 2023 +0000 - - harden-module-loading.service - -commit 3ee4be652b28201ba208757ce5144e51c453ad70 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:36:58 2023 +0000 - - depend on libpam-tmpdir - -commit 1abac794b564d178df37a385cf0d25bac5842c3c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:15:20 2023 +0000 - - very secure and private defaults - -commit 
5a583ca48ce608fee4fe55c1d6948505e83a98d8 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 08:30:26 2023 +0000 - - typo in file name - -commit 229032d691c614a926cf3cf96b44752364e4e087 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:54:05 2023 +0000 - - Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf - -commit 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:52:40 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf - -commit 76e684cc0ac0544219d200eeefae1356864fe702 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:51:27 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf - -commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 -Author: Patrick Schleizer -Date: Wed Nov 1 12:26:21 2023 -0400 - - bumped changelog version - -commit bb14a058520b13e242fea9f3022c439c4677bd1d -Merge: 5ed2a5c 44906e8 -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:54 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 44906e8f398aae6e9565b131b82124e738e2d0d1 -Merge: 5ed2a5c f2c23a2 -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:27 2023 -0400 - - Merge pull request #142 from monsieuremre/patch-5 - - ssh config - -commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a -Author: Patrick Schleizer -Date: Wed Nov 1 11:10:36 2023 -0400 - - bumped changelog version - -commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d -Merge: 7d57684 b7cddd6 -Author: Patrick Schleizer -Date: Wed Nov 1 10:31:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 -Merge: 7d57684 
c975c3c -Author: Patrick Schleizer -Date: Wed Nov 1 10:30:26 2023 -0400 - - Merge pull request #143 from monsieuremre/patch-6 - - new lines 990-security-misc.conf - -commit fc8e201e84e4c777c087fd113c539ca368fd3a31 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:49:24 2023 +0000 - - rename - -commit 90a88225a4fde2f09cc14b24f8467bb1ded90c9d -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:38:31 2023 +0000 - - security-misc.maintscript - -commit 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:34:21 2023 +0000 - - 30_security-misc.conf - -commit b298d152fc10c66892698d9dcae769a44a32037b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:32:08 2023 +0000 - - 30_security-misc.conf - -commit 3d4b04fddc16067ed345074683281e74f41eeadf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:35:39 2023 +0000 - - 99_ipv6-privacy.conf - -commit e90f62eaabfeee7483af573ef8e9d015ba1977dc -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:34:15 2023 +0000 - - 99_randomize_mac.conf - -commit 604d839537c409604ed2c4c88992ea1a31368f6f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:30:26 2023 +0000 - - 99_ipv6-privacy-extensions.conf - -commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 11:07:53 2023 +0000 - - new lines 990-security-misc.conf - - added new recommended hardening settings with comments - -commit f2c23a28319e359c642da2dde424456a1064763f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 10:53:45 2023 +0000 - - ssh config - -commit 7d576842fb6f3c124db2b6deb5abfc095974a67f -Author: Patrick Schleizer -Date: Thu Oct 26 
20:08:41 2023 -0400 - - bumped changelog version - -commit 7cff267002485fd0abca98d12b0024e061f4ba51 -Author: Patrick Schleizer -Date: Thu Oct 26 19:31:14 2023 -0400 - - remove duplicates - -commit 928cdb81d43dfd337c82917182d2914d9c9d0915 -Merge: a330a9f 39fed05 -Author: Patrick Schleizer -Date: Thu Oct 26 19:29:55 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 39fed058f4734029b303fac4ea9a1b11f652fab4 -Merge: 92a6ecc 99355c6 -Author: Patrick Schleizer -Date: Thu Oct 26 19:27:41 2023 -0400 - - Merge pull request #140 from monsieuremre/patch-3 - - New lines in default permission config - -commit a330a9fd75314931639e7e873adc31c5cc65d555 -Author: Patrick Schleizer -Date: Thu Oct 26 19:20:21 2023 -0400 - - refactor permission-lockdown - -commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 -Merge: 1123d23 92a6ecc -Author: Patrick Schleizer -Date: Thu Oct 26 19:15:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc -Merge: ca9603a 91c4452 -Author: Patrick Schleizer -Date: Thu Oct 26 19:13:34 2023 -0400 - - Merge pull request #141 from monsieuremre/patch-4 - - New permission-lockdown - -commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 -Author: Patrick Schleizer -Date: Thu Oct 26 18:45:07 2023 -0400 - - remount-secure: disable debugging to save space in initrd - -commit 91c445244c47c163e2466f8c4dff710eda20c337 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:41:07 2023 +0000 - - actually we do it once indeed - -commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:35:59 2023 +0000 - - avoiding /etc/passwd - -commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:31:25 2023 +0000 - - readability - -commit f487752ba1b469eb0b2f85657e2ee0860f58496b -Author: 
monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:30:58 2023 +0000 - - not limiting ourselves. we do not do this not just once. - -commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:25:24 2023 +0000 - - strip unnecessary - -commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 18:17:50 2023 +0000 - - new permission-lockdown - -commit 99355c616974d167e3a5424d63cd56b1f64f0eaf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 17:45:28 2023 +0000 - - new lines 30_default.conf - -commit ca9603af1713ff37392662c9d1b4251052e7b983 -Author: Patrick Schleizer -Date: Thu Oct 26 12:23:48 2023 -0400 - - bumped changelog version - -commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be -Author: Patrick Schleizer -Date: Thu Oct 26 12:20:48 2023 -0400 - - enable SUID Disabler and Permission Hardener by default - - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 - -commit e5d989af5ac2899985c48d60311856fb86e0ddeb -Author: Patrick Schleizer -Date: Thu Oct 26 12:04:13 2023 -0400 - - comment - -commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 -Author: Patrick Schleizer -Date: Wed Oct 25 17:55:37 2023 -0400 - - bumped changelog version - -commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 -Author: Patrick Schleizer -Date: Wed Oct 25 17:41:05 2023 -0400 - - comment - -commit 5d71217e597aa3366658524ec5395c9f76dd527b -Merge: 6a22351 a2f811a -Author: Patrick Schleizer -Date: Wed Oct 25 17:40:13 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6a22351d298e475ecae22bb99249a308b294ff9a -Author: Patrick Schleizer -Date: Wed Oct 25 17:30:07 2023 -0400 - - renamed: usr/lib/sysctl.d/30_security-misc.conf -> 
usr/lib/sysctl.d/990-security-misc.conf - -commit b7c52800f4c16b1573e372089704a68fd47c5906 -Author: Patrick Schleizer -Date: Wed Oct 25 17:28:43 2023 -0400 - - renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf - renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf - renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf - -commit a2f811aff0cb4e73c3975093012c223127495707 -Merge: 3317332 ee6716e -Author: Patrick Schleizer -Date: Wed Oct 25 17:26:46 2023 -0400 - - Merge pull request #135 from monsieuremre/kernel-fix - - Kernel hardening fix - -commit ee6716e178806912da08b671ae31504ed2f3ac56 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Tue Oct 24 20:43:10 2023 +0000 - - security-misc.maintscript - -commit 3317332cb431115f81d832ba974181c74427c884 -Author: Patrick Schleizer -Date: Tue Oct 24 05:51:11 2023 -0400 - - bumped changelog version - -commit 42c802cd1eca3d2586abde871e4842cdf83490c4 -Merge: f3b40f1 5320c11 -Author: Patrick Schleizer -Date: Tue Oct 24 05:30:15 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba -Merge: f3b40f1 f0857fd -Author: Patrick Schleizer -Date: Tue Oct 24 05:22:33 2023 -0400 - - Merge pull request #134 from monsieuremre/patch-1 - - Fix double mount issue for /var/log and /var/tmp - -commit 1f489719efb37492b9c040ba4e332e8dd70fde1f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:58 2023 +0000 - - rename - -commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:40 2023 +0000 - - more rename - -commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:23 2023 +0000 - - rename - -commit 
f0857fd5608525115bd8a96c2f75368263f6f830 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 15:33:05 2023 +0000 - - Fix double mount issue for /var/log and /var/tmp - - Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. - -commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 -Author: Patrick Schleizer -Date: Sun Oct 22 19:23:22 2023 -0400 - - bumped changelog version - -commit d2e8a6dad3b94d574cb9c043303160b06893ab97 -Author: Patrick Schleizer -Date: Sun Oct 22 19:21:51 2023 -0400 - - debugging - -commit e7aafd64d4418d43426b310653861f9024a54255 -Author: Patrick Schleizer -Date: Sun Oct 22 19:16:12 2023 -0400 - - refactoring - -commit ee15f749bb4e68350498e52e8505bed43c98cbaf -Author: Patrick Schleizer -Date: Sun Oct 22 16:54:58 2023 -0400 - - bumped changelog version - -commit d521662d04892fb6d5477fa4450fb5488892a87a -Author: Patrick Schleizer -Date: Sun Oct 22 16:49:36 2023 -0400 - - comment - -commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f -Author: Patrick Schleizer -Date: Sun Oct 22 16:45:10 2023 -0400 - - fix - -commit a1c3b87fcee07496af4b42e387b46488b58b73a0 -Author: Patrick Schleizer -Date: Sun Oct 22 16:29:08 2023 -0400 - - bumped changelog version - -commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d -Author: Patrick Schleizer -Date: Sun Oct 22 16:22:08 2023 -0400 - - fix - -commit 9a649ddd091b116c9091f3fa582d411b5186375a -Author: Patrick Schleizer -Date: Sun Oct 22 16:16:40 2023 -0400 - - bumped changelog version - -commit 11382881b56556741fad5f0291ccb57a24e9c617 -Author: Patrick Schleizer -Date: Sun Oct 22 16:12:26 2023 -0400 - - comments - -commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 -Author: Patrick Schleizer -Date: Sun Oct 22 16:08:21 2023 -0400 - - improve remount-secure - -commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 -Author: Patrick 
Schleizer -Date: Sun Oct 22 15:44:47 2023 -0400 - - bumped changelog version - -commit a88c0a3ad2d83fe72612faf97866e255c5527384 -Author: Patrick Schleizer -Date: Sun Oct 22 15:44:30 2023 -0400 - - fix - -commit 316282952f7d2470c89f268beea01b8bac9bb4bb -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:59 2023 -0400 - - bumped changelog version - -commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:49 2023 -0400 - - fix - -commit 7112eac3be014938f757e0c0def74bb04dc72d2f -Author: Patrick Schleizer -Date: Sun Oct 22 15:37:21 2023 -0400 - - output - -commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 -Author: Patrick Schleizer -Date: Sun Oct 22 15:36:16 2023 -0400 - - fix - -commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 -Author: Patrick Schleizer -Date: Sun Oct 22 15:35:03 2023 -0400 - - comment - -commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:21 2023 -0400 - - bumped changelog version - -commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:11 2023 -0400 - - fix - -commit 36f2acb93f65958b27bae030f1d2bd66a278e073 -Author: Patrick Schleizer -Date: Sun Oct 22 15:28:04 2023 -0400 - - bumped changelog version - -commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 -Author: Patrick Schleizer -Date: Sun Oct 22 15:27:01 2023 -0400 - - fix - -commit 3731716a497c233127bff3febbe22d5cf088aad8 -Author: Patrick Schleizer -Date: Sun Oct 22 15:14:22 2023 -0400 - - fix - -commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 -Author: Patrick Schleizer -Date: Sun Oct 22 15:11:26 2023 -0400 - - fix - -commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:10:21 2023 -0400 - - fix - -commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 -Author: Patrick Schleizer -Date: Sun Oct 22 15:05:33 2023 -0400 - - fix - -commit f44020973897d98fdc21ced748ad64106979829e -Author: Patrick Schleizer -Date: Sun Oct 22 14:46:42 2023 -0400 
- - bumped changelog version - -commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 -Author: Patrick Schleizer -Date: Sun Oct 22 14:45:45 2023 -0400 - - fix - -commit c85db586cadbe781704e62405a76e43650046d2c -Author: Patrick Schleizer -Date: Sun Oct 22 14:44:58 2023 -0400 - - improve - -commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 -Author: Patrick Schleizer -Date: Sun Oct 22 14:39:52 2023 -0400 - - fix - -commit b29b626b41545fd49b67631820ae40d0fe000f22 -Author: Patrick Schleizer -Date: Sun Oct 22 14:30:28 2023 -0400 - - bumped changelog version - -commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 -Author: Patrick Schleizer -Date: Sun Oct 22 14:29:02 2023 -0400 - - fix - -commit 245fad09868c2d84bee66d65ecca32704786919b -Author: Patrick Schleizer -Date: Sun Oct 22 14:00:06 2023 -0400 - - fix - -commit 619f1705e13232680f38bc630f19f2ace32f48ad -Author: Patrick Schleizer -Date: Sun Oct 22 13:58:55 2023 -0400 - - output - -commit 52fa7db0874be85a3db296499ab76f84a5f518db -Author: Patrick Schleizer -Date: Sun Oct 22 13:57:38 2023 -0400 - - output - -commit 8a592c2e371de1136d566e707ba56ce89309230a -Author: Patrick Schleizer -Date: Sun Oct 22 13:56:17 2023 -0400 - - fix remountsecure kernel parameter logic - -commit 3c183294cd8a402418eafc1e657c6524be49c487 -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:55 2023 -0400 - - bumped changelog version - -commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:44 2023 -0400 - - todo - -commit 6675a2e93194ea15daeb22bee707cf49563f69fe -Author: Patrick Schleizer -Date: Sun Oct 22 13:30:50 2023 -0400 - - fix - -commit 4288e10554f854d6dd9be092ddbf6a62686b1549 -Author: Patrick Schleizer -Date: Sun Oct 22 13:25:31 2023 -0400 - - fix, rework remount-secure kernel parameters parsing - -commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 -Author: Patrick Schleizer -Date: Sun Oct 22 13:12:25 2023 -0400 - - fix - -commit 28cb53341d48ece9e042caea03e7159b0f93c2ee -Author: Patrick Schleizer -Date: Sun Oct 22 
13:11:44 2023 -0400 - - remount-secure dracut module: improve output - -commit f70f36e6cfead0038075d715e430e15aedae459f -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:41 2023 -0400 - - bumped changelog version - -commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:20 2023 -0400 - - remove no longer required remount-service systemd unit - -commit 84ca0ac8a0b6a72a28e030081299b402749b9348 -Author: Patrick Schleizer -Date: Sun Oct 22 12:54:25 2023 -0400 - - improve remount-secure - -commit 1696c37251fe6158118ac3a694c2e11439de5c46 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:18 2023 -0400 - - bumped changelog version - -commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:08 2023 -0400 - - debugging - -commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 -Author: Patrick Schleizer -Date: Sun Oct 22 11:13:05 2023 -0400 - - bumped changelog version - -commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 -Author: Patrick Schleizer -Date: Sun Oct 22 11:12:54 2023 -0400 - - improve - -commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 -Author: Patrick Schleizer -Date: Sun Oct 22 11:11:10 2023 -0400 - - fix - -commit 26826e8398c4d3feed07e8e3e095a87bbde9907a -Author: Patrick Schleizer -Date: Sun Oct 22 11:06:34 2023 -0400 - - fix - -commit a423b85f81e0c066271ad7db78902ccddbeabb5a -Author: Patrick Schleizer -Date: Sun Oct 22 10:50:30 2023 -0400 - - bumped changelog version - -commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e -Author: Patrick Schleizer -Date: Sun Oct 22 10:49:53 2023 -0400 - - output - -commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 -Author: Patrick Schleizer -Date: Sun Oct 22 10:41:42 2023 -0400 - - refactoring - -commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:40:19 2023 -0400 - - no longer reproducible - -commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e -Author: Patrick Schleizer -Date: Sun Oct 22 10:38:48 2023 -0400 - - 
refactoring - -commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c -Author: Patrick Schleizer -Date: Sun Oct 22 10:37:02 2023 -0400 - - /home last because most likely to fail - -commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 -Author: Patrick Schleizer -Date: Sun Oct 22 10:32:24 2023 -0400 - - improve remount-secure - -commit ef69e512bd2e2eba0e292470bfef6336216e2605 -Author: Patrick Schleizer -Date: Sun Oct 22 10:25:57 2023 -0400 - - refactoring - -commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:22:21 2023 -0400 - - use findmnt - -commit 1120d0652ddead556801958973d61502b75f9fc7 -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:53 2023 -0400 - - bumped changelog version - -commit 45ce0ff74d8f42d6a424e0742989008403891f8a -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:43 2023 -0400 - - debugging - -commit b81a991731e912fa0f7d4ca59b0531bafb02a25a -Author: Patrick Schleizer -Date: Sun Oct 22 10:15:11 2023 -0400 - - fix - -commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 -Author: Patrick Schleizer -Date: Sun Oct 22 10:11:31 2023 -0400 - - fix - -commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 -Author: Patrick Schleizer -Date: Sun Oct 22 10:10:51 2023 -0400 - - fix - -commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:54 2023 -0400 - - bumped changelog version - -commit 181a6424796b1cafc87a8d74aad197135381a389 -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:38 2023 -0400 - - root check - -commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e -Author: Patrick Schleizer -Date: Sun Oct 22 09:44:17 2023 -0400 - - /var/run -> /run - -commit 33d97a2560fe4aaab24f90057e825802541a408b -Author: Patrick Schleizer -Date: Sun Oct 22 09:39:54 2023 -0400 - - improve output of remount-secure dracut module - -commit c409e3221e179437ed0b162dde1e72cd116ba795 -Author: Patrick Schleizer -Date: Sun Oct 22 09:36:03 2023 -0400 - - implement remount-secure - -commit 
f472ce690ae350085d40cfd5ec46084dc559a51d -Author: Patrick Schleizer -Date: Sun Oct 22 08:57:35 2023 -0400 - - comments - -commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c -Author: Patrick Schleizer -Date: Sun Oct 22 08:51:37 2023 -0400 - - code simplification - -commit 167683ce763e97838e62950f00313b63d7c968b0 -Author: Patrick Schleizer -Date: Sun Oct 22 08:50:57 2023 -0400 - - code simplification - -commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 -Author: Patrick Schleizer -Date: Sun Oct 22 08:12:30 2023 -0400 - - bumped changelog version - -commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 -Author: Patrick Schleizer -Date: Sun Oct 22 08:10:48 2023 -0400 - - add remount-secure dracut module - -commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 -Author: Patrick Schleizer -Date: Sun Oct 22 07:51:05 2023 -0400 - - comment - -commit e257f2a3806ba7013e8e47005fde1385044bc8d9 -Author: Patrick Schleizer -Date: Sun Oct 22 07:50:14 2023 -0400 - - remount-secure: - no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut - -commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 -Author: Patrick Schleizer -Date: Sun Oct 22 07:06:00 2023 -0400 - - bumped changelog version - -commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 -Author: Patrick Schleizer -Date: Sun Oct 22 06:51:52 2023 -0400 - - move remount-secure to /usr/bin/remount-secure to make it easier to manually run - -commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e -Author: Patrick Schleizer -Date: Sun Oct 22 06:48:56 2023 -0400 - - `remount-secure`: add support for `--force`; output - -commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 -Author: Patrick Schleizer -Date: Sun Oct 22 06:32:19 2023 -0400 - - debugging - -commit bc768aa196a08218aac0b6ef1c4ca013f2034122 -Author: Patrick Schleizer -Date: Sun Oct 22 06:31:57 2023 -0400 - - output - -commit c069c73109b45fbb8fa230ad4f90f4252db730f2 -Author: Patrick Schleizer -Date: Sun Oct 22 06:29:38 2023 -0400 - - refactoring - -commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d 
-Author: Patrick Schleizer -Date: Sun Oct 22 06:23:48 2023 -0400 - - remount-secure: stricter error handling - -commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:56 2023 -0400 - - documentation - -commit ac63b0eb3db3d168908459fecd6b3275cce015bc -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:11 2023 -0400 - - remove duplicate - -commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed -Author: Patrick Schleizer -Date: Sat Oct 21 14:19:24 2023 -0400 - - bumped changelog version - -commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 -Author: Patrick Schleizer -Date: Sat Oct 21 14:18:50 2023 -0400 - - fix xession environment variable - -commit 43375fa1f4d32f04907edf1297fef737342b49ea -Author: Patrick Schleizer -Date: Sat Oct 21 12:34:59 2023 -0400 - - bumped changelog version - -commit d543825d85a5d84274c21cd85db6df777948606e -Author: Patrick Schleizer -Date: Sat Oct 21 12:24:59 2023 -0400 - - comments - -commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:58 2023 -0400 - - bumped changelog version - -commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:48 2023 -0400 - - fix - -commit 13a4f37e50805a0e51b8f63808e166318e39a074 -Author: Patrick Schleizer -Date: Thu Oct 12 12:51:37 2023 -0400 - - bumped changelog version - -commit 2d4524108445829d7ac80e828e9a1442cf038a6b -Author: Patrick Schleizer -Date: Thu Oct 12 11:37:01 2023 -0400 - - avoid duplicate environment variables - -commit e96e6aa38e29888a64fa35f85becc1596118a812 -Author: Patrick Schleizer -Date: Thu Oct 12 10:43:40 2023 -0400 - - bumped changelog version - -commit fa820e897895eda93011a0f2bbd915ffffcb1459 -Author: Patrick Schleizer -Date: Thu Oct 12 10:40:27 2023 -0400 - - refactoring environment variables loading mechanism - -commit 358e4226f1b3db32e560e4bbe1c663828eac7059 -Author: Patrick Schleizer -Date: Mon Jul 17 11:48:35 2023 -0400 - - bumped changelog version - -commit 
81ad786dfcdd416056c6ae8a9d02231bda6fcbde -Author: Patrick Schleizer -Date: Mon Jul 17 11:19:07 2023 -0400 - - Kicksecure - -commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe -Author: Patrick Schleizer -Date: Mon Jul 17 11:10:05 2023 -0400 - - Kicksecure - -commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d -Author: Patrick Schleizer -Date: Fri Jun 23 08:18:12 2023 +0000 - - bumped changelog version - -commit 8a6baea99017fd971ae4a5e89599b87bc945b276 -Author: Patrick Schleizer -Date: Thu Jun 22 16:16:15 2023 +0000 - - comment - -commit 609c8c0697ecf3414e38de9d32dc367a25172802 -Author: Patrick Schleizer -Date: Wed Jun 21 09:36:44 2023 +0000 - - bumped changelog version - -commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7 -Author: Patrick Schleizer -Date: Wed Jun 21 09:11:31 2023 +0000 - - bookworm - -commit b610cdcbcd85ee4c433a3df0662e225b52b592cd -Author: Patrick Schleizer -Date: Fri Jun 16 11:09:02 2023 +0000 - - bumped changelog version - -commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a -Author: Patrick Schleizer -Date: Fri Jun 16 10:49:05 2023 +0000 - - readme - -commit 63599a09d795d82b0f069f88d73fd607129af0ef -Author: Patrick Schleizer -Date: Wed Jun 14 09:59:20 2023 +0000 - - bumped changelog version - -commit 25760f70246dd07376465d9a4222098fd24b8516 -Author: Patrick Schleizer -Date: Tue Jun 13 08:34:41 2023 +0000 - - bookworm - -commit be990188f56f059585cf70589de03afb992b9ea2 -Author: Patrick Schleizer -Date: Mon Jun 12 18:01:55 2023 +0000 - - bumped changelog version - -commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 -Author: Patrick Schleizer -Date: Mon Jun 12 16:22:32 2023 +0000 - - Standards-Version: 4.6.1.0 - -commit 4e28ace103e11373d1b5cf5de8be6b1f94c567ce -Author: Patrick Schleizer -Date: Mon May 15 17:31:59 2023 +0000 - - bumped changelog version - commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e Merge: c921d4e b0b73db Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a0ef4b0..f86b988 100644 --- a/debian/changelog 
+++ b/debian/changelog 
@@ -1,987 +1,3 @@ -security-misc (3:45.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 - -security-misc (3:45.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 - -security-misc (3:45.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 - -security-misc (3:44.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 - -security-misc (3:44.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 - -security-misc (3:44.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 - -security-misc (3:44.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 - -security-misc (3:44.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 - -security-misc (3:44.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 - -security-misc (3:44.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 - -security-misc (3:44.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 - -security-misc (3:44.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 - -security-misc (3:44.0-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 - -security-misc (3:43.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 - -security-misc (3:43.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 - -security-misc (3:43.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 - -security-misc (3:43.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 - -security-misc (3:43.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 - -security-misc (3:43.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 - -security-misc (3:43.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 - -security-misc (3:43.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 - -security-misc (3:43.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 - -security-misc (3:43.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 - -security-misc (3:42.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 - -security-misc (3:42.8-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 - -security-misc (3:42.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 - -security-misc (3:42.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 - -security-misc (3:42.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 - -security-misc (3:42.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 - -security-misc (3:42.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 - -security-misc (3:42.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 - -security-misc (3:42.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 - -security-misc (3:42.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 - -security-misc (3:41.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 - -security-misc (3:41.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 - -security-misc (3:41.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 - -security-misc (3:41.6-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 - -security-misc (3:41.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 - -security-misc (3:41.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 - -security-misc (3:41.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 - -security-misc (3:41.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 - -security-misc (3:41.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 - -security-misc (3:41.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 - -security-misc (3:40.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 - -security-misc (3:40.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 - -security-misc (3:40.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 - -security-misc (3:40.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 - -security-misc (3:40.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 - -security-misc (3:40.4-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 - -security-misc (3:40.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 - -security-misc (3:40.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 - -security-misc (3:40.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 - -security-misc (3:40.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 - -security-misc (3:39.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 - -security-misc (3:39.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 - -security-misc (3:39.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 - -security-misc (3:39.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000 - -security-misc (3:39.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 - -security-misc (3:39.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 - -security-misc (3:39.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 - -security-misc (3:39.2-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 - -security-misc (3:39.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 - -security-misc (3:39.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 - -security-misc (3:38.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 - -security-misc (3:38.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 - -security-misc (3:38.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 - -security-misc (3:38.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 - -security-misc (3:38.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 - -security-misc (3:38.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 - -security-misc (3:38.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 - -security-misc (3:38.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 - -security-misc (3:38.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 - -security-misc (3:38.0-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 - -security-misc (3:37.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 - -security-misc (3:37.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 - -security-misc (3:37.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 - -security-misc (3:37.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 - -security-misc (3:37.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 - -security-misc (3:37.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 - -security-misc (3:37.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 - -security-misc (3:37.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 - -security-misc (3:37.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 - -security-misc (3:37.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 - -security-misc (3:36.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 - -security-misc (3:36.8-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 - -security-misc (3:36.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 - -security-misc (3:36.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 - -security-misc (3:36.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 - -security-misc (3:36.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 - -security-misc (3:36.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 - -security-misc (3:36.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 - -security-misc (3:36.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 - -security-misc (3:36.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 - -security-misc (3:35.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 - -security-misc (3:35.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 - -security-misc (3:35.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 - -security-misc (3:35.6-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 - -security-misc (3:35.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 - -security-misc (3:35.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 - -security-misc (3:35.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 - -security-misc (3:35.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 - -security-misc (3:35.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 - -security-misc (3:35.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 - -security-misc (3:34.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 - -security-misc (3:34.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 - -security-misc (3:34.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 - -security-misc (3:34.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 22 Dec 2023 16:31:57 +0000 - -security-misc (3:34.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 12 Dec 2023 16:51:21 +0000 - -security-misc (3:34.4-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Mon, 04 Dec 2023 17:06:45 +0000 - -security-misc (3:34.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Nov 2023 13:13:10 +0000 - -security-misc (3:34.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 22:29:57 +0000 - -security-misc (3:34.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 20:22:34 +0000 - -security-misc (3:34.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 22:28:21 +0000 - -security-misc (3:33.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 02:13:14 +0000 - -security-misc (3:33.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 01:14:33 +0000 - -security-misc (3:33.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 23:17:59 +0000 - -security-misc (3:33.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 22:43:33 +0000 - -security-misc (3:33.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:46:18 +0000 - -security-misc (3:33.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:04:02 +0000 - -security-misc (3:33.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:58:21 +0000 - -security-misc (3:33.2-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 05 Nov 2023 20:29:38 +0000 - -security-misc (3:33.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:14:43 +0000 - -security-misc (3:33.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 19:56:06 +0000 - -security-misc (3:32.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 - -security-misc (3:32.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 - -security-misc (3:32.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 - -security-misc (3:32.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 - -security-misc (3:32.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 - -security-misc (3:32.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 - -security-misc (3:32.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 - -security-misc (3:32.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 - -security-misc (3:32.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 - -security-misc (3:32.0-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 - -security-misc (3:31.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 - -security-misc (3:31.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 - -security-misc (3:31.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 - -security-misc (3:31.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 - -security-misc (3:31.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 - -security-misc (3:31.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 - -security-misc (3:31.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 - -security-misc (3:31.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 - -security-misc (3:31.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 - -security-misc (3:31.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 - -security-misc (3:30.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 - -security-misc (3:30.8-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 - -security-misc (3:30.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 - -security-misc (3:30.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 - -security-misc (3:30.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 - -security-misc (3:30.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 - -security-misc (3:30.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 - -security-misc (3:30.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 - -security-misc (3:30.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 - -security-misc (3:30.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 - -security-misc (3:29.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 - -security-misc (3:29.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 - -security-misc (3:29.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 - -security-misc (3:29.6-1) unstable; urgency=medium - - * New upstream version (local package). 
- - -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 - -security-misc (3:29.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 - -security-misc (3:29.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000 - -security-misc (3:29.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 23 Jun 2023 08:18:12 +0000 - -security-misc (3:29.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 Jun 2023 09:36:44 +0000 - -security-misc (3:29.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Jun 2023 11:09:01 +0000 - -security-misc (3:29.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Jun 2023 09:59:20 +0000 - -security-misc (3:28.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 12 Jun 2023 18:01:55 +0000 - security-misc (3:28.8-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/control b/debian/control index fd56b5f..7a95366 100644 --- a/debian/control +++ b/debian/control 
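Review bot: Deleting the released changelog entries from 3:28.9-1 up to 3:33.1-1 and leaving 3:28.8-1 as the newest entry regresses the package version, so any system that already has a 3:29 or later version installed will never be offered this build as an upgrade (dpkg orders 3:28.8-1 below 3:33.1-1). If the goal is to roll the content back, keep the history intact and add a new top entry with a version that sorts above 3:33.1-1 (Debian's usual `+really` convention, or an epoch bump) whose text states that it reverts the later uploads; the hunk as shown also gives no entry describing why the entries were dropped.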
@@ -1,41 +1,27 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc Section: misc Priority: optional -Maintainer: Patrick Schleizer -Build-Depends: config-package-dev, - debhelper (>= 13), - debhelper-compat (= 13), - dh-apparmor, - po-debconf -Homepage: https://www.kicksecure.com/wiki/Security-misc -Vcs-Browser: https://github.com/Kicksecure/security-misc -Vcs-Git: https://github.com/Kicksecure/security-misc.git -Standards-Version: 4.6.2 +Maintainer: Patrick Schleizer +Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor +Homepage: https://github.com/Whonix/security-misc +Vcs-Browser: https://github.com/Whonix/security-misc +Vcs-Git: https://github.com/Whonix/security-misc.git +Standards-Version: 4.5.1 Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: adduser, - apparmor-profile-dist, - dmsetup, - helper-scripts, - libcap2-bin, - libglib2.0-bin, - libpam-modules-bin, - libpam-runtime, - libpam-umask, - python3, - secure-delete, - sudo, - ${misc:Depends} -Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable +Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, + apparmor-profile-dist, helper-scripts, libpam-modules-bin, + secure-delete, dmsetup, ${misc:Depends} +Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings - https://github.com/Kicksecure/security-misc/blob/master/README.md + https://github.com/Whonix/security-misc/blob/master/README.md . - https://www.kicksecure.com/wiki/Security-misc + https://www.whonix.org/wiki/Security-misc . Discussion: . diff --git a/debian/copyright b/debian/copyright index 829d909..4d66db5 100644 --- a/debian/copyright +++ b/debian/copyright 
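Review bot: The `+` side drops `po-debconf` from Build-Depends and `libpam-umask` from Depends without a matching removal of whatever used them; if the package still ships debconf templates with translations, the build will fail, and if any installed PAM configuration references `pam_umask.so`, the module will be missing at runtime, which would silently undo the umask setting rather than fail loudly. Either keep both dependencies or remove the corresponding files in the same change. The rest of the hunk (Copyright year 2025 back to 2023 and LLC back to LP, Homepage/Vcs-* from Kicksecure back to Whonix, Standards-Version 4.6.2 back to 4.5.1, Depends re-wrapped from one-per-line into packed lines) reads as reinstating an older copy of the file rather than a deliberate forward change; if this is a revert, say so in the commit message, and keep the one-per-line Depends layout so that the dependency change is visible as three lines instead of a rewrite of the whole field.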
@@ -1,668 +1,73 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. 
However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . 
- To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . 
- The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. 
This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . 
- When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . 
- b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . 
- e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . 
- If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. 
If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . 
- All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . 
- Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. 
If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . 
- In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. 
You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . 
- Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . 
- If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. 
+ UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. 
Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS - . - How to Apply These Terms to Your New Programs - . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. - . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. - . - - Copyright (C) - . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - . - Also add information on how to contact you by electronic and paper mail. - . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. - . 
- You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index 4804b3e..c43ca87 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,7 +1,7 @@ #!/bin/bash -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in deleted file mode 100644 index 435938f..0000000 --- a/debian/po/POTFILES.in +++ /dev/null @@ -1 +0,0 @@ -[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot deleted file mode 100644 index adb123b..0000000 --- a/debian/po/templates.pot +++ /dev/null 
@@ -1,36 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the security-misc package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: security-misc\n" -"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" -"POT-Creation-Date: 2025-01-14 09:31-0500\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=CHARSET\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: note -#. Description -#: ../security-misc.templates:1001 -msgid "Manual intervention may be required for permission-hardener update" -msgstr "" - -#. Type: note -#. Description -#: ../security-misc.templates:1001 -msgid "" -"No need to panic. Nothing is broken. A rare condition has been encountered. " -"permission-hardener is being updated to fix a minor bug that caused " -"corruption in the permission-hardener state file. If you installed your own " -"custom permission-hardener configuration, some manual intervention may be " -"required. See: https://www.kicksecure.com/wiki/" -"SUID_Disabler_and_Permission_Hardener#fixing_state_files" -msgstr "" diff --git a/debian/rules b/debian/rules index ca5e85c..a1570ba 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.config b/debian/security-misc.config deleted file mode 100755 index e200fb6..0000000 --- a/debian/security-misc.config +++ /dev/null 
@@ -1,190 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -source /usr/share/debconf/confmodule - -set -e - -## Not set by DPKG for '.config' script. -DPKG_MAINTSCRIPT_PACKAGE="security-misc" -DPKG_MAINTSCRIPT_NAME="config" - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## NOTE: Code duplication. -## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh -## -## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. -## Therefore the code is duplicated here. -pkg_installed() { - local package_name dpkg_query_output - local requested_action status error_state - - package_name="$1" - ## Cannot use '&>' because it is a bashism. - dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true - ## dpkg_query_output Examples: - ## install ok half-configured - ## install ok installed - - requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') - status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') - error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') - - if [ "$requested_action" = 'install' ]; then - true "$0: INFO: $package_name is installed, ok." - return 0 - fi - - true "$0: INFO: $package_name is not installed, ok." - return 1 -} - -check_migrate_permission_hardener_state() { - local pkg_list modified_pkg_data_str custom_hardening_arr config_file - - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! 
-d '/var/lib/permission-hardener' ]; then - return 0 - fi - - local orig_hardening_arr custom_hardening_arr config_file custom_config_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - '/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - 
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - pkg_list=( "security-misc" ) - if pkg_installed user-sysmaint-split ; then - pkg_list+=( "user-sysmaint-split" ) - fi - if pkg_installed anon-apps-config ; then - pkg_list+=( "anon-apps-config" ) - fi - - ## This will exit non-zero if some of the packages don't exist, but we - ## don't care. The packages that *are* installed will still be scanned. 
- modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true - - ## Example modified_pkg_data_str: - #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - - readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - - ## If the above `dpkg --verify` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. - if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - if ! test -e "${custom_config_file}" ; then - echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" - else - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" - fi - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" -} - -check_migrate_permission_hardener_state - -true "INFO: debhelper beginning here." 
- -#DEBHELPER# - -true "INFO: Done with debhelper." - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 78257f6..54c5862 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,5 +1,6 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/securetty.security-misc /etc/security/faillock.conf.security-misc +/etc/dkms/framework.conf.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index b79536a..26d57ff 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - /apps/nautilus/preview_sound never /apps/nautilus/show_icon_text never /apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc.install b/debian/security-misc.install index 6d5f850..126a525 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,8 +1,10 @@ -## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. +bin/* etc/* +lib/* usr/* var/* diff --git a/debian/security-misc.links b/debian/security-misc.links deleted file mode 100644 index c3369df..0000000 --- a/debian/security-misc.links +++ /dev/null 
@@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh -/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 0a1759b..4be0d9a 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,8 +1,11 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc +## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg + ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf @@ -10,7 +13,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf +## merged into 1 file /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf 
@@ -24,88 +27,16 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf +## merged into 1 file /etc/modprobe.d/30_security-misc.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf rm_conffile /etc/modprobe.d/blacklist-dma.conf rm_conffile /etc/modprobe.d/msr.conf rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf -rm_conffile /etc/modprobe.d/30_security-misc.conf ## renamed to /etc/security/limits.d/30_security-misc.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf ## moved to separate package ram-wipe rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg - -rm_conffile /etc/X11/Xsession.d/50panic_on_oops -rm_conffile /etc/X11/Xsession.d/50security-misc - -## moved to /usr/lib/sysctl.d -rm_conffile /etc/sysctl.d/30_security-misc.conf -rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf -rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf - -## moved to /etc/permission-hardener.d -rm_conffile /etc/permission-hardening.d/25_default_passwd.conf -rm_conffile /etc/permission-hardening.d/25_default_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf 
-rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardening.d/30_default.conf - -## moved to /usr/lib/permission-hardener.d -rm_conffile /etc/permission-hardener.d/25_default_passwd.conf -rm_conffile /etc/permission-hardener.d/25_default_sudo.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf -rm_conffile 
/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardener.d/30_default.conf - -## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg -rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg -rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg -rm_conffile /etc/default/grub.d/40_enable_iommu.cfg - -## renamed to /etc/default/grub.d/40_remount_secure.cfg -rm_conffile /etc/default/grub.d/40_remmount-secure.cfg - -## renamed to /etc/default/grub.d/40_signed_modules.cfg -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - -## renamed to /etc/default/grub.d/41_quiet_boot.cfg -rm_conffile /etc/default/grub.d/41_quiet.cfg - -## moved to usability-misc -rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf - -## renamed to reflect the fact that this uses a whitelist -rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index ac81a23..d00d8cf 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
@@ -1,79 +1,20 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Required since this package uses debconf - this is mandatory even though -## the postinst itself does not use debconf commands. -source /usr/share/debconf/confmodule - set -e true " ##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " -permission_hardening_legacy_config_folder() { - if ! test -d /etc/permission-hardening.d ; then - return 0 - fi - rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true -} - -permission_hardening() { - echo "Running SUID Disabler and Permission Hardener... See also:" - echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" - echo "$0: INFO: running: permission-hardener enable" - if ! permission-hardener enable ; then - echo "$0: ERROR: Permission hardening failed." >&2 - return 0 - fi - echo "$0: INFO: Permission hardening success." -} - -migrate_permission_hardener_state() { - local existing_mode_dir new_mode_dir dpkg_statoverride_list - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! 
-d '/var/lib/permission-hardener' ]; then - return 0 - fi - - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' - new_mode_dir='/var/lib/permission-hardener-v2/new_mode' - - mkdir --parents "${existing_mode_dir}"; - mkdir --parents "${new_mode_dir}"; - - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" - - dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" - - if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' - fi - fi - if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' - fi - fi - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" -} - case "$1" in configure) if [ -d /etc/skel/.gnupg ]; then 
@@ -83,22 +24,15 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true - - ## state dir for faillock - mkdir -p /var/lib/security-misc/faillock - - ## migrate permission_hardener state to v2 if applicable - migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true - permission_hardening exit 0 ;; @@ -112,8 +46,6 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening - ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 @@ -134,11 +66,9 @@ true "INFO: debhelper beginning here." true "INFO: Done with debhelper." -permission_hardening_legacy_config_folder - true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index 13dc588..c40721f 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then 
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 8e900d0..43f8e2c 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then @@ -20,9 +20,6 @@ user_groups_modifications() { addgroup --system sysfs addgroup --system cpuinfo - ## /usr/lib/systemd/system/proc-hidepid.service - addgroup --system proc - ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc adduser root sudo @@ -47,7 +44,7 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.kicksecure.com/wiki/Root#Root_Login + ## https://www.whonix.org/wiki/Root#Root_Login adduser root console } @@ -98,13 +95,12 @@ sudo_users_check () { ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 - echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 + echo "https://www.whonix.org/wiki/security-misc#install" >&2 if [ "$SECURITY_MISC_INSTALL" = "force" ]; then output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 1c4cd87..78d5f3a 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.templates b/debian/security-misc.templates deleted file mode 100644 index 1b543e7..0000000 --- a/debian/security-misc.templates +++ /dev/null @@ -1,9 +0,0 @@ -Template: security-misc/alert-on-permission-hardener-v2-upgrade -Type: note -_Description: Manual intervention may be required for permission-hardener update - No need to panic. Nothing is broken. A rare condition has been encountered. - permission-hardener is being updated to fix a minor bug that caused - corruption in the permission-hardener state file. If you installed your own - custom permission-hardener configuration, some manual intervention may be - required. See: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 1f4a592..5dc870f 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers 
@@ -1,16 +1,25 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## use noawait -## https://github.com/Kicksecure/security-misc/issues/196 +#### meta start +#### project Whonix +#### category security +#### description -## Trigger permission hardener when new binaries are being installed. -interest-noawait /usr -interest-noawait /opt +## Trigger 'activate-noawait update-initramfs' also works with both, +## initramfs-tools as well as dracut. +## - Activate initramfs hook that sets the sysctl values before init is executed. +## - dracut module 40sdmem-security-misc +activate-noawait update-initramfs -## Trigger permission hardener when new configuration files are being installed. -interest-noawait /usr/lib/permission-hardener.d -interest-noawait /etc/permission-hardener.d -interest-noawait /usr/local/etc/permission-hardener.d -interest-noawait /etc/permission-hardening.d -interest-noawait /usr/local/etc/permission-hardening.d +## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox +interest-noawait /usr/bin/vboxmanage + +## /usr/libexec/security-misc/mmap-rnd-bits +## auto generates: +## /etc/sysctl.d/30_security-misc_aslr-mmap.conf +## sets: +## vm.mmap_rnd_bits +interest-noawait /boot + +#### meta end diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 990101a..0b23381 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,6 +1,5 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/login.defs.security-misc /usr/bin/pkexec.security-misc -/etc/dkms/framework.conf.security-misc diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index c657565..942fd18 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides 
@@ -1,2 +1,2 @@ ## https://phabricator.whonix.org/T277 -debian-watch-does-not-check-openpgp-signature +debian-watch-does-not-check-gpg-signature diff --git a/debian/watch b/debian/watch index 86f015f..4a80d35 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops new file mode 100755 index 0000000..79646cb --- /dev/null +++ b/etc/X11/Xsession.d/50panic_on_oops @@ -0,0 +1,8 @@ +#!/bin/sh + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -x /usr/libexec/security-misc/panic-on-oops ]; then + sudo --non-interactive /usr/libexec/security-misc/panic-on-oops +fi diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc new file mode 100755 index 0000000..0d8efce --- /dev/null +++ b/etc/X11/Xsession.d/50security-misc @@ -0,0 +1,9 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS=/etc/xdg +fi +export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index d63d5db..b1aad3d 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc 
@@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index f1be472..fbde1db 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index 43150ec..eb7ef7a 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf deleted file mode 100644 index 91ce2d3..0000000 --- a/etc/bluetooth/30_security-misc.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[General] -# How long to stay in pairable mode before going back to non-discoverable -# The value is in seconds. Default is 0. -# 0 = disable timer, i.e. stay pairable forever -PairableTimeout = 30 - -# How long to stay in discoverable mode before going back to non-discoverable -# The value is in seconds. Default is 180, i.e. 3 minutes. -# 0 = disable timer, i.e. stay discoverable forever -DiscoverableTimeout = 30 - -# Maximum number of controllers allowed to be exposed to the system. -# Default=0 (unlimited) -MaxControllers=1 - -# How long to keep temporary devices around -# The value is in seconds. Default is 30. -# 0 = disable timer, i.e. never keep temporary devices -TemporaryTimeout = 0 - -[Policy] -# AutoEnable defines option to enable all controllers when they are found. -# This includes adapters present on start as well as adapters that are plugged -# in later on. Defaults to 'true'. -AutoEnable=false - -# network/on: A device will only accept advertising packets from peer -# devices that contain private addresses. It may not be compatible with some -# legacy devices since it requires the use of RPA(s) all the time. -Privacy=network/on diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9b29760..1351206 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,188 +1,61 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Enable known mitigations for CPU vulnerabilities. -## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. +## Enables all known mitigations for CPU vulnerabilities. +## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Check for potential updates directly from AMD and Intel. -## https://www.amd.com/en/resources/product-security.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html - -## Tabular comparison between the utility and functionality of various mitigations. -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 - -## For complete protection, users must install the latest relevant security microcode update. -## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. -## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. -## The parameters below only provide (partial) protection at both the kernel and user space level. 
- -## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. -## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. -## If using compatible hardware, the database can be updated directly in user space using fwupd. -## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. -## https://uefi.org/revocationlistfile -## https://github.com/fwupd/fwupd - -## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. -## -## KSPP=yes -## KSPP sets the kernel parameters. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" - -## Disable SMT as it has been the cause of and amplified numerous CPU exploits. -## The only full mitigation of cross-HT attacks is to disable SMT. -## Disabling will significantly decrease system performance on multi-threaded tasks. -## Note, this setting will prevent re-enabling SMT via the sysfs interface. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -## To re-enable SMT: -## - Remove "nosmt=force". -## - Remove all occurrences of ",nosmt" in this file (note the comma ","). -## - Downgrade "l1tf=full,force" protection to "l1tf=flush". -## - Regenerate the dracut initramfs and then reboot system. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Spectre Side Channels (BTI and BHI): -## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). -## Enable mitigation for the Intel branch history injection vulnerability. -## Currently affects both AMD and Intel CPUs. 
+## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Speculative Store Bypass (SSB): -## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. -## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects both AMD and Intel CPUs. -## -## https://en.wikipedia.org/wiki/Speculative_Store_Bypass -## https://www.suse.com/support/kb/doc/?id=000019189 -## +## Disable Speculative Store Bypass. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## L1 Terminal Fault (L1TF): -## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects Intel CPUs. +## Enable mitigations for the L1TF vulnerability through disabling SMT +## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" -## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. -## Currently affects Intel CPUs. +## Enable mitigations for the MDS vulnerability through clearing buffer cache +## and disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## TSX Asynchronous Abort (TAA): -## Mitigate the vulnerability by disabling TSX. -## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. -## Currently affects Intel CPUs. 
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using +## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" -## iTLB Multihit: -## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. -## Currently affects Intel CPUs. +## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode update from Intel. -## Currently affects Intel CPUs. +## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. +## Only mitigated through microcode updates from Intel. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## L1D Flushing: -## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. -## Currently affects Intel CPUs. +## Force disable SMT as it has caused numerous CPU vulnerabilities. +## The only full mitigation of cross-HT attacks is to disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Enables the prctl interface to prevent leaks from L1D on context switches. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Processor MMIO Stale Data: -## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. -## Currently affects Intel CPUs. +## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html -## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" - -## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): -## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. -## Currently affects both AMD Zen 1-2 and Intel CPUs. -## -## https://en.wikipedia.org/wiki/Retbleed -## https://comsec.ethz.ch/research/microarch/retbleed/ -## https://www.suse.com/support/kb/doc/?id=000020693 -## https://access.redhat.com/solutions/retbleed -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" - -## Cross-Thread Return Address Predictions: -## Mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects AMD Zen 1-2 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" - -## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. -## Currently affects AMD Zen 1-4 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. -## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. 
-## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" - -## Gather Data Sampling (GDS): -## Mitigate the vulnerability either via microcode update or by disabling AVX. -## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" - -## Register File Data Sampling (RFDS): -## Mitigate the vulnerability by appropriately clearing the CPU buffer. -## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg new file mode 100644 index 0000000..36ce183 --- /dev/null +++ b/etc/default/grub.d/40_distrust_bootloader.cfg @@ -0,0 +1,7 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Distrusts the bootloader for initial entropy at boot. +## +## https://lkml.org/lkml/2022/6/5/271 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg new file mode 100644 index 0000000..107b717 --- /dev/null +++ b/etc/default/grub.d/40_distrust_cpu.cfg 
@@ -0,0 +1,12 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Distrusts the CPU for initial entropy at boot as it is not possible to +## audit, may contain weaknesses or a backdoor. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://twitter.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://lkml.org/lkml/2022/6/5/271 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg new file mode 100644 index 0000000..579ccca --- /dev/null +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -0,0 +1,17 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Enables IOMMU to prevent DMA attacks. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" + +## Disable the busmaster bit on all PCI bridges during very +## early boot to avoid holes in IOMMU. +## +## https://mjg59.dreamwidth.org/54433.html +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents +## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 +## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..b673d6d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,329 +1,64 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is split into 4 sections: -## 1. Kernel Space -## 2. Direct Memory Access -## 3. Entropy -## 4. Networking - -## See the documentation below for details on the majority of the selected commands: -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html -## https://wiki.archlinux.org/title/Kernel_parameters#GRUB - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters -## https://kspp.github.io/Recommended_Settings#kernel-command-line-options - -## Disable merging of slabs with similar size. -## Reduces the risk of triggering heap overflows. -## Prevents overwriting objects from merged caches and limits influencing slab cache layout. -## -## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 -## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. -## +## Disables the merging of slabs of similar sizes. +## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. -## As a by product of debugging, this will implicitly disabling kernel pointer hashing. 
-## Enabling will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. -## -## https://www.kernel.org/doc/html/latest/mm/slub.html -## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u -## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 -## https://github.com/Kicksecure/security-misc/issues/253 -## -## KSPP=yes -## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" +## Enables sanity checks (F) and redzoning (Z). +## Disabled due to kernel deciding to implicitly disable kernel pointer hashing +## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -## Zero memory at allocation time and free time. -## Fills newly allocated pages, freed pages, and heap objects with zeros. -## Mitigates use-after-free exploits by erasing sensitive information in memory. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" +## Zero memory at allocation and free time. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" -## Enable the kernel page allocator to randomize free lists. -## During early boot, the page allocator has predictable FIFO behavior for physical pages. -## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. -## Also improves performance by optimizing memory-side cache utilization. 
-## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 -## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" - -## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. -## -## https://en.wikipedia.org/wiki/Kernel_page-table_isolation -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Enable randomization of the kernel stack offset on syscall entries. -## Hardens against memory corruption attacks due to increased entropy. -## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. -## -## https://lkml.org/lkml/2019/3/18/246 -## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" - -## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. -## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. -## -## https://lwn.net/Articles/446528/ -## https://en.wikipedia.org/wiki/VDSO -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Restrict access to debugfs by not registering the file system. -## Deactivated since the file system can contain sensitive information. -## -## https://lkml.org/lkml/2020/7/16/122 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" - -## Force the kernel to panic on "oopses". 
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Panics may be due to false-positives such as bad drivers. -## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" - -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## Machine check exception handler decides whether the system should panic or not based on the exception that happened. ## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. -## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. 
-## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. -## Aims to have very low processing overhead at each sampling interval. -## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. -## -## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html -## https://google.github.io/kernel-sanitizers/KFENCE.html -## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 -## https://lwn.net/Articles/835542/ -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" +## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" -## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. -## Legacy compatibility feature for superseded glibc versions. -## -## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ -## https://lists.openwall.net/linux-kernel/2014/03/11/3 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" +## Enables page allocator freelist randomization. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## The default implementation is FineIBT as of Linux kernel 6.2. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. -## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in some performance benefits as it only performs checking at destinations. -## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## Upstream hardening work has provided users the ability to disable FineIBT based on requests. 
-## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from the default setting if unsure of implications. -## -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ -## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u -## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ -## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ -## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ -## https://docs.kernel.org/next/x86/shstk.html -## https://source.android.com/docs/security/test/kcfi -## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" +## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## https://lkml.org/lkml/2019/3/18/246 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" -## Disable support for x86 processes and syscalls. -## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## Enables kernel lockdown. ## -## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## Disabled for now as it enforces module signature verification which breaks +## too many things. +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 ## -## KSPP=yes -## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). 
-## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi -## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. -## -## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system -## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ -## https://lwn.net/Articles/434821/ -## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html -## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 -## https://github.com/Kicksecure/security-misc/issues/299 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" - -## 2. Direct Memory Access: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks - -## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. -## -## KSPP=yes -## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" - -## Enable and force use of IOMMU translation to protect against some DMA attacks. -## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. -## Ensures devices will never be able to access stale data contents. -## -## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit -## https://en.wikipedia.org/wiki/DMA_attack -## https://lenovopress.lenovo.com/lp1467.pdf -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. 
-## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" - -## Clear the busmaster bit on all PCI bridges during the EFI hand-off. -## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. -## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. -## Assumes that the motherboard chipset and firmware are not malicious. -## May cause complete boot failure on certain hardware with incompatible firmware. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -## https://mjg59.dreamwidth.org/54433.html -## -## KSPP=yes -## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## 3. Entropy: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand - -## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. -## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. 
-## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://systemd.io/RANDOM_SEEDS/ -## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://github.com/NixOS/nixpkgs/pull/165355 -## https://lkml.org/lkml/2022/6/5/271 -## -## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" - -## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. -## Requires the linux-hardened kernel patch. -## -## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened -## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 -## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## Gather more entropy during boot. ## +## Requires linux-hardened kernel patch. +## https://github.com/anthraxx/linux-hardened GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" -## 4. Networking -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters +## Restrict access to debugfs since it can contain a lot of sensitive information. +## https://lkml.org/lkml/2020/7/16/122 +## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Disable the entire IPv6 stack functionality. 
-## Removes attack surface associated with the IPv6 module. -## -## https://www.kernel.org/doc/html/latest/networking/ipv6.html -## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 -## -## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" +## Force the kernel to panic on "oopses" (which may be due to false positives) +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## Implemented differently: +## /usr/libexec/security-misc/panic-on-oops +## /etc/X11/Xsession.d/50panic_on_oops +## /etc/sudoers.d/security-misc +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg deleted file mode 100644 index c3cc30a..0000000 --- a/etc/default/grub.d/40_remount_secure.cfg +++ /dev/null 
@@ -1,31 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Remount Secure provides enhanced security via mount options: -## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure - -## Option A (No Security): -## Disable Remount Secure. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" - -## Option B (Low Security): -## Re-mount with nodev and nosuid only. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" - -## Option C (Medium Security): -## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" - -## Option D (Highest Security): -## Re-mount with nodev, nosuid, and noexec for all mount points including /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg deleted file mode 100644 index 36af7f3..0000000 --- a/etc/default/grub.d/40_signed_modules.cfg +++ /dev/null 
@@ -1,37 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Require every kernel module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This prevents all out-of-tree kernel modules unless signed. -## This makes it harder to load a malicious module. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -## -## KSPP=yes -## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. -## -## Not enabled by default yet due to several issues. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" - -## Enable kernel lockdown to enforce security boundary between user and kernel space. -## Confidentiality mode enforces module signature verification. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 -## -## KSPP=yes -## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. -## -## Not enabled by default yet due to several issues. -## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg new file mode 100644 index 0000000..b863029 --- /dev/null +++ b/etc/default/grub.d/41_quiet.cfg 
@@ -0,0 +1,27 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 + +## LANG=C str_replace is provided by package helper-scripts. + +## The following command actually removed "quiet" from the kernel command line. +## If verbosity is desired, the user might want to keep this line. +## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + +## If verbosity is desired, the user might want to out-comment the following line. +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" + +## NOTE: +## After editing this file, running: +## sudo update-grub +## is required. +## +## If higher verbosity is desired, the user might also want to delete file +## /etc/sysctl.d/30_silent-kernel-printk.conf +## (or out-comment its settings). +## +## Alternatively, the user could consider to install the debug-misc package, +## which will undo the settings found here. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg deleted file mode 100644 index 7221ac0..0000000 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ /dev/null 
@@ -1,35 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Some default configuration files automatically include the "quiet" parameter. -## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. -## str_replace is provided by package helper-scripts. -## -## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 -## -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" - -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## For easier debugging, these are not applied to the recovery boot option. -## Switch the pair of commands to universally apply parameters to all boot options. -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" - -## For Increased Log Verbosity: -## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, installing the debug-misc package will undo these settings. diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg deleted file mode 100644 index f54247b..0000000 
--- a/etc/default/grub.d/41_recovery_restrict.cfg +++ /dev/null @@ -1,21 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Disable access to single-user (recovery) mode. -## -## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -## -GRUB_DISABLE_RECOVERY="true" - -## Disable access to Dracut's recovery console. -## -## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.security-misc new file mode 100644 index 0000000..f9a643d --- /dev/null +++ b/etc/dkms/framework.conf.security-misc 
@@ -0,0 +1,64 @@ +## This configuration file modifies the behavior of +## DKMS (Dynamic Kernel Module Support) and is sourced +## in by DKMS every time it is run. + +## Source Tree Location (default: /usr/src) +# source_tree="/usr/src" + +## DKMS Tree Location (default: /var/lib/dkms) +# dkms_tree="/var/lib/dkms" + +## Install Tree Location (default: /lib/modules) +# install_tree="/lib/modules" + +## tmp Location (default: /tmp) +# tmp_location="/tmp" + +## verbosity setting (verbose will be active if you set it to a non-null value) +# verbose="" + +## symlink kernel modules (will be active if you set it to a non-null value) +## This creates symlinks from the install_tree into the dkms_tree instead of +## copying the modules. This preserves some space on the costs of being less +## safe. +# symlink_modules="" + +## Automatic installation and upgrade for all installed kernels (if set to a +## non-null value) +# autoinstall_all_kernels="" + +## Script to sign modules during build, script is called with kernel version +## and module name +# sign_tool="/etc/dkms/sign_helper.sh" + +### BEGIN modifications by package security-misc ### + +## original: +## https://github.com/dell/dkms/blob/master/dkms_framework.conf + +## DKMS feature request: +## add /etc/dkms/framework.conf.d configuration file drop-in folder +## https://github.com/dell/dkms/issues/116 + +## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing +## of virtual machines. +## +## This does not necessarily belong into security-misc, however likely +## security-misc will need to modify /etc/dkms/framework.conf in the future to +## enable kernel module signing. See below. +## +## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 +ENOUGH_RAM="1950" +total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" +if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then + true "INFO: Enough RAM available. 
Not lowering compilation cores." +else + true "INFO: Not enough RAM available. Lowering compilation cores to 1." + parallel_jobs=1 +fi + +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 +## https://github.com/dell/dkms/blob/master/sign_helper.sh +#sign_tool="/etc/dkms/sign_helper.sh" + +### END modifications by package security-misc ### diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 5b3c7b5..90c7698 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,6 +1,3 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - reproducible=yes ## Debugging. diff --git a/etc/gitconfig b/etc/gitconfig deleted file mode 100644 index 8ce67b4..0000000 --- a/etc/gitconfig +++ /dev/null 
@@ -1,38 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Lines starting with a hash symbol ('#') are comments. -## https://github.com/Kicksecure/security-misc/issues/225 - -[core] -## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm - symlinks = false - -## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 -[transfer] - fsckobjects = true -[fetch] - fsckobjects = true -[receive] - fsckobjects = true - -## Generally a good idea but too intrusive to enable by default. -## Listed here as suggestions what users should put into their ~/.gitconfig -## file. - -## Not enabled by default because it requires essential knowledge about OpenPG -## and an already existing local signing key. Otherwise would prevent all new -## commits. -#[commit] -# gpgsign = true - -## Not enabled by default because it would break the 'git merge' command for -## unsigned commits and require the '--no-verify-signature' command line -## option. -#[merge] -# verifySignatures = true - -## Not enabled by default because it would break for users who are not having -## an account at the git server and having added a SSH public key. -#[url "ssh://git@github.com/"] -# insteadOf = https://github.com/ diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index d1bc221..df6952e 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. @@ -7,9 +7,6 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 -## Disable /sys hardening. -#sysfs=0 - ## Disable selinux mode. -## https://www.kicksecure.com/wiki/Security-misc#selinux +## https://www.whonix.org/wiki/Security-misc#selinux #selinux=0 
diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 022c6af..f1e3589 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e @@ -18,4 +18,4 @@ prereqs) esac . /usr/share/initramfs-tools/hook-functions -copy_exec /usr/sbin/sysctl /usr/sbin +copy_exec /sbin/sysctl /sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index e4792e7..d932fc1 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index 416c808..14ac9b6 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf new file mode 100644 index 0000000..128ab9c --- /dev/null +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -0,0 +1,146 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Disable automatic conntrack helper assignment +## https://phabricator.whonix.org/T486 +options nf_conntrack nf_conntrack_helper=0 + +## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +install bluetooth /bin/disabled-bluetooth-by-security-misc +install btusb /bin/disabled-bluetooth-by-security-misc + +## Disable thunderbolt and firewire modules to prevent some DMA attacks +install thunderbolt /bin/disabled-thunderbolt-by-security-misc +install firewire-core /bin/disabled-firewire-by-security-misc +install firewire_core /bin/disabled-firewire-by-security-misc +install firewire-ohci /bin/disabled-firewire-by-security-misc +install firewire_ohci /bin/disabled-firewire-by-security-misc +install firewire_sbp2 /bin/disabled-firewire-by-security-misc +install firewire-sbp2 /bin/disabled-firewire-by-security-misc +install ohci1394 /bin/disabled-firewire-by-security-misc +install sbp2 /bin/disabled-firewire-by-security-misc +install dv1394 /bin/disabled-firewire-by-security-misc +install raw1394 /bin/disabled-firewire-by-security-misc +install video1394 /bin/disabled-firewire-by-security-misc + +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +install msr /bin/disabled-msr-by-security-misc + +## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. 
+## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +install dccp /bin/disabled-network-by-security-misc +install sctp /bin/disabled-network-by-security-misc +install rds /bin/disabled-network-by-security-misc +install tipc /bin/disabled-network-by-security-misc +install n-hdlc /bin/disabled-network-by-security-misc +install ax25 /bin/disabled-network-by-security-misc +install netrom /bin/disabled-network-by-security-misc +install x25 /bin/disabled-network-by-security-misc +install rose /bin/disabled-network-by-security-misc +install decnet /bin/disabled-network-by-security-misc +install econet /bin/disabled-network-by-security-misc +install af_802154 /bin/disabled-network-by-security-misc +install ipx /bin/disabled-network-by-security-misc +install appletalk /bin/disabled-network-by-security-misc +install psnap /bin/disabled-network-by-security-misc +install p8023 /bin/disabled-network-by-security-misc +install p8022 /bin/disabled-network-by-security-misc +install can /bin/disabled-network-by-security-misc +install atm /bin/disabled-network-by-security-misc + +## Disable uncommon file systems to reduce attack surface +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format +install cramfs /bin/disabled-filesys-by-security-misc +install freevxfs /bin/disabled-filesys-by-security-misc +install jffs2 /bin/disabled-filesys-by-security-misc +install hfs /bin/disabled-filesys-by-security-misc +install hfsplus /bin/disabled-filesys-by-security-misc +install udf 
/bin/disabled-filesys-by-security-misc + +## Disable uncommon network file systems to reduce attack surface +install cifs /bin/disabled-netfilesys-by-security-misc +install nfs /bin/disabled-netfilesys-by-security-misc +install nfsv3 /bin/disabled-netfilesys-by-security-misc +install nfsv4 /bin/disabled-netfilesys-by-security-misc +install ksmbd /bin/disabled-netfilesys-by-security-misc +install gfs2 /bin/disabled-netfilesys-by-security-misc + +## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +install vivid /bin/disabled-vivid-by-security-misc + +## Disable Intel Management Engine (ME) interface with the OS +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +install mei /bin/disabled-intelme-by-security-misc +install mei-me /bin/disabled-intelme-by-security-misc + +## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +blacklist ath_pci + +## Blacklist automatic loading of miscellaneous modules +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +## Blacklist automatic loading of framebuffer drivers +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +blacklist aty128fb +blacklist atyfb +blacklist 
radeonfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_bases +blacklist neofb +blacklist nvidiafb +blacklist pm2fb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +## Disable CD-ROM devices +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +#install cdrom /bin/disabled-cdrom-by-security-misc +#install sr_mod /bin/disabled-cdrom-by-security-misc +blacklist cdrom +blacklist sr_mod diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf deleted file mode 100644 index 5ce1edc..0000000 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ /dev/null 
@@ -1,63 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections. -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Not disabled by default due to potential future ISO plans. -## -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -## -blacklist cdrom -blacklist sr_mod -## -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Miscellaneous: - -## GrapheneOS: -## Partial selection of their infrastructure blacklist. -## Duplicate and already disabled modules have been omitted. -## -## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf -## -#blacklist cfg80211 -#blacklist intel_agp -#blacklist ip_tables -blacklist joydev -#blacklist mousedev -#blacklist psmouse -## TODO: Re-check in Debian trixie -## In GrapheneOS list, yes, "should" be out-commented here. -## But not actually out-commented. -## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. -## https://www.kicksecure.com/wiki/Dev/audio -## https://github.com/Kicksecure/security-misc/issues/271 -#blacklist snd_intel8x0 -#blacklist tls -#blacklist virtio_balloon -#blacklist virtio_console - -## Ubuntu: -## Already disabled modules have been omitted. 
-## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -## -blacklist amd76x_edac -blacklist ath_pci -blacklist evbug -blacklist pcspkr -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf deleted file mode 100644 index 7f36327..0000000 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Conntrack: -## Disable Netfilter's automatic connection tracking helper assignment. -## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. -## Disabling it reduces the kernel attack surface and improves security. -## -## https://conntrack-tools.netfilter.org/manual.html -## https://forums.whonix.org/t/disable-conntrack-helper/18917 -## -options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf deleted file mode 100644 index 79b5ed6..0000000 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ /dev/null 
@@ -1,310 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections: -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## This configuration file is split into 4 sections: -## 1. Hardware -## 2. File Systems -## 3. Networking -## 4. Miscellaneous - -## 1. Hardware: - -## Bluetooth: -## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. -## -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -## -## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. -## https://github.com/Kicksecure/security-misc/pull/145 -## -#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc -#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc -#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc -#install btbcm /usr/bin/disabled-bluetooth-by-security-misc -#install btintel /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtk /usr/bin/disabled-bluetooth-by-security-misc -#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc -#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc -#install btqca /usr/bin/disabled-bluetooth-by-security-misc -#install btrsi /usr/bin/disabled-bluetooth-by-security-misc -#install btrtl /usr/bin/disabled-bluetooth-by-security-misc -#install btsdio 
/usr/bin/disabled-bluetooth-by-security-misc -#install btusb /usr/bin/disabled-bluetooth-by-security-misc -#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc - -## FireWire (IEEE 1394): -## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues -## -install dv1394 /usr/bin/disabled-firewire-by-security-misc -install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc -install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc -install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install raw1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install video1394 /usr/bin/disabled-firewire-by-security-misc - -## Global Positioning Systems (GPS): -## Disable GPS-related modules like GNSS (Global Navigation Satellite System). -## -install garmin_gps /usr/bin/disabled-gps-by-security-misc -install gnss /usr/bin/disabled-gps-by-security-misc -install gnss-mtk /usr/bin/disabled-gps-by-security-misc -install gnss-serial /usr/bin/disabled-gps-by-security-misc -install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-ubx /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc - -## Intel Management Engine (ME): -## Partially disable the Intel ME interface with the OS. -## ME functionality has increasingly become intertwined with basic Intel system operation. -## Disabling it may lead to breakages in various components without clear debugging/error messages. -## It may affect firmware updates, security, power management, display, and DRM. 
-## -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities -## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages -## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 -## https://github.com/Kicksecure/security-misc/issues/239 -## -#install mei /usr/bin/disabled-intelme-by-security-misc -#install mei-gsc /usr/bin/disabled-intelme-by-security-misc -#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -#install mei-me /usr/bin/disabled-intelme-by-security-misc -#install mei_phy /usr/bin/disabled-intelme-by-security-misc -#install mei_pxp /usr/bin/disabled-intelme-by-security-misc -#install mei-txe /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -#install mei_wdt /usr/bin/disabled-intelme-by-security-misc -#install microread_mei /usr/bin/disabled-intelme-by-security-misc - -## Intel Platform Monitoring Technology (PMT) Telemetry: -## Disable certain functionalities of the Intel PMT components. -## -## https://github.com/intel/Intel-PMT -## -install pmt_class /usr/bin/disabled-intelpmt-by-security-misc -install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc -install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc - -## Thunderbolt: -## Disable Thunderbolt modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## 2. 
File Systems: - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. -## -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Network File Systems: -## Disable uncommon network file systems to reduce attack surface. -## -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -## -## Common Internet File System (CIFS): -## -install cifs /usr/bin/disabled-netfilesys-by-security-misc -install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc -install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc -## -## Network File System (NFS): -## -install nfs /usr/bin/disabled-netfilesys-by-security-misc -install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc -install nfsd /usr/bin/disabled-netfilesys-by-security-misc -install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc - -## 2. Networking: - -## Network Protocols: -## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. -## Previously had blacklisted eepro100 and eth1394. 
-## -## https://tails.boum.org/blueprint/blacklist_modules/ -## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco -## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 -## -install af_802154 /usr/bin/disabled-network-by-security-misc -install appletalk /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -#install brcm80211 /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install dccp /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc -install eepro100 /usr/bin/disabled-network-by-security-misc -install eth1394 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -## -## Asynchronous Transfer Mode (ATM): -## -install atm /usr/bin/disabled-network-by-security-misc -install ueagle-atm /usr/bin/disabled-network-by-security-misc -install usbatm /usr/bin/disabled-network-by-security-misc -install xusbatm /usr/bin/disabled-network-by-security-misc -## -## Controller Area Network (CAN) Protocol: -## -install c_can /usr/bin/disabled-network-by-security-misc -install c_can_pci /usr/bin/disabled-network-by-security-misc -install c_can_platform /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc -install can-bcm /usr/bin/disabled-network-by-security-misc -install 
can-dev /usr/bin/disabled-network-by-security-misc -install can-gw /usr/bin/disabled-network-by-security-misc -install can-isotp /usr/bin/disabled-network-by-security-misc -install can-raw /usr/bin/disabled-network-by-security-misc -install can-j1939 /usr/bin/disabled-network-by-security-misc -install can327 /usr/bin/disabled-network-by-security-misc -install ifi_canfd /usr/bin/disabled-network-by-security-misc -install janz-ican3 /usr/bin/disabled-network-by-security-misc -install m_can /usr/bin/disabled-network-by-security-misc -install m_can_pci /usr/bin/disabled-network-by-security-misc -install m_can_platform /usr/bin/disabled-network-by-security-misc -install phy-can-transceiver /usr/bin/disabled-network-by-security-misc -install slcan /usr/bin/disabled-network-by-security-misc -install ucan /usr/bin/disabled-network-by-security-misc -install vxcan /usr/bin/disabled-network-by-security-misc -install vcan /usr/bin/disabled-network-by-security-misc -## -## Transparent Inter Process Communication (TIPC): -## -install tipc /usr/bin/disabled-network-by-security-misc -install tipc_diag /usr/bin/disabled-network-by-security-misc -## -## Reliable Datagram Sockets (RDS): -## -install rds /usr/bin/disabled-network-by-security-misc -install rds_rdma /usr/bin/disabled-network-by-security-misc -install rds_tcp /usr/bin/disabled-network-by-security-misc -## -## Stream Control Transmission Protocol (SCTP): -## -install sctp /usr/bin/disabled-network-by-security-misc -install sctp_diag /usr/bin/disabled-network-by-security-misc - -## 4. Miscellaneous: - -## Amateur Radios: -## -install hamradio /usr/bin/disabled-miscellaneous-by-security-misc - -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. 
-## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - -## Floppy Disks: -## -install floppy /usr/bin/disabled-miscellaneous-by-security-misc - -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. -## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb 
/usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc -install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc - -## Replaced Modules: -## These legacy drivers have all been entirely replaced and superseded by newer drivers. -## These were all previously blacklisted. -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## -install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc -install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc -install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc -install prism54 /usr/bin/disabled-miscellaneous-by-security-misc - -## USB Video Device Class: -## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc - -## Vivid: -## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -## -## No longer disabled by default: -## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 -## https://github.com/Kicksecure/security-misc/issues/298 -## -#install vivid /usr/bin/disabled-miscellaneous-by-security-misc 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/etc/permission-hardening.d/25_default_passwd.conf similarity index 51% rename from usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf rename to etc/permission-hardening.d/25_default_passwd.conf index e7bc816..32fd72e 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ b/etc/permission-hardening.d/25_default_passwd.conf @@ -1,15 +1,14 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. # Keep the `passwd` utility executable to prevent issues with the # /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep -# the nosuid rule on /usr/bin from fighting with these rules. +# user logins with `su` and KScreenLocker # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd -/usr/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root +/bin/passwd 0755 root root diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf new file mode 100644 index 0000000..67be9ac --- /dev/null +++ b/etc/permission-hardening.d/25_default_sudo.conf 
@@ -0,0 +1,20 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## https://forums.whonix.org/t/restrict-root-access/7658/116 +## This restricts the file permissions of the sudo executable so that a vulnerability +## in the program will not be exploitable by any users not in the "sudo" group. sudo +## is a very complex program and is setuid so vulnerabilities in it can allow privilege +## escalation, regardless of other root access restrictions. For example, the following +## buffer overflow vulnerability could have been exploited by any user on the system: +## https://www.openwall.com/lists/oss-security/2021/01/26/3 +## With this restriction, only users explicitly permitted to use sudo by being added to +## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a +## compromised network-facing daemon (such as web servers, time synchronization daemons, +## etc.) running as its own user from exploiting sudo to escalate privileges. +#/usr/bin/sudo 4750 root sudo +#/bin/sudo 4750 root sudo diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf new file mode 100644 index 0000000..2ffc8c2 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/bwrap exactwhitelist +/bin/bwrap exactwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf new file mode 100644 index 0000000..1bd3206 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_chromium.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/lib/chromium/chrome-sandbox exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf new file mode 100644 index 0000000..e1325ff --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_dbus.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +dbus-daemon-launch-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/etc/permission-hardening.d/25_default_whitelist_firejail.conf similarity index 50% rename from usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf rename to etc/permission-hardening.d/25_default_whitelist_firejail.conf index e3441e1..99608df 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardening.d/25_default_whitelist_firejail.conf 
@@ -1,11 +1,11 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## There is a controversy about firejail but those who choose to install it ## should be able to use it. -## https://www.kicksecure.com/wiki/Dev/Firejail#Security +## https://www.whonix.org/wiki/Dev/Firejail#Security /usr/bin/firejail exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf new file mode 100644 index 0000000..1293214 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_fuse.conf @@ -0,0 +1,10 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## required for AppImages such as electrum Bitcoin wallet +## https://forums.whonix.org/t/disable-suid-binaries/7706/57 +/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardening.d/25_default_whitelist_mount.conf similarity index 59% rename from usr/lib/permission-hardener.d/25_default_whitelist_mount.conf rename to etc/permission-hardening.d/25_default_whitelist_mount.conf index ac5e9d1..1557318 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardening.d/25_default_whitelist_mount.conf 
@@ -1,17 +1,17 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## Protect from 'chmod -x' (and SUID removal). ## SUID will be removed below in separate step. +/bin/mount exactwhitelist /usr/bin/mount exactwhitelist -/usr/bin/umount exactwhitelist ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/usr/bin/mount 755 root root -/usr/bin/umount 755 root root +/bin/mount 745 root root +/usr/bin/mount 745 root root diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf new file mode 100644 index 0000000..fb4fa86 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_policykit.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/pkexec exactwhitelist +/bin/pkexec exactwhitelist +/usr/bin/pkexec.security-misc-orig exactwhitelist +/bin/pkexec.security-misc-orig exactwhitelist + +## TODO: research +## match both: +#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist +#/lib/policykit-1/polkit-agent-helper-1 +polkit-agent-helper-1 matchwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf new file mode 100644 index 0000000..bb6e951 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_qubes.conf @@ -0,0 +1,13 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +## match both: +#/usr/lib/qubes/qfile-unpacker whitelist +#/lib/qubes/qfile-unpacker +/qubes/qfile-unpacker matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf new file mode 100644 index 0000000..f0464b9 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_selinux.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/utempter/utempter matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf new file mode 100644 index 0000000..1ed1ed2 --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_spice.conf 
@@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf new file mode 100644 index 0000000..07051dd --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_sudo.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/sudo exactwhitelist +/bin/sudo exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf similarity index 54% rename from usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf rename to etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf index 1faf380..c086dab 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf 
@@ -1,10 +1,11 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## required for performing password validation from unprivileged user ## processes such as KScreenLocker's unlock prompt /usr/sbin/unix_chkpwd exactwhitelist +/sbin/unix_chkpwd exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf new file mode 100644 index 0000000..fc2369e --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +/usr/lib/virtualbox/ matchwhitelist diff --git a/usr/lib/permission-hardener.d/30_default.conf b/etc/permission-hardening.d/30_default.conf similarity index 67% rename from usr/lib/permission-hardener.d/30_default.conf rename to etc/permission-hardening.d/30_default.conf index 27605d9..e0d310d 100644 --- a/usr/lib/permission-hardener.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -1,16 +1,18 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] -## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] ## +## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" +## argument. + ## TODO: white spaces inside file name untested and probably will not work. ###################################################################### @@ -20,9 +22,13 @@ #whitelists_disable_all=true ###################################################################### -# SUID disables below (or in lexically higher) files: disablewhitelist +# SUID disablewhitelist ###################################################################### +## disablewhitelist disables below (or in lexically higher) files +## exactwhitelist and matchwhitelist. Add these here (discouraged) or better +## in file "/etc/permission-hardening.d/20_user.conf". + ## For example, if you are not using SELinux the following might make sense to ## enable. TODO: research #/utempter/utempter disablewhitelist 
@@ -31,83 +37,82 @@ #/fusermount disablewhitelist ###################################################################### -# SUID whitelist matches full path: exactwhitelist +# SUID exact match whitelist ###################################################################### ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su +#/bin/su exactwhitelist #/usr/bin/su exactwhitelist +###################################################################### +# SUID exact match whitelist +###################################################################### + ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 +## http://forums.whonix.org/t/permission-hardening/8655/25 #/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### -# SUID whitelist matches in any section of the path: matchwhitelist +# SUID regex match whitelist ###################################################################### -## Examples below are already configured: -#ssh-agent matchwhitelist -#/usr/lib/openssh matchwhitelist +###################################################################### +# SUID regex match whitelist +###################################################################### ###################################################################### # Permission Hardening ###################################################################### /home/ 0755 root root +/home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root -/etc/permission-hardener.d 0600 root root -/usr/local/etc/permission-hardener.d 0600 root root -/usr/lib/modules/ 0700 root root -/usr/src 0700 root root -/etc/cups/cupsd.conf 0400 root root -/etc/syslog.conf 0600 root root -/etc/ssh/sshd_config 0600 root root -/etc/crontab 0600 root root -/etc/cron.d 0700 root root -/etc/cron.daily 0700 root root 
-/etc/sudoers.d 0700 root root -/etc/cron.hourly 0700 root root -/etc/cron.weekly 0700 root root -/etc/cron.monthly 0700 root root -/etc/group 0644 root root -/etc/group- 0644 root root -/etc/hosts.allow 0644 root root -/etc/hosts.deny 0644 root root -/etc/issue 0644 root root -/etc/issue.net 0644 root root -/etc/motd 0644 root root -/etc/passwd 0644 root root -/etc/passwd- 0644 root root +/etc/permission-hardening.d 0600 root root +/usr/local/etc/permission-hardening.d 0600 root root +/lib/modules/ 0700 root root ###################################################################### -# SUID/SGID Removal: nosuid +# SUID/SGID Removal ###################################################################### -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. -## ## Remove all SUID/SGID binaries/libraries. -/opt/ nosuid -/usr/bin/ nosuid -/usr/lib32/ nosuid -/usr/lib64/ nosuid -/usr/lib/ nosuid +/bin/ nosuid /usr/local/bin/ nosuid -/usr/local/lib32/ nosuid -/usr/local/lib64/ nosuid -/usr/local/lib/ nosuid -/usr/local/opt/ nosuid -/usr/local/sbin/ nosuid + +/usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/usr/local/usr/lib32/ nosuid -/usr/local/usr/lib64/ nosuid -/usr/local/usr/lib/ nosuid -/usr/local/usr/sbin/ nosuid + +/sbin/ nosuid +/usr/local/sbin/ nosuid + /usr/sbin/ nosuid +/usr/local/usr/sbin/ nosuid + +/lib/ nosuid +/usr/local/lib/ nosuid + +/lib32/ nosuid +/usr/local/lib32/ nosuid + +/lib64/ nosuid +/usr/local/lib64/ nosuid + +/usr/lib/ nosuid +/usr/local/usr/lib/ nosuid + +/usr/lib32/ nosuid +/usr/local/usr/lib32/ nosuid + +/usr/lib64/ nosuid +/usr/local/usr/lib64/ nosuid + +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 +/opt/ nosuid +/usr/local/opt/ nosuid ###################################################################### # Capability Removal 
@@ -116,7 +121,7 @@ ## Ping doesn't work with Tor anyway so its capabilities are removed to ## reduce attack surface. ## anon-apps-config does this. -#/usr/bin/ping 0744 root root none +#/bin/ping 0744 root root none ## TODO: research #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh deleted file mode 100755 index c1adb22..0000000 --- a/etc/profile.d/30_security-misc.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg -fi -if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then - export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS -fi diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index c98d20d..ca0d81b 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,5 +1,2 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index e8bc2ab..248335c 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,8 +1,8 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: -## https://www.kicksecure.com/wiki/Root#Root_Login +## https://www.whonix.org/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index 4b70cde..bb81754 100644 
--- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -1,12 +1,9 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - # Configuration for locking the user after multiple failed # authentication attempts. # # The directory where the user files with the failure records are kept. # The default is /var/run/faillock. -dir = /var/lib/security-misc/faillock +# dir = /var/run/faillock # # Will log the user name into the system log if the user is not found. # Enabled if option is present. @@ -38,19 +35,14 @@ deny = 50 # authentication failures must happen for the user account # lock out is n seconds. # The default is 900 (15 minutes). -# security-misc note: the interval should be set to infinity if possible, -# however pam_faillock arbitrarily limits this variable to a maximum of 604800 -# seconds (7 days). See -# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 -# for details. Therefore we set this to the maximum allowable value of 7 days. -fail_interval = 604800 +# fail_interval = 900 # # The access will be re-enabled after n seconds after the lock out. # The value 0 has the same meaning as value `never` - the access # will not be re-enabled without resetting the faillock # entries by the `faillock` command. # The default is 600 (10 minutes). -unlock_time = never +# unlock_time = 600 # # Root account can become locked as well as regular accounts. # Enabled if option is present. diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index d494b14..bbbe31d 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. 
diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index dd94349..fa9d01d 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf index f0ed5a4..f8004fe 100644 --- a/etc/skel/.gnupg/gpg.conf +++ b/etc/skel/.gnupg/gpg.conf @@ -282,13 +282,13 @@ display-charset utf-8 ################################################################## ################################################################## -## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html +## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html personal-digest-preferences SHA512 cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -## END Some suggestions from Debian https://keyring.debian.org/creating-key.html +## END Some suggestions from Debian http://keyring.debian.org/creating-key.html ################################################################## ################################################################## diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc new file mode 100644 index 0000000..db5f32f --- /dev/null +++ b/etc/sudoers.d/pkexec-security-misc 
@@ -0,0 +1,11 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## REVIEW: is it ok that users can find out the PATH setting of root? +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path + +## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be +## set. Would otherwise error out with the following error message: +## "This program must only be run through pkexec" +## REVIEW: Can bad things be done by spoofing PKEXEC_UID? +#Defaults:ALL env_keep += "PKEXEC_UID" diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 1fa2146..4256683 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,12 +1,6 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Neither of these are needed. -#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -## Use a more open umask when executing commands with sudo -## Can be overridden on a per-user basis using .[z]profile if desirable -## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening -Defaults umask_override -Defaults umask=0022 diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc new file mode 100644 index 0000000..4e04020 --- /dev/null +++ b/etc/sudoers.d/xfce-security-misc 
@@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 +## /usr/share/polkit-1/actions/org.xfce.power.policy + +## Feel free to out comment this if you are not using xfce4-power-manager or XFCE. + +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] +#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] + +## XXX: Should we allow this? +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend +#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf new file mode 100644 index 0000000..1fcb0ea --- /dev/null +++ b/etc/sysctl.d/30_security-misc.conf 
@@ -0,0 +1,158 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. +## security-misc also disables coredumps in other ways. +kernel.core_pattern=|/bin/false + +## Restricts the kernel log to root only. +kernel.dmesg_restrict=1 + +## Don't allow writes to files that we don't own +## in world writable sticky directories, unless +## they are owned by the owner of the directory. +fs.protected_fifos=2 +fs.protected_regular=2 + +## Only allow symlinks to be followed when outside of +## a world-writable sticky directory, or when the owner +## of the symlink and follower match, or when the directory +## owner matches the symlink's owner. +## +## Prevent hardlinks from being created by users that do not +## have read/write access to the source file. +## +## These prevent many TOCTOU races. +fs.protected_symlinks=1 +fs.protected_hardlinks=1 + +## Hardens the BPF JIT compiler and restricts it to root. +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Hides kernel addresses in various files in /proc. +## Kernel addresses can be very useful in certain exploits. +## +## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +kernel.kptr_restrict=2 + +## Improves ASLR effectiveness for mmap. +## Both explicit sysctl are made redundant due to automation +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 +## Do NOT enable either - displaying only for clarity +## +#vm.mmap_rnd_bits=32 +#vm.mmap_rnd_compat_bits=16 + +## Restricts the use of ptrace to root. This might break some programs running under WINE. +## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. 
This can be done by running: +## +## sudo apt-get install libcap2-bin +## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver +## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader +kernel.yama.ptrace_scope=2 + +## Prevent setuid processes from creating coredumps. +fs.suid_dumpable=0 + +## Randomize the addresses for mmap base, heap, stack, and VDSO pages +kernel.randomize_va_space=2 + +#### meta start +#### project Kicksecure +#### category networking and security +#### description +## TCP/IP stack hardening + +## Protects against time-wait assassination. +## It drops RST packets for sockets in the time-wait state. +net.ipv4.tcp_rfc1337=1 + +## Disables ICMP redirect acceptance. +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Disables ICMP redirect sending. +net.ipv4.conf.all.send_redirects=0 +net.ipv4.conf.default.send_redirects=0 + +## Ignores ICMP requests. +net.ipv4.icmp_echo_ignore_all=1 +net.ipv6.icmp.echo_ignore_all=1 + +## Ignores bogus ICMP error responses +net.ipv4.icmp_ignore_bogus_error_responses=1 + +## Enables TCP syncookies. +net.ipv4.tcp_syncookies=1 + +## Disable source routing. +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 +net.ipv6.conf.all.accept_source_route=0 +net.ipv6.conf.default.accept_source_route=0 + +## Enable reverse path filtering to prevent IP spoofing and +## mitigate vulnerabilities such as CVE-2019-14899. +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 + +#### meta end + + +## Previously disabled SACK, DSACK, and FACK. 
+## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 +#net.ipv4.tcp_fack=0 + + +#### meta start +#### project Kicksecure +#### category networking and security +#### description +## disable IPv4 TCP Timestamps + +net.ipv4.tcp_timestamps=0 + +#### meta end + + +## Only allow the SysRq key to be used for shutdowns and the +## Secure Attention Key (SAK). +## +## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ +kernel.sysrq=132 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent +## unprivileged attackers from loading vulnerable line disciplines +## with the TIOCSETD ioctl which has been used in exploits before +## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## +## https://lkml.org/lkml/2019/4/15/890 +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to root as it can make heap sprays +## easier. +## +## https://duasynt.com/blog/linux-kernel-heap-spray +vm.unprivileged_userfaultfd=0 + +## Let the kernel only swap if it is absolutely necessary. +## Better not be set to zero: +## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## - https://en.wikipedia.org/wiki/Swappiness +vm.swappiness=1 + +## Disallow kernel profiling by users without CAP_SYS_ADMIN +## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt +kernel.perf_event_paranoid=3 + +# Do not accept router advertisments +net.ipv6.conf.all.accept_ra=0 +net.ipv6.conf.default.accept_ra=0 diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf new file mode 100644 index 0000000..5cca304 --- /dev/null +++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -0,0 +1,16 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## +## kexec_load_disabled: +## +## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. +## Disables kexec which can be used to replace the running kernel. +kernel.kexec_load_disabled=1 + +## Why is this in a dedicated config file? +## Package ram-wipe requires kexec. However, ram-wipe could not ship a config +## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. +## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' +## it cannot be undone without reboot. This is a upstream Linux security feature. diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf new file mode 100644 index 0000000..e99f0b5 --- /dev/null +++ b/etc/sysctl.d/30_silent-kernel-printk.conf @@ -0,0 +1,14 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Prevent kernel info leaks in console during boot. +## https://phabricator.whonix.org/T950 +kernel.printk = 3 3 3 3 + +## NOTE: +## For higher verbosity, the user might also want to delete file +## /etc/default/grub.d/41_quiet.cfg +## (or out-comment its settings). +## +## Alternatively, the user could consider to install the debug-misc package, +## which will undo the settings found here. 
diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index 42fefd4..b24186a 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index 42fefd4..b24186a 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js new file mode 100644 index 0000000..5d849ea --- /dev/null +++ b/etc/thunderbird/pref/40_security-mic.js @@ -0,0 +1,11 @@ +//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +//#### See the file COPYING for copying conditions. + +//#### meta start +//#### project Whonix and Kicksecure +//#### category security and apps +//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +//#### meta end + +// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +pref("network.IDN_show_punycode", true); 
diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js deleted file mode 100644 index 931f9d2..0000000 --- a/etc/thunderbird/pref/40_security-misc.js +++ /dev/null 
@@ -1,59 +0,0 @@ -//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -//#### See the file COPYING for copying conditions. - -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); - -// Disable all and any kind of telemetry by default -pref("toolkit.telemetry.enabled", false); -pref("toolkit.telemetry.unified", false); -pref("toolkit.telemetry.shutdownPingSender.enabled", false); -pref("toolkit.telemetry.updatePing.enabled", false); -pref("toolkit.telemetry.archive.enabled", false); -pref("toolkit.telemetry.bhrPing.enabled", false); -pref("toolkit.telemetry.firstShutdownPing.enabled", false); -pref("toolkit.telemetry.newProfilePing.enabled", false); -pref("toolkit.telemetry.server", ""); // Defense in depth -pref("toolkit.telemetry.server_owner", ""); // Defense in depth -pref("datareporting.healthreport.uploadEnabled", false); -pref("datareporting.policy.dataSubmissionEnabled", false); -pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox -pref("toolkit.coverage.opt-out", true); // from Firefox - -// Disable implicit outbound traffic -pref("network.connectivity-service.enabled", false); -pref("network.prefetch-next", false); -pref("network.dns.disablePrefetch", true); -pref("network.predictor.enabled", false); - -// No need to explain the problems with javascript -// If you want javascript, use your browser -// Thunderbird needs no javascript -// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. 
So commented out for now. - -// Disable scripting when viewing pdf files -user_pref("pdfjs.enableScripting", false); - -// If you want cookies, use your browser -pref("network.cookie.cookieBehavior", 2); - -// Do not send user agent information -// For email clients, this is more like a relic of the past -// Completely not necessary and just exposes a lot of information about the client -// Since v115.0 Thunderbird already minimizes the user agent -// But we want it gone for good for no information leak at all -// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 -pref("mailnews.headers.sendUserAgent", false); - -// Normally we send emails after marking them with a time stamp -// That includes our local time zone -// This option makes our local time zone appear as UTC -// And rounds the time stamp to the closes minute -// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 -pref("mail.sanitize_date_header", true); diff --git a/lib/systemd/coredump.conf.d/30_security-misc.conf b/lib/systemd/coredump.conf.d/30_security-misc.conf new file mode 100644 index 0000000..519f838 --- /dev/null +++ b/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -0,0 +1,2 @@ +[Coredump] +Storage=none diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset similarity index 56% rename from usr/lib/systemd/system-preset/50-security-misc.preset rename to lib/systemd/system-preset/50-security-misc.preset index 1895526..be35459 100644 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset 
@@ -1,19 +1,14 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 disable hide-hardware-info.service ## Disable for now until development finished / tested. -disable permission-hardener.service +disable permission-hardening.service ## Disable for now until development finished / tested. -## https://github.com/Kicksecure/security-misc/pull/152 disable remount-secure.service ## Disable due to pkexec issues. disable proc-hidepid.service - -## Disable due to issues. See: -## https://github.com/Kicksecure/security-misc/issues/159 -disable harden-module-loading.service diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/lib/systemd/system/haveged.service.d/30_security-misc.conf similarity index 69% rename from usr/lib/systemd/system/haveged.service.d/30_security-misc.conf rename to lib/systemd/system/haveged.service.d/30_security-misc.conf index 2981464..fd79dc8 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service similarity index 72% rename from usr/lib/systemd/system/hide-hardware-info.service rename to lib/systemd/system/hide-hardware-info.service index 659c3f5..d1e02fd 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service 
@@ -1,10 +1,9 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service new file mode 100644 index 0000000..4987d02 --- /dev/null +++ b/lib/systemd/system/permission-hardening.service @@ -0,0 +1,20 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=SUID, SGID, Capability and File Permission Hardening +Documentation=https://github.com/Whonix/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/permission-hardening +RemainAfterExit=yes + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service similarity index 55% rename from usr/lib/systemd/system/proc-hidepid.service rename to lib/systemd/system/proc-hidepid.service index d7ea4d9..8d4d207 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -1,10 +1,9 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target 
@@ -12,7 +11,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc RemainAfterExit=yes [Install] diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service new file mode 100644 index 0000000..2e08b65 --- /dev/null +++ b/lib/systemd/system/remount-secure.service @@ -0,0 +1,22 @@ +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) +Documentation=https://github.com/Whonix/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +After=qubes-sysinit.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/remount-secure +RemainAfterExit=yes + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service similarity index 70% rename from usr/lib/systemd/system/remove-system-map.service rename to lib/systemd/system/remove-system-map.service index 1e36d61..1675c77 100644 --- a/usr/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -1,10 +1,9 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] Description=Removes the System.map files -Documentation=https://github.com/Kicksecure/security-misc - +Documentation=https://github.com/Whonix/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/lib/systemd/system/user@.service.d/sysfs.conf new file mode 100644 index 0000000..e0cf3a7 --- /dev/null 
+++ b/lib/systemd/system/user@.service.d/sysfs.conf @@ -0,0 +1,2 @@ +[Service] +SupplementaryGroups=sysfs diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index b42625e..bdc4e61 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -3,8 +3,8 @@ Version: @VERSION@ Release: 1%{?dist} Summary: enhances misc security settings -License: AGPL-3+ -URL: https://github.com/Kicksecure/security-misc +License: GPL-3+-with-additional-terms-1 +URL: https://github.com/Whonix/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
@@ -13,7 +13,50 @@ Requires: make BuildArch: noarch %description -See README. +The following settings are changed: + +deactivates previews in Dolphin; +deactivates previews in Nautilus; +deactivates thumbnails in Thunar; +deactivates TCP timestamps; +deactivates Netfilter's connection tracking helper; + +TCP time stamps (RFC 1323) allow for tracking clock +information with millisecond resolution. This may or may not allow an +attacker to learn information about the system clock at such +a resolution, depending on various issues such as network lag. +This information is available to anyone who monitors the network +somewhere between the attacked system and the destination server. +It may allow an attacker to find out how long a given +system has been running, and to distinguish several +systems running behind NAT and using the same IP address. It might +also allow one to look for clocks that match an expected value to find the +public IP used by a user. + +Hence, this package disables this feature by shipping the +/etc/sysctl.d/tcp_timestamps.conf configuration file. + +Note that TCP time stamps normally have some usefulness. They are +needed for: + +* the TCP protection against wrapped sequence numbers; however, to + trigger a wrap, one needs to send roughly 2^32 packets in one + minute: as said in RFC 1700, "The current recommended default + time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". + So, this probably won't be a practical problem in the context + of Anonymity Distributions. + +* "Round-Trip Time Measurement", which is only useful when the user + manages to saturate their connection. When using Anonymity Distributions, + probably the limiting factor for transmission speed is rarely the capacity + of the user connection. + +Netfilter's connection tracking helper module increases kernel attack +surface by enabling superfluous functionality such as IRC parsing in +the kernel. (!) 
+ +Hence, this package disables this feature by shipping the +/etc/sysctl.d/nf_conntrack_helper.conf configuration file. %prep %setup -q @@ -29,9 +72,47 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/* -/lib/* -/usr/* +/etc/X11/Xsession.d/50panic_on_oops +/etc/X11/Xsession.d/50security-misc +/etc/apparmor.d/tunables/home.d/security-misc +/etc/apt/apt.conf.d/40sandbox +/etc/default/grub.d/40_enable_iommu.cfg +/etc/default/grub.d/40_kernel_hardening.cfg +/etc/login.defs.security-misc +/etc/modprobe.d/30_nf_conntrack_helper_disable.conf +/etc/modprobe.d/blacklist-dma.conf +/etc/modprobe.d/uncommon-network-protocols.conf +/etc/securetty.security-misc +/etc/security/limits.d/disable-coredumps.conf +/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +/etc/sudoers.d/security-misc +/etc/sysctl.d/coredumps.conf +/etc/sysctl.d/dmesg_restrict.conf +/etc/sysctl.d/fs_protected.conf +/etc/sysctl.d/harden_bpf.conf +/etc/sysctl.d/kexec.conf +/etc/sysctl.d/kptr_restrict.conf +/etc/sysctl.d/mmap_aslr.conf +/etc/sysctl.d/ptrace_scope.conf +/etc/sysctl.d/suid_dumpable.conf +/etc/sysctl.d/sysrq.conf +/etc/sysctl.d/tcp_hardening.conf +/etc/sysctl.d/tcp_sack.conf +/etc/sysctl.d/tcp_timestamps.conf +/etc/systemd/system/emergency.service.d/override.conf +/etc/systemd/system/rescue.service.d/override.conf +/lib/systemd/coredump.conf.d/disable-coredumps.conf +/lib/systemd/system/proc-hidepid.service +/lib/systemd/system/remove-system-map.service +/usr/libexec/security-misc/apt-get-update +/usr/libexec/security-misc/apt-get-update-sanity-test +/usr/libexec/security-misc/panic-on-oops +/usr/libexec/security-misc/remove-system.map +/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +/usr/share/lintian/overrides/security-misc +/usr/share/pam-configs/usergroups +/usr/share/pam-configs/wheel +/usr/share/security-misc/dolphinrc %changelog @CHANGELOG@ 
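Review bot: the new drop-in lib/systemd/system/user@.service.d/sysfs.conf grants every user@.service instance the `sysfs` supplementary group, but nothing in the patch states what that group is meant to give user sessions access to, and the file is missing from the explicit %files list that this same patch introduces in rpm_spec/security-misc.spec.in, so the RPM built from that spec will not ship it. Add a comment line to the drop-in explaining its purpose, and either list `/lib/systemd/system/user@.service.d/sysfs.conf` under %files or drop the file.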
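Review bot: the %description added to rpm_spec/security-misc.spec.in says the package disables the conntrack helper "by shipping the /etc/sysctl.d/nf_conntrack_helper.conf configuration file", but the %files list in the same hunk contains `/etc/modprobe.d/30_nf_conntrack_helper_disable.conf` and no such sysctl file; one of the two is wrong and they need to agree (the same check passes for tcp_timestamps.conf, which is listed). The description also carries a stray `(!)` after "in the kernel". Separately, changing `License:` from AGPL-3+ to GPL-3+-with-additional-terms-1 and `URL:` from Kicksecure to Whonix, while replacing "See README." with the long text and the `/etc/*`, `/lib/*`, `/usr/*` globs with an explicit file list, reads like a revert to an older spec; the commit message should say so explicitly, and the `License:` tag must match what the file referenced by `%license debian/copyright` actually states.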
diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc deleted file mode 100755 index 0a4c308..0000000 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc deleted file mode 100755 index f017e76..0000000 --- a/usr/bin/disabled-cdrom-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc deleted file mode 100755 index f0cf9b4..0000000 --- a/usr/bin/disabled-filesys-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 
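Review bot: deleting usr/bin/disabled-bluetooth-by-security-misc, disabled-cdrom-by-security-misc and disabled-filesys-by-security-misc (and, below, the remaining disabled-*-by-security-misc scripts with identical bodies) removes the alert that is printed when a blocked module load is attempted, and each script tells the user to look at /etc/modprobe.d/30_security-misc_disable.conf, which is not in the new %files list either. Whatever in that modprobe.d file invokes these scripts now points at a path that no longer exists, so the load still fails but the explanatory ALERT and its `exit 1` are lost. Either keep the scripts, or include the matching change to /etc/modprobe.d/30_security-misc_disable.conf in this patch so the two stay consistent.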
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc deleted file mode 100755 index c0d035a..0000000 --- a/usr/bin/disabled-firewire-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc deleted file mode 100755 index c287c21..0000000 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc deleted file mode 100755 index 149249a..0000000 --- a/usr/bin/disabled-gps-by-security-misc +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc deleted file mode 100755 index 094fa29..0000000 --- a/usr/bin/disabled-intelme-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc deleted file mode 100755 index 45a7aa4..0000000 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc deleted file mode 100755 index 5848c6e..0000000 
--- a/usr/bin/disabled-miscellaneous-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc deleted file mode 100755 index ed4e792..0000000 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc deleted file mode 100755 index f8c3129..0000000 --- a/usr/bin/disabled-network-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc deleted file mode 100755 index c6d1d71..0000000 
--- a/usr/bin/disabled-thunderbolt-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener deleted file mode 100755 index 9f70834..0000000 --- a/usr/bin/permission-hardener +++ /dev/null 
@@ -1,994 +0,0 @@ -#!/bin/bash -# shellcheck disable=SC2076 - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## dpkg-statoverride does not support end-of-options ("--"). - -## SC2076 is disabled because ShellCheck seems to think that any use of -## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] -## works very well for literal matching, and it is used that way extensively -## throughout this script. - -set -o errexit -o nounset -o pipefail - -## Constants -# shellcheck disable=SC2034 -log_level=notice -store_dir="/var/lib/permission-hardener-v2" -state_file="${store_dir}/existing_mode/statoverride" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - -## Library imports -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/log_run_die.sh - -## Functions -echo_wrapper_ignore() { - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - local return_code - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - return_code=0 - "$@" || - { - return_code="$?" - exit_code=203 - log error "Command '$*' failed with exit code '${return_code}'! 
calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -## Some tools may fail on newlines and even variable assignment to array may -## fail if a variable that will be assigned to an array element contains -## characters that are used as delimiters. -block_newlines() { - local newline_variable newline_value - newline_variable="${1:-}" - newline_value="${2:-}" - ## dpkg-statoverride: error: path may not contain newlines - if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then - log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 - return 1 - fi -} - -output_stat() { - local file_name stat_output stat_output_newlined hardlink_count - declare -a arr - file_name="${1:-}" - - if [ -z "${file_name}" ]; then - log error "File name is empty. file_name: '${file_name}'" >&2 - return 1 - fi - - block_newlines file "${file_name}" - - if [ ! -e "${file_name}" ]; then - log info "File does not exist. file_name: '${file_name}'" >&2 - existing_mode='' - existing_owner='' - existing_group='' - file_name_from_stat='' - return 0 - fi - - if ! stat_output="$(stat -L \ - --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ - -- "${file_name}")"; then - log error "Failed to run 'stat' on file: '${file_name}'!" >&2 - return 1 - fi - - if [ -z "$stat_output" ]; then - log error "stat_output is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - - if [ -z "${stat_output_newlined}" ]; then - log error "stat_output_newlined is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - readarray -t arr <<< "${stat_output_newlined}" - - if [ "${#arr[@]}" = '0' ]; then - log error "Array length is 0. 
-File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" - file_name_from_stat="${arr[3]}" - hardlink_count="${arr[4]}" - - if [ "$file_name" != "$file_name_from_stat" ]; then - log error "\ -File name is different from file name received from stat: -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - ## We can't handle files with hardlinks because figuring out all of the files - ## in a "hardlink pool" requires scanning the whole filesystem, which would - ## result in an unacceptable performance hit for this script. We don't check - ## directory hardlinks since directories can't have traditional hardlinks. - if [ ! -d "${file_name_from_stat}" ]; then - if (( hardlink_count > 1 )); then - log error "\ -File has unexpected hardlinks, cannot handle. -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - fi - - if [ -z "${existing_mode}" ]; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_owner}" ]; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_group}" ]; then - log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - - ## If a symlink was passed as input, return the original file's path rather - ## than the symlink to avoid problems stemming from using the wrong path - if [ -h "${file_name_from_stat}" ]; then - file_name_from_stat="$(realpath "${file_name_from_stat}")" - fi -} - -print_usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] - ${0##*/} print-policy - ${0##*/} print-state - ${0##*/} print-policy-applied-state - ${0##*/} print-diagnostics - -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 -} - -add_to_policy() { - local file_name file_mode file_owner file_group updated_entry policy_idx \ - file_capabilities - file_name="${1:-}" - file_mode="${2:-}" - file_owner="${3:-}" - file_group="${4:-}" - file_capabilities="${5:-}" - updated_entry=false - - if [ -h "${file_name}" ]; then - file_name="$(realpath "${file_name}")" || return 1 - fi - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then - policy_mode_list[policy_idx]="${file_mode}" - policy_user_owner_list[policy_idx]="${file_owner}" - policy_group_owner_list[policy_idx]="${file_group}" - policy_capability_list[policy_idx]="${file_capabilities}" - updated_entry=true - break - fi - done - - if [ "${updated_entry}" != 'true' ]; then - policy_file_list+=( "${file_name}" ) - policy_mode_list+=( "${file_mode}" ) - policy_user_owner_list+=( "${file_owner}" ) - policy_group_owner_list+=( "${file_group}" ) - policy_capability_list+=( "${file_capabilities}" ) - fi -} - -check_nosuid_whitelist() { - local target_file match_white_list_entry - - target_file="${1:-}" - - ## Handle whitelists, if we're supposed to - [ "${whitelists_disable_all}" = 'true' ] && return 0 - - ## literal matching is intentional here - [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 - 
- ## literal matching is intentional here too - [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 - - for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if safe_echo "${target_file}" \ - | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then - return 1 - fi - done - - return 0 -} - -load_early_nosuid_policy() { - local target_file find_list_item - - target_file="${1:-}" - - # shellcheck disable=SC2185 - while IFS="" read -r -d "" find_list_item; do - check_nosuid_whitelist "${find_list_item}" || continue - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${find_list_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - ## -h file True if file is a symbolic link. - if [ -h "${find_list_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${find_list_item}'" - continue - fi - - if [ -d "${find_list_item}" ]; then - log info "Skip directory: '${find_list_item}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - local new_mode - new_mode='744' - - add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ - "${existing_group}" - done < <(safe_echo_nonewline "${target_file}" \ - | find -files0-from - -perm /u=s,g=s -print0) -} - -## If the "target file" matches the start of the state file name, that's a -## likely match. This is used by load_late_nosuid_policy for detecting info -## about files that need SUID-locked that are in the state. 
-match_dir() { - local base_str match_str base_arr match_arr base_idx - - base_str="${1}" - match_str="${2}" - [[ "${base_str}" =~ '//' ]] && return 1 - [[ "${match_str}" =~ '//' ]] && return 1 - - IFS='/' read -r -a base_arr <<< "${base_str}" - IFS='/' read -r -a match_arr <<< "${match_str}" - (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 - - for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do - if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then - return 1 - fi - done - - return 0 -} - -load_late_nosuid_policy() { - local target_file state_idx state_file_item state_user_owner_item \ - state_group_owner_item new_mode - - target_file="${1:-}" - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - check_nosuid_whitelist "${state_file_item}" || continue - - match_dir "${target_file}" "${state_file_item}" || continue - - if [ -h "${state_file_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${state_file_item}'" - continue - fi - - if [ -d "${state_file_item}" ]; then - log info "Skip directory: '${state_file_item}'" - continue - fi - - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - new_mode='744' - add_to_policy "${state_file_item}" "${new_mode}" \ - "${state_user_owner_item}" "${state_group_owner_item}" - done -} - -load_state_without_policy() { - local line field_list - - ## Load the state file from disk - if [ -f "${state_file}" ]; then - while read -r line; do - read -r -a field_list <<< "${line}" - if (( ${#field_list[@]} != 4 )); then - log info \ - "Invalid number of fields in state file line: '${line}'. Skipping." 
- continue - fi - state_user_owner_list+=( "${field_list[0]}" ) - state_group_owner_list+=( "${field_list[1]}" ) - state_mode_list+=( "${field_list[2]}" ) - state_file_list+=( "${field_list[3]}" ) - done < "${state_file}" - fi -} - -load_state() { - ## Config format: - ## path options - ## where options is one of: - ## user_owner group_owner filemode [capability-setting] - ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] - ## - ## Additionally, the special value 'whitelists_disable_all=true' is understood - ## to mean that all whitelisting should be ignored. - - local config_file line field_list policy_nosuid_file_item policy_file_item - - ## Load configuration, deferring whitelist handling until later - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - - while read -r line; do - if [ -z "${line}" ]; then - true 'DEBUG: line is empty. Skipping.' - continue - fi - - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if [ "${line}" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - processed_config_line="${line}" - - IFS=' ' read -r -a field_list <<< "${line}" - - case "${#field_list[@]}" in - 2|4|5) true;; - *) - exit_code=200 - log error "Line contains an invalid number of fields: '${line}'" >&2 - exit "${exit_code}" - ;; - esac - - # Strip trailing slash if appropriate - field_list[0]="${field_list[0]%/}" - - case "${field_list[1]}" in - 'exactwhitelist') - [ ! 
-e "${field_list[0]}" ] && continue - policy_exact_white_list+=( "${field_list[0]}" ) - continue - ;; - 'matchwhitelist') - policy_match_white_list+=( "${field_list[0]}" ) - continue - ;; - 'disablewhitelist') - policy_disable_white_list+=( "${field_list[0]}" ) - continue - ;; - 'nosuid') - [ ! -e "${field_list[0]}" ] && continue - policy_nosuid_file_list+=( "${field_list[0]}" ) - ;; - *) - [ ! -e "${field_list[0]}" ] && continue - add_to_policy "${field_list[@]}" - ;; - esac - done < "${config_file}" - done - - ## We have to handle nosuid files at the end since the whitelist arrays need - ## built first. - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_early_nosuid_policy "${policy_nosuid_file_item}" - done - - load_state_without_policy - - ## Find any files in the policy that don't already have a matching file in - ## the state. Add those files to the state, and save them to the state file - ## as well. - for policy_file_item in "${policy_file_list[@]}"; do - if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then - continue - fi - output_stat "${policy_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - state_file_list+=( "${file_name_from_stat}" ) - state_user_owner_list+=( "${existing_owner}" ) - state_group_owner_list+=( "${existing_group}" ) - state_mode_list+=( "${existing_mode}" ) - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride \ - ${dpkg_admindir_parameter_existing_mode} \ - --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ - "${file_name_from_stat}" - done - - ## Fix up nosuid policies using state information - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_late_nosuid_policy "${policy_nosuid_file_item}" - done -} - -apply_policy() { - local policy_idx did_state_update state_idx - - ## Modify the in-memory state so that all items that the policy affects match - ## the policy. DO NOT save these changes to the state file! 
- for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - did_state_update=false - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then - state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" - state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" - state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" - did_state_update=true - break - fi - done - if [ "${did_state_update}" = 'false' ]; then - exit_code=206 - log error \ - "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" - exit "${exit_code}" - fi - done -} - -commit_policy() { - local policy_idx state_idx state_file_item \ - state_user_owner_item state_group_owner_item \ - state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ - policy_file_item policy_capability_item - - ## Check each file on the filesystem against the state, and update it if the - ## state does not match. Also ensure the consistency of the new_mode database - ## so that people can compare the original permissions of files with the new - ## permissions. - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. 
BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - log error "Group from config does not exist: '${state_group_owner_item}'" >&2 - continue - fi - ## Remove and reapply in main list - if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${file_name_from_stat}" - fi - echo_wrapper_audit verbose dpkg-statoverride --add --update \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - - ## Update item in secondary list - if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${file_name_from_stat}" - fi - # shellcheck disable=SC2086 - echo_wrapper_audit verbose dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --add \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - fi - done - - ## Apply capability hardening, dpkg-statoverride can't handle this so we have - ## to do this manually - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - 
policy_file_item="${policy_file_list[policy_idx]}" - policy_capability_item="${policy_capability_list[policy_idx]}" - if [ -z "${policy_capability_item}" ]; then - continue - fi - - if [ "${policy_capability_item}" = 'none' ]; then - echo_wrapper_ignore verbose setcap -r "${policy_file_item}" - if [ -n "$(getcap -- "${policy_file_item}")" ]; then - exit_code=205 - log error \ - "Removing capabilities failed. File: '${policy_file_item}'" >&2 - continue - fi - else - if ! capsh --print \ - | grep --fixed-strings -- "Bounding set" \ - | grep --quiet -- "${policy_capability_item}"; then - log error \ - "Capability from config does not exist: '${policy_capability_item}'" \ - >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ - -- "${policy_file_item}" - fi - done - - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" -} - -undo_policy_for_file() { - local undo_file state_idx state_file_item did_undo \ - undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ - state_user_owner_item state_group_owner_item state_mode_item - - undo_file="${1}" - undo_all=false - verbose='--verbose' - if [ "${undo_file}" = 'all' ]; then - undo_all=true - verbose='' - fi - - if [ ! -f "${state_file}" ]; then - true 'DEBUG: State file does not exist, hardening was not applied before.' 
- return 0 - fi - - did_undo=false - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - if [ "${undo_all}" = 'true' ]; then - undo_file="${state_file_item}" - fi - - if [ "${state_file_item}" = "${undo_file}" ]; then - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${undo_file}" - fi - - if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${undo_file}" - fi - - if [ -e "${undo_file}" ]; then - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ - "${undo_file}" || exit_code=202 - ## chmod needs to be run after chown since chown removes suid. - chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 - else - log info "File does not exist: '${undo_file}'" - fi - did_undo=true - - if [ "${undo_all}" = 'false' ]; then - break - fi - fi - done - - if ! [[ "${did_undo}" = 'false' ]]; then - log info "The specified file is not hardened, leaving unchanged. - - File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. - - This program expects the full path to the file. Example: - $0 disable /usr/bin/newgrp # absolute path: works - $0 disable newgrp # relative path: does not work - - To remove all: - $0 disable all - - This change might not be permanent. 
For full instructions, see: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - To view list of changed by SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - - For re-enabling any specific SUID binary: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - - For completely disabling SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -} - -print_columns() { - local format_str bogus_str - format_str='' - for bogus_str in "$@"; do - format_str="${format_str}%s\t" - done - format_str="${format_str}\n" - ## Using a dynamically generated format string on purpose. - # shellcheck disable=SC2059 - printf "${format_str}" "$@" -} - -print_policy() { - local policy_idx - - print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - print_columns \ - "${policy_file_list[policy_idx]}" \ - "${policy_user_owner_list[policy_idx]}" \ - "${policy_group_owner_list[policy_idx]}" \ - "${policy_mode_list[policy_idx]}" \ - "${policy_capability_list[policy_idx]}" - done -} - -print_state() { - local state_idx - - print_columns 'File' 'User' 'Group' 'Mode' - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - print_columns \ - "${state_file_list[state_idx]}" \ - "${state_user_owner_list[state_idx]}" \ - "${state_group_owner_list[state_idx]}" \ - "${state_mode_list[state_idx]}" - done -} - -print_raw_policy_config() { - local config_file - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - 
/usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - echo "*** begin ${config_file} ***" - cat "${config_file}" - echo "*** end ${config_file} ***" - done -} - -print_raw_state() { - local state_file - for state_file in "${store_dir}/existing_mode/statoverride" \ - "${store_dir}/new_mode/statoverride"; do - echo "*** begin ${state_file} ***" - cat "${state_file}" - echo "*** end ${state_file} ***" - done -} - -print_fs_audit() { - local state_idx state_file_item state_user_owner_item state_group_owner_item \ - state_mode_item - - echo 'Legend:' - echo '... - Warning about an unusual, but not necessarily wrong, condition' - echo '!!! - Warning about an unusual and definitely wrong condition' - echo '*** - File permission data, actual state on filesystem is consistent with policy' - echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' - echo 'vvv - File permissions specified by state, always shown after a ^^^ item' - echo - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - echo "... 
'${file_name_from_stat}' does not exist" - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - echo "!!! Owner from config does not exist: '${state_user_owner_item}'" - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - echo "!!! Group from config does not exist: '${state_group_owner_item}'" - continue - fi - - echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" - else - echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - fi - done -} - -reset_global_vars() { - ## Global variables - policy_file_list=() - policy_user_owner_list=() - policy_group_owner_list=() - policy_mode_list=() - policy_capability_list=() - policy_exact_white_list=() - policy_match_white_list=() - policy_disable_white_list=() - policy_nosuid_file_list=() - state_file_list=() - state_user_owner_list=() - state_group_owner_list=() - state_mode_list=() - whitelists_disable_all=false - existing_mode='' - existing_owner='' - existing_group='' - processed_config_line='' - file_name_from_stat='' - passwd_file_contents="$(getent passwd)" - group_file_contents="$(getent group)" - exit_code=0 -} - -reset_global_vars - -## Setup and sanity checking -if [ "$(id -u)" != '0' ]; then - log error "Not running as root, aborting." 
- exit 1 -fi - -mkdir --parents "${store_dir}/existing_mode" -mkdir --parents "${store_dir}/new_mode" - -echo_wrapper_audit silent which capsh getcap setcap stat find \ - dpkg-statoverride getent grep 1>/dev/null - -## Command parsing and execution -case "${1:-}" in - enable) - shift - load_state - apply_policy - commit_policy - ;; - disable) - shift - case "${1:-}" in - "") - print_usage - exit 1 - ;; - *) - load_state_without_policy - undo_policy_for_file "${1}" - ;; - esac - ;; - print-policy) - load_state - print_policy - ;; - print-state) - load_state - print_state - ;; - print-policy-applied-state) - load_state - apply_policy - print_state - ;; - print-diagnostics) - echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' - - echo '--- BEGIN State without policy ---' - load_state_without_policy - print_state - echo '--- END State without policy ---' - - reset_global_vars - - echo '--- BEGIN Policy without state ---' - load_state - print_policy - echo '--- END Policy without state ---' - - reset_global_vars - - echo '--- BEGIN Policy-applied-state ---' - load_state - apply_policy - print_state - echo '--- END Policy-applied state ---' - - reset_global_vars - - echo '--- BEGIN Master dpkg-statoverride database ---' - dpkg-statoverride --list - echo '--- END Master dpkg-statoverride database ---' - - echo '--- BEGIN Raw policy configuration ---' - print_raw_policy_config - echo '--- END Raw policy configuration ---' - - echo '--- BEGIN Raw state data ---' - print_raw_state - echo '--- END Raw state data ---' - - echo '--- BEGIN Filesystem state audit ---' - load_state - apply_policy - print_fs_audit - echo '--- END Filesystem state audit ---' - - echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' - ;; - -h|--help) - print_usage - exit 0 - ;; - *) - print_usage - exit 1 - ;; -esac - -## Exit -if test "${exit_code}" != "0"; then - log error "Exiting with non-zero exit code: '${exit_code}'" >&2 -fi - -exit "${exit_code}" 
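Review bot: Deleting permission-hardener outright leaves already-hardened systems with no way to revert what it did: the `disable` path (`undo_policy_for_file`) was what ran `dpkg-statoverride --remove`, restored owner and mode from `${store_dir}/existing_mode/statoverride`, and the `enable` path is what re-applied capabilities via `setcap`; with the script gone, files that were stripped of SUID or capabilities stay that way and the statoverride entries persist. If removal is intended, ship a one-shot undo or document the manual `dpkg-statoverride --remove` / `chmod` steps in the commit message. If any of this code is kept elsewhere, note that the message branch `if ! [[ "${did_undo}" = 'false' ]]` is inverted: it prints "The specified file is not hardened, leaving unchanged" exactly when an undo did happen; the intended test is `if [ "${did_undo}" = 'false' ]`.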
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc new file mode 100755 index 0000000..cb57c9a --- /dev/null +++ b/usr/bin/pkexec.security-misc 
@@ -0,0 +1,132 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with +## hidepid. +## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 +## * https://forums.whonix.org/t/cannot-use-pkexec/8129 + +set -e + +my_real_path="$(realpath "$0")" || true +identifier="$my_real_path wrapper" +exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 + +log_to_journal() { + echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true +} + +log_to_journal "$0 $@" +log_to_journal "DISPLAY: '$DISPLAY'" +my_pstree="$(pstree -p $$)" || true +log_to_journal "my_pstree: '$my_pstree'" + +## If hidepid is not in use, just use pkexec normally. +if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then + pkexec.security-misc-orig "$@" + exit $? +fi + +switch_user=false + +original_args="$@" + +## Thanks to: +## http://mywiki.wooledge.org/BashFAQ/035 + +while : +do + case $1 in + ## Should show 'pkexec --version' or fail? + --version) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Should show 'pkexec --help' or fail? + --help) + shift + pkexec.security-misc-orig "$original_args" + exit $? + ;; + ## Drop --disable-internal-agent as not needed and breaking both, + ## lxqt-sudo and sudo. + --disable-internal-agent) + shift + ;; + --user) + ## lxqt-sudo does not support "--user". + ## We should not make this wrapper run something as root which + ## is supposed to run under a different user. Try using + ## "sudo -A --user user --set-home" instead. 
+ user_pkexec_wrapper="$2" + if [ "$user_pkexec_wrapper" = "" ]; then + shift + else + shift 2 + fi + switch_user=true + maybe_switch_to_user="--user $user_pkexec_wrapper" + ;; + --) + shift + break + ;; + *) + break + ;; + esac +done + +## If there are input files (for example) that follow the options, they +## will remain in the "$@" positional parameters. + +if [ "$PKEXEC_UID" = "" ]; then + if [ ! "$user_pkexec_wrapper" = "" ]; then + PKEXEC_UID="$user_pkexec_wrapper" + elif [ ! "$SUDO_USER" = "" ]; then + PKEXEC_UID="$SUDO_USER" + else + PKEXEC_UID="$(whoami)" + fi +fi +export PKEXEC_UID + +if [[ "$@" = "" ]]; then + ## Call original pkexec in case there are no arguments. + pkexec.security-misc-orig $original_args + exit $? +fi + +exit_code=0 + +## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. +## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. +## Did not work. 'sudo -l' will always exit with exit code '0'. +# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then +# log_to_journal "sudoers exception: yes" +# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; +# log_to_journal "sudo --user | exit_code: '$exit_code'" +# exit "$exit_code" +# fi +# +# log_to_journal "sudoers exception: no" + +if [ "$switch_user" = "true" ]; then + ## 'sudo --user user' clears environment variables such as PATH. + lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; +else + ## set PATH same as root + ## This is required for gdebi. + ## REVIEW: is it ok that users can find out the PATH setting of root? + ## lxqt-sudo does not clear environment variable PATH. + PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" + export PATH + lxqt-sudo "$@" || { exit_code=$? ; true; }; +fi + +log_to_journal "exit_code: '$exit_code'" + +exit "$exit_code" 
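Review bot: `original_args="$@"` collapses the argument vector into a single string, so `pkexec.security-misc-orig "$original_args"` in the `--version` and `--help` branches passes everything as one argument, and the unquoted `pkexec.security-misc-orig $original_args` in the no-arguments branch re-splits on whitespace; use an array (`original_args=("$@")` and `"${original_args[@]}"`), and replace `[[ "$@" = "" ]]` with `[ "$#" -eq 0 ]`. Three further points in this hunk: `PKEXEC_UID` is defined by pkexec as the numeric uid of the calling user, but here it is filled with a user name (`$2` of `--user`, `$SUDO_USER`, or `whoami`), so anything that parses it as an integer will misbehave; `exec > >(systemd-cat ...) 2>&1` redirects the wrapped program's stdout into the journal, so any caller that consumes pkexec's output (for example `pkexec cmd | ...`) now receives nothing, which should at least be documented; and the wrapper depends on a `pkexec.security-misc-orig` binary that nothing in this diff creates (no dpkg-divert or packaging change is visible), so the `hidepid` fallback at the top fails with "command not found" unless the divert is added alongside.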
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure deleted file mode 100755 index 865867d..0000000 --- a/usr/bin/remount-secure +++ /dev/null 
@@ -1,388 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## features: -## - nodev,nosuid where appropriate -## - optional noexec for most except /home -## - optional noexec for all including /home -## - idempotent (script can be safely re-run) -## - can be run from: -## - systemd -## - dracut -## - manually from command line -## - can safely handle non-existing folders -## - error handling -## - log output: -## - shows each and every command executed -## - shows old mount options prior running remount-secure -## - shows new mount options after running remount-secure - -## noexec in /tmp and/or /home can break some malware but also legitimate -## applications. - -## https://www.kicksecure.com/wiki/Noexec -## https://www.kicksecure.com/wiki/Dev/remount-secure -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -#set -x -set -e -set -o pipefail -set -o nounset - -init() { - if test -o xtrace ; then - output_command=true - else - output_command=echo - fi - - $output_command "$0: INFO: START" - - ## dracut does not have id. Saving space in initial ramdisk. - if command -v id &>/dev/null ; then - if [ "$(id -u)" != "0" ]; then - $output_command "ERROR: must be run as root! sudo $0" - exit 1 - fi - fi - - mkdir --parents "/run/remount-secure" - exit_code=0 - - ## dracut sets NEWROOT=/sysroot - [[ -v NEWROOT ]] || NEWROOT="" - if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: no" - else - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" - fi - - ## Debugging. - #echo "ls -la /root/" - #ls -la / || true - #echo "ls -la /sysroot/" - #ls -la /sysroot/ || true - #echo "env" - #env || true -} - -parse_options() { - ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 - - while : - do - case ${1:-} in - 0) - $output_command "WARNING: Not using remount-secure." 
- exit 0 - shift - ;; - 1) - $output_command "INFO: level 1/3 (low)" - most_noexec_maybe="" - home_noexec_maybe="" - parsed=true - shift - ;; - 2) - $output_command "INFO: level 2/3 (medium)" - most_noexec_maybe=",noexec" - home_noexec_maybe="" - parsed=true - shift - ;; - 3) - $output_command "INFO: level 3/3 (high)" - most_noexec_maybe=",noexec" - home_noexec_maybe=",noexec" - parsed=true - shift - ;; - --force) - $output_command "INFO: --force" - option_force=true - shift - ;; - --) - shift - break - ;; - -*) - echo "ERROR: unknown option: $1" >&2 - exit 1 - ;; - *) - break - ;; - esac - done - - [[ -v option_force ]] || option_force="" - [[ -v parsed ]] || parsed=false - [[ -v home_noexec_maybe ]] || home_noexec_maybe="" - [[ -v most_noexec_maybe ]] || most_noexec_maybe="" - - $output_command "INFO: using nosuid,nodev: yes" - - if [ "$home_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for all: no" - else - $output_command "INFO: using noexec for all: yes" - return 0 - fi - - if [ "$most_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for most: no" - else - $output_command "INFO: using noexec for most (not all): yes" - return 0 - fi - - if [ "$parsed" = "true" ]; then - return 0 - fi - - $output_command "ERROR: syntax error. use either: -$0 0 -$0 1 -$0 2 -$0 3" - - exit 1 -} - -preparation() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the START." - #$output_command "$(findmnt --list)" - #$output_command "" - true -} - -remount_secure() { - $output_command "" - - ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function - ## which called this function. 
- status_file_name="${FUNCNAME[1]}" - ## example status_file_name: - ## _home - status_file_full_path="/run/remount-secure/${status_file_name}" - ## example status_file_full_path: - ## /run/remount-secure/_home - - old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - ## example old_mount_options: - ## rw,nosuid,nodev,relatime,discard - - $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" - - if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then - $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" - return 0 - fi - - ## When this package is upgraded, the systemd unit will run again. - ## If the user meanwhile manually relaxed mount options, this should not be undone. - - if [ ! "$option_force" == "true" ]; then - if [ -e "$status_file_full_path" ]; then - $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." - return 0 - fi - fi - - if ! test -d "$mount_folder" ; then - ## For example /boot/efi does not always exist on all systems. - $output_command "INFO: '$mount_folder' folder exists: no" - return 0 - fi - $output_command "INFO: '$mount_folder' folder exists: yes" - - if findmnt --noheadings "$mount_folder" >/dev/null ; then - $output_command "INFO: '$mount_folder' already mounted, therefore using remount." - $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" - mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 - else - $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." 
- $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 - fi - - new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" - - touch "$status_file_full_path" -} - -_boot() { - mount_folder="$NEWROOT/boot" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_boot_efi() { - ## TODO: new, test - mount_folder="$NEWROOT/boot/efi" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_run() { - mount_folder="/run" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_dev() { - mount_folder="/dev" - ## /dev should be nosuid,noexec as per: - ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 - intended_mount_options="nosuid,noexec" - remount_secure -} - -_dev_shm() { - mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_sys() { - ## TODO: new, test - mount_folder="/sys" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_tmp() { - mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_tmp() { - mount_folder="$NEWROOT/var/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_log() { - mount_folder="$NEWROOT/var/log" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_var() { - mount_folder="$NEWROOT/var" - ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. 
- intended_mount_options="nosuid,nodev" - remount_secure -} - -_usr() { - ## TODO: new, test - mount_folder="$NEWROOT/usr" - intended_mount_options="nodev" - remount_secure -} - -_home() { - mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_root() { - ## TODO: new, test - mount_folder="$NEWROOT/root" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_srv() { - ## TODO: new, test - mount_folder="$NEWROOT/srv" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_media() { - ## TODO: new, test - mount_folder="$NEWROOT/media" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_mnt() { - ## TODO: new, test - mount_folder="$NEWROOT/mnt" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_opt() { - ## TODO: new, test - mount_folder="$NEWROOT/opt" - ## Allow /opt exec as usually optional binaries are placed there such as Firefox - ## when manually installed from tarball. - intended_mount_options="nosuid,nodev" - remount_secure -} - -_etc() { - ## TODO: new, test - ## /etc cannot be noexec because various executables are there. To find, run: - ## sudo find /etc -executable - mount_folder="$NEWROOT/etc" - intended_mount_options="nosuid,nodev" - remount_secure -} - -end() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the END." - #$output_command "$(findmnt --list)" - - $output_command "" - $output_command "INFO: exit_code: $exit_code" - $output_command "$0: INFO: END" - exit $exit_code -} - -main() { - init - parse_options "$@" - preparation - - _boot - _boot_efi - _run - _dev - _dev_shm - _tmp - _var_tmp - _var_log - _var - _usr - _home - _root - _srv - _media - _mnt - _opt - _etc - - end -} - -## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service -#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc - -main "$@" 
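Review bot: Removing remount-secure drops the nosuid,nodev and optional noexec (re)mounts of /boot, /boot/efi, /run, /dev, /dev/shm, /sys, /tmp, /var/tmp, /var/log, /var, /usr, /home, /root, /srv, /media, /mnt, /opt and /etc with no replacement visible in this diff; the commit message should state why and what, if anything, now sets those mount options, since the script documents them as a noexec/nosuid defence. Its dracut module is also deleted below but already lived under `modules.d-disabled`, so the practical loss is the systemd and manual invocation (`remount-secure 1|2|3`) and the `remountsecure=` kernel parameter the hook consumed; the marker files under `/run/remount-secure/` are tmpfs-backed and vanish on reboot, so no on-disk cleanup is needed, but the linked https://www.kicksecure.com/wiki/Dev/remount-secure page should be updated.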
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf deleted file mode 100644 index 3d0a483..0000000 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[connection] -#ipv6.ip6-privacy=2 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf deleted file mode 100644 index 8088591..0000000 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[device-mac-randomization] -#wifi.scan-rand-mac-address=yes - -#[connection-mac-randomization] -#ethernet.cloned-mac-address=random -#wifi.cloned-mac-address=random diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh deleted file mode 100755 index 8917091..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ /dev/null 
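Review bot: Both NetworkManager drop-ins being removed contain only commented-out settings (`#ipv6.ip6-privacy=2`, `#wifi.scan-rand-mac-address=yes`, `#ethernet.cloned-mac-address=random`, ...), so the deletion changes no runtime behaviour; what is lost is the recorded rationale (RFC 4941 plus the linked PR 145 and issue 184 explaining that MAC randomisation broke root-server and VirtualBox DHCP). Consider moving that note into the changelog or README so the next person who tries to enable MAC randomisation or IPv6 privacy extensions finds it. Minor: the comment block in `80_randomize-mac.conf` is a copy of the one in `80_ipv6-privacy.conf` and talks about disabling IPv6 Privacy Extensions, which does not describe the MAC settings it sits above.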
@@ -1,44 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -# called by dracut -check() { - ## For debugging only. - ## Saving space in initial ramdisk. - #require_binaries id || return 1 - #require_binaries env || return 1 - - require_binaries findmnt || return 1 - require_binaries touch || return 1 - require_binaries grep || return 1 - require_binaries mount || return 1 - require_binaries remount-secure || return 1 - return 0 -} - -# called by dracut -depends() { - return 0 -} - -# called by dracut -install() { - ## For debugging only. - ## Saving space in initial ramdisk. - #inst_multiple id - #inst_multiple env - - inst_multiple findmnt - inst_multiple touch - inst_multiple grep - inst_multiple mount - inst_multiple remount-secure - inst_hook cleanup 90 "$moddir/remount-secure.sh" -} - -# called by dracut -installkernel() { - return 0 -} diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh deleted file mode 100755 index 0e0a0c1..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This script is intended to remount specified mount points with more secure -## options based on kernel command line parameters. - -remount_hook() { - local remountsecure_action - ## getarg returns the last parameter only. - ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. - remountsecure_action=$(getarg remountsecure) - - if ! remount-secure $remountsecure_action; then - warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." - return 1 - fi - info "$0: INFO: 'remount-secure $remountsecure_action' success." - return 0 -} - -remount_hook 
diff --git a/usr/lib/issue.d/20_security-misc.issue b/usr/lib/issue.d/20_security-misc.issue deleted file mode 100644 index d03f39b..0000000 --- a/usr/lib/issue.d/20_security-misc.issue +++ /dev/null @@ -1,2 +0,0 @@ -By continuing, you acknowledge and give consent that the owner of this system has a right to keep a log of all activity. -Unauthorized access is strictly prohibited and may result in legal action. Do not proceed! diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 6ee13ca..072c9b0 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## https://www.kicksecure.com/wiki/Dev/Entropy +## https://www.whonix.org/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf deleted file mode 100644 index f1e873f..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/bin/bwrap exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf deleted file mode 100644 index bdb2b2a..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ /dev/null 
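Review bot: The `30_security-misc.conf` hunk replaces `Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC` with `2019 - 2023 ENCRYPTED SUPPORT LP` and the kicksecure.com wiki link with the older whonix.org one; going backwards in year, legal entity and domain is what a reverse-applied or inverted diff looks like, so please confirm the diff direction before merging, especially as the rest of the change deletes the 2025-dated hardening scripts and adds a 2023-dated wrapper. Separately, deleting `20_security-misc.issue` removes the pre-login notice that activity is logged, which deployments may rely on as a consent banner; call that out in the changelog. The bubblewrap whitelist removal is only consistent because permission-hardener itself is deleted earlier in this diff; state that dependency in the commit message.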
@@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID -## sandbox for most use cases, and while the SUID sandbox is still technically -## supported [1], it's also virtually unused [2]. Chromium still works fine -## when it is stripped of its SUID bit and rendered no longer executable, -## and opening `chrome://sandbox` while in this state shows that sandboxing is -## still working perfectly fine. -## -## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md -## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md -#chrome-sandbox matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf deleted file mode 100644 index 4b455ae..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ /dev/null @@ -1,16 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Needed for D-Bus system activation to work. -## https://dbus.freedesktop.org/doc/system-activation.txt -## -## May be vital for desktop features to work normally. -## -## Appears to have been designed with security in mind and can only be called -## by root or a user in the `messagebus` group (which currently has one member, -## namely user `messagebus`). -dbus-daemon-launch-helper matchwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf deleted file mode 100644 index 084510c..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Critical component of FUSE (Filesystem in USErspace) -## -## Used by things such as: -## - AppImages -## - such as electrum Bitcoin wallet -## - Docker -## If not SUID, unprivileged users will be unable to use FUSE any longer. -## -## https://forums.whonix.org/t/disable-suid-binaries/7706/57 -/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf deleted file mode 100644 index acf20b6..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -libhardened_malloc.so matchwhitelist -libhardened_malloc-light.so matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf deleted file mode 100644 index b787e5f..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ /dev/null 
@@ -1,22 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Used by the pam_tmpdir module to create a secure temporary directory for the -## user that is logging in. -## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html -## Apparently specific to Debian, there isn't actually any Git repo with this -## code in it, it's just a "floating" package in the Debian archive. Written by -## the same person who maintains the package. Almost certainly cannot be -## disabled without causing serious problems, but may be worth auditing. -## (Worthy of note, it doesn't seem this program takes any user input, but -## relies solely on the calling user's UID and GID, though this could require -## further review.) -## -## Without this, Xfce fails to start with a dbus-launch error. -## -## TODO: audit pam-tmpdir-helper -pam-tmpdir-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf deleted file mode 100644 index de20400..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/pkexec exactwhitelist -/usr/bin/pkexec.security-misc-orig exactwhitelist - -## Required for PolicyKit (Polkit) to function. -## -## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# -## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 -## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 -## -## Changing permissions here may break more than just normal privilege escalation. -## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, -## however even that might not be safe. -## -## matches both: -## - /usr/lib/policykit-1/polkit-agent-helper-1 -## - /lib/policykit-1/polkit-agent-helper-1 -## -## user-sysmaint-split hardens this further. -polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf deleted file mode 100644 index bf76069..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -postqueue matchwhitelist -postdrop matchwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf deleted file mode 100644 index 40f9b59..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -## -## Historic Qubes upstream security issue: -## qfile-unpacker allows unprivileged users in VMs to gain root privileges -## https://github.com/QubesOS/qubes-issues/issues/8633 -## -## matches both: -## - /usr/lib/qubes/qfile-unpacker whitelist -## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. -## - Stripping SUID from this does *not* break file copying. -## - TODO: further reserach required on its purpose -## - /usr/bin/qfile-unpacker -## - Appears to be an integral part of file transfer between qubes, stripping -## SUID from this in an AppVM results in that AppVM being unable to receive -## files any longer. (It can still send files to other qubes though.) -qfile-unpacker matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf deleted file mode 100644 index 62d3198..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ /dev/null 
@@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -/utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf deleted file mode 100644 index 5b79059..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf deleted file mode 100644 index 8688dfe..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Used only for SSH host-based authentication -## https://linux.die.net/man/8/ssh-keysign -## Needed to allow access to the machine's host key for use in the -## authentication process. This is a non-default method of authenticating to -## SSH, and is likely rarely used, thus this should be safe to disable. -#ssh-agent matchwhitelist -#ssh-keysign matchwhitelist -#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf deleted file mode 100644 index e15b265..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/sudo exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf deleted file mode 100644 index 76c2eee..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ /dev/null 
@@ -1,15 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -/usr/lib/virtualbox/ matchwhitelist -VirtualBoxVM matchwhitelist -VBoxSDL matchwhitelist -VBoxNetNAT matchwhitelist -VBoxNetDHCP matchwhitelist -VBoxHeadless matchwhitelist -VBoxNetAdpCtl matchwhitelist diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf deleted file mode 100644 index 0ef99da..0000000 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ /dev/null @@ -1,26 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## NOTE: -## This configuration is in a dedicated file because the ram-wipe package -## requires kexec. However, ram-wipe cannot ship a config file -## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. -## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', -## it cannot be undone without a reboot. This is an upstream Linux security feature. -## Instead, ram-wipe will config-package-dev 'hide' this file. - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. -## -kernel.kexec_load_disabled=1 
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf deleted file mode 100644 index d8febf9..0000000 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -kernel.printk=3 3 3 3 - -## For increased log verbosity: -## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, -## B) Alternatively, install the debug-misc package to undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf deleted file mode 100644 index 3b2e38c..0000000 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ /dev/null 
@@ -1,574 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## NOTE: -## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. -## https://github.com/Kicksecure/security-misc/pull/135 - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is divided into 5 sections: -## 1. Kernel Space -## 2. User Space -## 3. Core Dumps -## 4. Swap Space -## 5. Networking - -## For detailed explanations of most of the selected commands, refer to: -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html -## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -## https://kspp.github.io/Recommended_Settings#sysctls -## https://wiki.archlinux.org/title/Security#Kernel_hardening - -## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. -## Kernel pointers expose specific locations in kernel memory. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.kptr_restrict=2 - -## Restrict access to the kernel log buffer to users with CAP_SYSLOG. -## Kernel logs often contain sensitive information such as kernel pointers. 
-## -## KSPP=yes -## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. -## -kernel.dmesg_restrict=1 - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -#kernel.printk=3 3 3 3 - -## Restrict eBPF access to CAP_BPF. -## Disables unprivileged calls to bpf() without recovery. -## -## https://en.wikipedia.org/wiki/EBPF#Security -## https://lwn.net/Articles/660331/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.unprivileged_bpf_disabled=1 - -## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. -## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. -## -## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html -## https://lkml.org/lkml/2019/4/15/890 -## -## KSPP=yes -## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. -## -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. -## Reduces the likelihood of use-after-free exploits from heap sprays. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 -## https://duasynt.com/blog/linux-kernel-heap-spray -## -## KSPP=yes -## KSPP sets the sysctl. -## -vm.unprivileged_userfaultfd=0 - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. -## -#kernel.kexec_load_disabled=1 - -## Disable the SysRq key to prevent leakage of kernel information. 
-## The Secure Attention Key (SAK) can no longer be utilized. -## -## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html -## https://www.kicksecure.com/wiki/SysRq -## https://github.com/xairy/unlockdown -## -## KSPP=yes -## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. -## -kernel.sysrq=0 - -## Disable user namespaces entirely. -## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Disabling entirely will reduce compatibility with some AppArmor profiles. -## Disabling entirely is known to break the UPower systemd service. -## Not recommended due to well-known breakages across numerous software packages. -## -## https://lwn.net/Articles/673597/ -## https://madaidans-insecurities.github.io/linux.html#kernel -## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers -## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/Kicksecure/security-misc/pull/263 -## -## KSPP=no -## KSPP sets the sysctl. -## -#user.max_user_namespaces=0 - -## Restrict user namespaces to users with CAP_SYS_ADMIN. -## See the user.max_user_namespaces setting for more details. -## This is a Debian-specific kernel feature, not a Linux mainline setting. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. -## Not recommended due to widespread breakages across many software packages. 
-## -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 -## https://github.com/Kicksecure/security-misc/issues/274 -## -#kernel.unprivileged_userns_clone=0 - -## Restricts kernel profiling to users with CAP_PERFMON. -## The performance events system should not be accessible by unprivileged users. -## Other distributions such as Ubuntu and Fedora may permit further restricting. -## -## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users -## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.perf_event_paranoid=3 - -## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Panics may be due to false-positives such as bad drivers. -## Oopses are serious but non-fatal errors. -## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. -## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## Forcing immediate system reboots on any single kernel panic is an extreme option. 
-## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://en.wikipedia.org/wiki/Kdump_(Linux) -## https://lwn.net/Articles/876209/ -## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=partial -## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -## TODO: Debian 13 Trixie -## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#kernel.panic=-1 -#kernel.panic_on_oops=1 -#kernel.panic_on_warn=1 -#kernel.oops_limit=1 -#kernel.warn_limit=1 - -## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -## Can lead to privilege escalation by pushing characters into a controlling TTY. -## Will break out-dated screen readers that continue to rely on this legacy functionality. -## -## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. -## -## TODO: Debian 13 Trixie -## This is disabled by default when using Linux kernel >= 6.2. -## -dev.tty.legacy_tiocsti=0 - -## Disable asynchronous I/O for all processes. -## Leading cause of numerous kernel exploits. -## Disabling will reduce the read/write performance of storage devices. 
-## -## https://en.wikipedia.org/wiki/Io_uring#Security -## https://lwn.net/Articles/902466/ -## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html -## https://github.com/moby/moby/pull/46762 -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). -## -kernel.io_uring_disabled=2 - -## 2. User Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace - -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. -## Limit ptrace() as it enables programs to inspect and modify other active processes. -## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. -## -## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope -## https://en.wikipedia.org/wiki/Ptrace -## https://grapheneos.org/features#attack-surface-reduction -## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 -## https://github.com/netblue30/firejail/issues/2860 -## -## KSPP=partial -## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. -## -## It is possible to harden further by disabling ptrace() for all users, see documentation. -## https://github.com/Kicksecure/security-misc/pull/242 -## -kernel.yama.ptrace_scope=2 - -## Maximize bits of entropy for improved effectiveness of mmap ASLR. -## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). -## Both explicit sysctl are made redundant due to automation. -## Do NOT enable either sysctl - displaying only for clarity. -## -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## -## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. 
-## -#vm.mmap_rnd_bits=32 -#vm.mmap_rnd_compat_bits=16 - -## Prevent hardlink creation by users who do not have read/write/ownership of source file. -## Only allow symlinks to be followed when outside of world-writable sticky directories. -## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. -## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. -## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. -## -## https://wiki.archlinux.org/title/Security#File_systems -## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp -## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_hardlinks=1 -fs.protected_symlinks=1 - -## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. -## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. -## Prevents unintentional writes to attacker-controlled files. -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_fifos=2 -fs.protected_regular=2 - -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses. -## Start location of PIE-linked binaries is randomized. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.randomize_va_space=2 - -## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth. -## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics. -## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages. 
-## Some legacy applications may still depend on low virtual memory addresses for proper functionality. -## -## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html -## https://access.redhat.com/articles/20484 -## https://wiki.debian.org/mmap_min_addr -## -## KSPP=yes -## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536. -## -vm.mmap_min_addr=65536 - -## Increase the maximum number of memory map areas a process is permitted to utilize. -## Addresses performance, crash, and start-up issues for some memory-intensive applications. -## Required to accommodate the very large number of guard pages created by hardened_malloc. -## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. -## -## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ -## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems -## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf -## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure -## -vm.max_map_count=1048576 - -## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. -## Prevents registering interpreters for various binary formats based on a magic number or their file extension. -## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. -## These interpreters will then run with root permissions when a setuid binary is owned by root. -## Can stop maliciously crafted files with specific file extensions from automatically executing. -## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html -## https://salsa.debian.org/debian/binfmt-support -## https://access.redhat.com/solutions/1985633 -## https://en.wikipedia.org/wiki/Binfmt_misc -## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil -## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al -## https://github.com/Kicksecure/security-misc/pull/249 -## -## KSPP=no -## KSPP does not set CONFIG_BINFMT_MISC. -## -## This is disabled by default due to file/folder permission issues: -## https://github.com/Kicksecure/security-misc/issues/267 -## -#fs.binfmt_misc.status=0 - -## 3. Core Dumps: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps - -## Disable core dump files by preventing any pattern names. -## This setting may be overwritten by systemd and is not comprehensive. -## Core dumps are also disabled in security-misc via other means. -## -## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps -## -kernel.core_pattern=|/bin/false - -## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. -## Any process which has changed privilege levels or is execute-only will not be dumped. -## -## KSPP=yes -## KSPP sets the sysctl. -## -fs.suid_dumpable=0 - -## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. -## If core dumps are permitted, only useful if PID listings are hidden from non-root users. -## -kernel.core_uses_pid=1 - -## 4. Swap Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap - -## Limit the copying of memory to the swap device only if absolutely necessary. -## Minimizes the likelihood of writing potentially sensitive contents to disk. 
-## Not recommended to set to zero since this disables periodic write behavior. -## -## https://en.wikipedia.org/wiki/Memory_paging#Linux -## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## -vm.swappiness=1 - -## 5. Networking: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network -## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening - -## Enable hardening of the BPF JIT compiler for all users. -## Provides some mitigation against JIT spraying. -## -## https://en.wikipedia.org/wiki/JIT_spraying -## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf -## https://lwn.net/Articles/686098/ -## https://lwn.net/Articles/525609/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -net.core.bpf_jit_harden=2 - -## Enable TCP SYN cookie protection to assist against SYN flood attacks. -## -## https://en.wikipedia.org/wiki/SYN_flood -## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html -## -## KSPP=yes -## KSPP sets CONFIG_SYN_COOKIES=y. -## -net.ipv4.tcp_syncookies=1 - -## Protect against TCP time-wait assassination hazards. -## Drops RST packets for sockets in the time-wait state. -## -## https://tools.ietf.org/html/rfc1337 -## -net.ipv4.tcp_rfc1337=1 - -## Enable reverse path filtering (source validation) of packets received from all interfaces. -## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. -## The second "default" command fixes a bug in the existing kernel implementation. 
-## -## https://en.wikipedia.org/wiki/IP_address_spoofing -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -## https://seclists.org/oss-sec/2019/q4/122 -## https://github.com/Kicksecure/security-misc/pull/261 -## -net.ipv4.conf.*.rp_filter=1 -net.ipv4.conf.default.rp_filter=1 - -## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimizes information disclosure. -## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). -## Approving gateways requires the managing of a default gateway list. -## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html -## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked -## https://github.com/Kicksecure/security-misc/pull/248 -## -net.ipv4.conf.*.accept_redirects=0 -net.ipv4.conf.*.send_redirects=0 -net.ipv6.conf.*.accept_redirects=0 -#net.ipv4.conf.*.secure_redirects=1 - -## Deny sending and receiving RFC1620 shared media redirects. -## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. -## Stops the kernel from sending ICMP redirects to specific networks from the connected network. -## This variable overrides the use secure_redirects. 
-## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://datatracker.ietf.org/doc/html/rfc1620 -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## -net.ipv4.conf.*.shared_media=0 - -## Enable ARP (Address Resolution Protocol) filtering. -## Prevents the Linux kernel from handling the ARP table globally. -## Can mitigate some ARP spoofing and ARP cache poisoning attacks. -## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## -net.ipv4.conf.*.arp_filter=1 - -## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. -## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium -## https://github.com/mullvad/mullvadvpn-app/pull/7141 -## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf -## -net.ipv4.conf.*.arp_ignore=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. 
-## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -net.ipv4.conf.*.drop_gratuitous_arp=1 - -## Ignore ICMP echo requests. -## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. -## -## https://en.wikipedia.org/wiki/Smurf_attack -## -net.ipv4.icmp_echo_ignore_all=1 -net.ipv6.icmp.echo_ignore_all=1 - -## Ignore bogus ICMP error responses. -## Mitigates attacks designed to fill log files with useless error messages. -## -net.ipv4.icmp_ignore_bogus_error_responses=1 - -## Disable source routing which allows users to redirect network traffic. -## Prevents man-in-the-middle attacks in which the traffic is redirected. -## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing -## -net.ipv4.conf.*.accept_source_route=0 -net.ipv6.conf.*.accept_source_route=0 - -## Do not accept IPv6 router advertisements and solicitations. -## -net.ipv6.conf.*.accept_ra=0 - -## Disable SACK and DSACK. -## Select acknowledgements (SACKs) are a known common vector of exploitation. -## Duplicate select acknowledgements (DSACKs) are an extension of SACK. -## Disabling can cause severe connectivity issues on networks with high latency or packet loss. -## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. 
-## -## https://datatracker.ietf.org/doc/html/rfc2018 -## https://datatracker.ietf.org/doc/html/rfc2883 -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md -## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 -## -## SACK and DSACK are currently enabled. -## -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 - -## Disable TCP timestamps to limit device fingerprinting via system time. -## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. -## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. -## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. -## -## https://datatracker.ietf.org/doc/html/rfc1323 -## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 -## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## -net.ipv4.tcp_timestamps=0 - -## Enable logging of packets with impossible source or destination addresses. -## Martian and unroutable packets may be used for malicious purposes. -## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. -## Useful for troubleshooting and diagnostics but not necessary by default. -## Known to cause performance issues, especially on systems with multiple interfaces. -## -## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets -## https://github.com/Kicksecure/security-misc/issues/214 -## -## The logging of martian packets is currently disabled. 
-## -#net.ipv4.conf.*.log_martians=1 - -## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. -## The temporary/privacy address is used as the source for all outgoing traffic. -## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. -## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. -## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. -## -## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. -## -#net.ipv6.conf.*.use_tempaddr=2 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf deleted file mode 100644 index 2d02bc9..0000000 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Coredump] -Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf deleted file mode 100644 index 5de38c4..0000000 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[Network] -#IPv6PrivacyExtensions=kernel diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf deleted file mode 100644 index 9e513c6..0000000 --- a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[PStore] -Storage=none diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service deleted file mode 100644 index 8efea40..0000000 --- a/usr/lib/systemd/system/harden-module-loading.service +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Disable the loading of additional modules after systemd-modules-load.service -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -Requires=systemd-modules-load.service -After=local-fs.target -After=systemd-modules-load.service - -# This functionality is implemented with this and not directly in the sysctl config is -# to allow systemd-modules-load.service to load the modules with no problem but -# to disallow anyone else do the same after the system boots up. - -[Service] -Type=oneshot -ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading - -[Install] -WantedBy=sysinit.target 
diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service deleted file mode 100644 index 6b10ddc..0000000 --- a/usr/lib/systemd/system/panic-on-oops.service +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!panic-on-oops=0 - -After=multi-user.target -After=graphical.target -After=getty.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/panic-on-oops - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service deleted file mode 100644 index 109c9fd..0000000 --- a/usr/lib/systemd/system/permission-hardener.service +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening) -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=permission-hardener enable - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service deleted file mode 100644 index 2489d34..0000000 --- a/usr/lib/systemd/system/remount-secure.service +++ /dev/null 
@@ -1,32 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!remountsecure=0 - -DefaultDependencies=no - -Before=sysinit-post.target -Before=basic.target -Before=multi-user.target -Before=graphical.target -Before=getty-pre.target -Before=network-pre.target - -After=local-fs.target -After=sysinit.target -After=qubes-sysinit.service - -Requires=local-fs.target -Requires=sysinit.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=remount-secure 3 - -[Install] -WantedBy=sysinit-post.target diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target deleted file mode 100644 index c00e91e..0000000 --- a/usr/lib/systemd/system/sysinit-post.target +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=sys-init.target by security-misc - -After=sysinit.target -Before=basic.target -Requires=sysinit.target - -[Install] -WantedBy=basic.target diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf deleted file mode 100644 index 3a9129d..0000000 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Service] -SupplementaryGroups=sysfs diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 9cbfd8e..39afd9c 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update 
@@ -1,44 +1,30 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## TODO: Move this to helper-scripts. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -command -v start-stop-daemon >/dev/null -command -v timeout >/dev/null -command -v apt-get >/dev/null - -export LC_ALL=C -pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" - sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null + if [ "$lastpid" = "" ]; then + exit 143 + fi + ps -p "$lastpid" >/dev/null 2>&1 + if [ ! "$?" = "0" ]; then + ## Already terminated. + exit 143 + fi + kill -s sigterm "$lastpid" exit 143 } -## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - trap "sigterm_trap" SIGTERM SIGINT -[[ -v timeout_after ]] || timeout_after="600" -[[ -v kill_after ]] || kill_after="10" +[ -n "$timeout_after" ] || timeout_after="600" +[ -n "$kill_after" ] || kill_after="10" -start-stop-daemon \ - --make-pidfile \ - --pidfile "$pidfile" \ - --exec /usr/bin/timeout \ - --start \ - -- \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & +timeout \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & lastpid="$!" wait "$lastpid" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index a5b7709..d71e680 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 56ecffc..73f7d40 100755 
--- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading deleted file mode 100755 index 80d3190..0000000 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e - -sysctl -w kernel.modules_disabled=1 - -true "The loading of new modules to the kernel has been disabled by security-misc." diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 3bcc2cd..9231d85 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index acf24ef..b55441f 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -1,42 +1,24 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail +set -e + +sysfs_whitelist=1 +cpuinfo_whitelist=1 + +## https://www.whonix.org/wiki/Security-misc#selinux +selinux=0 + shopt -s nullglob -run_cmd() { - echo "INFO: normal executing : $@" - "$@" -} - -run_cmd_whitelist() { - echo "INFO: whitelist executing: $@" - "$@" -} - -echo "$0: INFO: START" - -default_variables_set() { - sysfs_whitelist=1 - cpuinfo_whitelist=1 - sysfs=1 - ## https://www.kicksecure.com/wiki/Security-misc#selinux - selinux=0 -} - -parse_configuration() { - ## Allows for disabling the whitelist. - local i - for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do - bash -n "${i}" - source "${i}" - done -} +## Allows for disabling the whitelist. +for i in /etc/hide-hardware-info.d/*.conf +do + bash -n "${i}" + source "${i}" +done create_whitelist() { if [ "${1}" = "sysfs" ]; then @@ -52,17 +34,14 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true + chgrp -fR "${1}" "${whitelist_path}" || true - run_cmd_whitelist chmod o-rwx "${whitelist_path}" + chmod o-rwx "${whitelist_path}" else echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." fi } -default_variables_set -parse_configuration - ## sysfs and debugfs expose a lot of information ## that should not be accessible by an unprivileged ## user which includes hardware info, debug info and 
@@ -70,27 +49,27 @@ parse_configuration ## and /proc/scsi to the root user only. This hides ## many hardware identifiers from ordinary users ## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys +do if [ -e "${i}" ]; then if [ "${i}" = "/sys" ]; then - if [ "${sysfs}" = "1" ]; then - ## Whitelist for /sys. - if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." - run_cmd chmod og-rwx /sys - fi + ## Whitelist for /sys. + if [ "${sysfs_whitelist}" = "1" ]; then + create_whitelist sysfs + else + chmod og-rwx /sys + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." fi elif [ "${i}" = "/proc/cpuinfo" ]; then + ## Whitelist for /proc/cpuinfo. if [ "${cpuinfo_whitelist}" = "1" ]; then create_whitelist cpuinfo else - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." - run_cmd chmod og-rwx /proc/cpuinfo + chmod og-rwx /proc/cpuinfo + echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else - run_cmd chmod og-rwx "${i}" + chmod og-rwx "${i}" fi else ## /proc/scsi doesn't exist on Debian so errors 
@@ -101,38 +80,29 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do fi done - -if [ "${sysfs}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* ; do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - run_cmd chmod o-rwx "${i}" || true - else - run_cmd chmod og-rwx "${i}" || true - fi - done - - ## polkit needs stat access to /sys/fs/cgroup - ## to function properly - run_cmd chmod o+rx /sys /sys/fs - - ## on SELinux systems, at least /sys/fs/selinux - ## must be visible to unprivileged users, else - ## SELinux userspace utilities will not function - ## properly - if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." - fi +## on SELinux systems, at least /sys/fs/selinux +## must be visible to unprivileged users, else +## SELinux userspace utilities will not function +## properly +if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" + if [ "${selinux}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* + do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + chmod o-rwx "${i}" || true + else + chmod og-rwx "${i}" || true + fi + done + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. 
Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." fi fi - -echo "$0: INFO: END" diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 25745c2..17482bf 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 35c2dd4..8e2a575 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -1,23 +1,23 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -passwd_bin="$(type -P -- "passwd")" +passwd_bin="$(type -P "passwd")" if ! test -x "$passwd_bin" ; then echo "\ $0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 +See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 ## Identifiable exit codes in case stdout / stderr is not logged in journal. exit 2 fi -if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then +if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 3 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 736e44f..de6a3e0 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable debug log, run: @@ -21,9 +21,6 @@ true "$0: START PHASE 2" set -o pipefail -## Named constants. -pam_faillock_state_dir="/var/lib/security-misc/faillock" - ## Debugging. who_ami="$(whoami)" true "$0: who_ami: $who_ami" 
@@ -35,27 +32,27 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" +grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then + if ! echo "$grep_result" | grep -q "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then console_allowed=true fi - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then + if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then console_allowed=true fi if [ ! "$console_allowed" = "true" ]; then - printf '%s\n' "\ + echo "\ $0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) 
@@ -72,33 +69,15 @@ https://www.kicksecure.com/wiki/root#console fi fi -if [ "$PAM_USER" = 'sysmaint' ]; then - sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true - sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" - if [ "${sysmaint_lock_info}" = 'L' ]; then - printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" - fi -fi - -if test -f /proc/cmdline; then - kernel_cmdline="$(cat -- /proc/cmdline)" -fi - -if [ "$PAM_USER" != 'sysmaint' ]; then - if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" - fi -fi - ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then -# grep_result="$(grep -- "^[^#]" /etc/securetty)" +# grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# printf '%s\n' "\ +# echo "\ # $0: ERROR: Root login is disabled. # ERROR: This is because /etc/securetty is empty. # See also: 
@@ -109,23 +88,21 @@ fi # fi # fi -## under account "user" +## as user "user" ## /usr/sbin/faillock -u user ## faillock: Error opening /var/log/tallylog for update: Permission denied ## /usr/sbin/faillock: Authentication error ## -## xscreensaver runs under account "user", therefore pam_faillock cannot function. +## xscreensaver runs as user "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## -## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -## -## end-of-options ("--") unsupported by faillock. -if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi @@ -146,7 +123,7 @@ fi ## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] ## Get first line. -#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" +#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" while read -t 10 -r pam_faillock_output_first_line ; do break done <<< "$pam_faillock_output" 
@@ -155,30 +132,24 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" +user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" ## example user_name: ## user ## root -pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" +pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 2 ## example pam_faillock_output_count: ## 4 -## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, +## Do not count the first two informational textual output lines +## (starting with "user:" and "When"). failed_login_counter=$(( pam_faillock_output_count - 2 )) ## example failed_login_counter: ## 2 -## Ensuring failed_login_counter is not set to a negative value. -## https://github.com/Kicksecure/security-misc/pull/305 -if [ "$failed_login_counter" -le "0" ]; then - true "$0: WARNING: Failed login counter is negative. Resetting to 0." - failed_login_counter=0 -fi - if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 @@ -188,14 +159,14 @@ fi deny=3 if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") + deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" ## Example: #deny=50 fi if [[ "$deny" == *[!0-9]* ]]; then - printf '%s\n' "\ + echo "\ $0: ERROR: deny is not numeric. deny: '$deny' ERROR: Please report this bug. " >&2 
@@ -205,12 +176,12 @@ fi remaining_attempts="$(( $deny - $failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then - printf '%s\n' "\ + echo "\ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER +faillock --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. @@ -220,14 +191,14 @@ https://www.kicksecure.com/wiki/root#unlock exit 0 fi -printf '%s\n' "\ +echo "\ $0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. Login will be blocked after $deny attempts. You have $remaining_attempts more attempts before unlock procedure is required. " >&2 if [ "$PAM_SERVICE" = "su" ]; then - printf '%s\n' "\ + echo "\ $0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. " >&2 fi diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 433dca8..3fcf10f 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 568f037..11f56d4 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su deleted file mode 100755 index 604510f..0000000 --- a/usr/libexec/security-misc/pam_only_if_su +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Similar to: -## /usr/libexec/security-misc/pam_only_if_login - -set -x - -true "PAM_SERVICE: $PAM_SERVICE" - -if [ "$PAM_SERVICE" = "su" ]; then - exit 1 -else - exit 0 -fi diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 749eb3c..20365df 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e @@ -12,12 +12,7 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses and warnings. This prevents the -## kernel from continuing to run a flawed processes. Many kernel -## exploits will also cause an oops, these settings will make the -## kernel kill the offending processes. -#sysctl kernel.panic=-1 +## Makes the kernel panic on oopses. This prevents the kernel +## from continuing to run a flawed processes. Many kernel exploits +## will also cause an oops which this will make the kernel kill. sysctl kernel.panic_on_oops=1 -sysctl kernel.panic_on_warn=1 -#sysctl kernel.oops_limit=1 -#sysctl kernel.warn_limit=1 
diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening new file mode 100755 index 0000000..16df8d0 --- /dev/null +++ b/usr/libexec/security-misc/permission-hardening 
@@ -0,0 +1,487 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## To view previous modes and how these were changed: +## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride + +## To undo: +## sudo /usr/libexec/security-misc/permission-hardening-undo + +#set -x +set -e +set -o pipefail + +exit_code=0 + +mkdir -p /var/lib/permission-hardening/existing_mode +mkdir -p /var/lib/permission-hardening/new_mode +dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" + +echo_wrapper_ignore() { + echo "run: $@" + "$@" 2>/dev/null || true +} + +echo_wrapper_silent_ignore() { + #echo "run: $@" + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + echo "run: $@" + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=203 ; \ + echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ + }; +} + +echo_wrapper_silent_audit() { + #echo "run (debugging): $@" + return_code=0 + "$@" || \ + { \ + return_code="$?" ; \ + exit_code=204 ; \ + echo "ERROR: above command '$@' failed with exit code '$return_code'! 
calling function name: '${FUNCNAME[1]}'" >&2 ; \ + }; +} + +sanity_tests() { + echo_wrapper_silent_audit which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null +} + +add_nosuid_statoverride_entry() { + local fso_to_process + fso_to_process="$fso" + local should_be_counter + should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true + local counter_actual + counter_actual=0 + + local line + while read -r line; do + true "line: $line" + counter_actual="$(( counter_actual + 1 ))" + + local arr file_name existing_mode existing_owner existing_group + arr=($line) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: existing_group is empty. line: '$line'" >&2 + continue + fi + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. 
+ + if test -h "$file_name" ; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + true "skip symlink: $file_name" + continue + fi + + if test -d "$file_name" ; then + true "skip directory: $file_name" + continue + fi + + local setuid setuid_output setsgid setsgid_output + setuid="" + setuid_output="" + if test -u "$file_name" ; then + setuid=true + setuid_output="set-user-id" + fi + setsgid="" + setsgid_output="" + if test -g "$file_name" ; then + setsgid=true + setsgid_output="set-group-id" + fi + + local setuid_or_setsgid + setuid_or_setsgid="" + if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then + setuid_or_setsgid=true + fi + if [ "$setuid_or_setsgid" = "" ]; then + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' fail closed rather + ## than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in $exact_white_list ; do + if [ "$file_name" = "$white_list_entry" ]; then + is_exact_whitelisted="true" + ## Stop looping through the whitelist. + break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in $match_white_list ; do + if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then + is_match_whitelisted="true" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in $disable_white_list ; do + if echo "$file_name" | grep -q "$disablematch_list_entry" ; then + is_disable_whitelisted="true" + ## Stop looping through the disablewhitelist. 
+ break + fi + done + + if [ "$whitelists_disable_all" = "true" ]; then + true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + elif [ "$is_disable_whitelisted" = "true" ]; then + echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + else + if [ "$is_exact_whitelisted" = "true" ]; then + echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + continue + fi + if [ "$is_match_whitelisted" = "true" ]; then + echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" + continue + fi + fi + + echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this point. + ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. + + ## Remove from real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" + + ## Remove from separate database. 
+ echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" + + ## Not using --update as this is only for recording. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" + + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) + + ## Sanity test. + if [ ! "$should_be_counter" = "$counter_actual" ]; then + echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" + echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" + exit_code=202 + echo "ERROR: counter does not check out." >&2 + fi +} + +set_file_perms() { + echo "INFO: START parsing config_file: '$config_file'" + local line + while read -r line || [[ -n "${line}" ]]; do + if [ "$line" = "" ]; then + continue + fi + + if [[ "$line" =~ ^# ]]; then + continue + fi + + if [[ "$line" =~ [0-9a-zA-Z/] ]]; then + true "OK line contains only white listed characters." + else + exit_code=200 + echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" + fi + + if [ "$line" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + echo "INFO: whitelists_disable_all=true - all whitelists disabled." + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! 
read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then + exit_code=201 + echo "ERROR: cannot parse. line: '$line'" >&2 + ## Debugging. + du -hs /tmp || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "$exit_code" + fi + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + if [ "$mode_from_config" = "disablewhitelist" ]; then + ## TODO: test/add white spaces inside file name support + disable_white_list+="$fso " + continue + fi + + if [ "$mode_from_config" = "exactwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + exact_white_list+="$fso " + continue + fi + + if [ "$mode_from_config" = "matchwhitelist" ]; then + ## TODO: test/add white spaces inside file name support + match_white_list+="$fso " + continue + fi + + if [ ! -e "$fso" ]; then + echo "INFO: fso: '$fso' - does not exist. This is likely normal." + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if [ "$mode_from_config" = "nosuid" ]; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if [ "$string_length_of_mode_from_config" -gt "4" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + if [ "$string_length_of_mode_from_config" -lt "3" ]; then + echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 + continue + fi + + if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then + echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 + continue + fi + + if ! 
echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then + echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 + continue + fi + + local mode_for_grep + mode_for_grep="$mode_from_config" + first_character_of_mode_from_config="${mode_from_config::1}" + if [ "$first_character_of_mode_from_config" = "0" ]; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + local stat_output + stat_output="" + if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 + continue + fi + + local arr file_name existing_mode existing_owner existing_group + arr=($stat_output) + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if [ "$arr" = "" ]; then + echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$file_name" = "" ]; then + echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_mode" = "" ]; then + echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_owner" = "" ]; then + echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + if [ "$existing_group" = "" ]; then + echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 + continue + fi + + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? 
; true; }; + + if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then + true "There is an fso entry. Check if owner/group/mode match." + local grep_line + grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" + if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then + true "OK The owner/group/mode matches. No further action required." + else + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" + + ## Remove from and add to real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + else + true "There is no fso entry. Therefore add one." + + if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then + true "OK Existing mode already saved previously. 
No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" + fi + + ## Add to real database. + echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + + ## Save in separate database. + ## Not using --update as this is only for saving. + echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" + fi + fi + if [ "$capability_from_config" = "" ]; then + continue + fi + + if [ "$capability_from_config" = "none" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + # sudo setcap -r /bin/ping 2>/dev/null + # Failed to set capabilities on file '/bin/ping' (No data available) + # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + echo_wrapper_ignore setcap -r "$fso" + getcap_output="$(getcap "$fso")" + if [ ! "$getcap_output" = "" ]; then + exit_code=205 + echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 + continue + fi + else + if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then + echo "ERROR: capability_from_config '$capability_from_config' does not exist!" 
>&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" + fi + done < "$config_file" + echo "INFO: END parsing config_file: '$config_file'" +} + +parse_config_folder() { + # Query contents of password and group databases only once and buffer them + # + # If we don't buffer we sometimes get incorrect results when checking for entries using + # 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in + # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since + # 'set -o pipefail' is set for this script. + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + + shopt -s nullglob + for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do + set_file_perms + done +} + +sanity_tests +parse_config_folder + +if [ ! "$exit_code" = "0" ]; then + echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +fi + +exit "$exit_code" diff --git a/usr/libexec/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo new file mode 100755 index 0000000..981a2a6 --- /dev/null +++ b/usr/libexec/security-misc/permission-hardening-undo 
@@ -0,0 +1,136 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +#set -x +set -e +set -o pipefail + +if [ "$1" = "all" ]; then + remove_file="all" +elif [ ! "$1" = "" ]; then + remove_file="$1" +else + echo "ERROR: need to give parameter 'all' or a filename. + +examples: + +$0 all + +$0 /usr/bin/newgrp + " >&2 +fi + +exit_code=0 + +dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" + +undo_permission_hardening() { + if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then + return 0 + fi + + local line + + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! read -r owner group mode file_name <<< "$line" ; then + exit_code=201 + echo "ERROR: cannot parse line: $line" >&2 + continue + fi + true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" + + if [ "$remove_file" = "all" ]; then + do_proceed=true + verbose_maybe="" + else + if [ "$remove_file" = "$file_name" ]; then + do_proceed=true + verbose_maybe="--verbose" + remove_one=true + else + do_proceed=false + verbose_maybe="" + fi + fi + + if [ "$do_proceed" = "false" ]; then + continue + fi + + if [ "$remove_one" = "true" ]; then + set -x + fi + + if test -e "$file_name" ; then + chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 + else + echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." 
+ fi + + dpkg-statoverride --remove "$file_name" &>/dev/null || true + dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true + dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true + + if [ "$remove_one" = "true" ]; then + set +x + break + fi + + done < "/var/lib/permission-hardening/existing_mode/statoverride" +} + +undo_permission_hardening + +if [ ! "$remove_file" = "all" ]; then + if [ ! "$remove_one" = "true" ]; then + echo "INFO: none removed. + +File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + +Note: This is expected if already done earlier. + +Note: This program expects the full path to the file. Example: + +$0 /usr/bin/newgrp + +The following syntax will not work: + +$0 program-name + +The following example will not work: + +$0 newgrp + +To remove all: + +$0 all + +This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener + +To view list of changed by SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + +For re-enabling any specific SUID binary: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + +For completely disabling SUID Disabler and Permission Hardener: +https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi +fi + +if [ ! "$exit_code" = "0" ]; then + echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +fi + +exit "$exit_code" diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 31aaee4..615bf6c 100755 --- a/usr/libexec/security-misc/permission-lockdown 
+++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. 
@@ -32,28 +32,35 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - mkdir --parents /var/cache/security-misc/state-files - local user - for user in $(dir /home); do ## lists directories only - if [ -f "/var/cache/security-misc/state-files/$user" ]; then + shopt -s nullglob + + ## Not using dotglob. + ## touch /var/cache/security-misc/state-files//home/.Trash + ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory + + local folder_name base_name + + for folder_name in /home/* ; do + base_name="$(basename "$folder_name")" + if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then continue fi - folder_name="/home/$user" - ## chmod: - ## The 'g' for 'group' is not needed. - ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. - ## The group which the user is being added to has the same name as the user. - ## If the username is user then the name of the group is also user. - ## Some background information here: - ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux - ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command - ## required to run is sudo addgroup user1 user2. - ## See also: user private groups UPGs - ## https://wiki.debian.org/UserPrivateGroups + if [ ! -d "$folder_name" ]; then + continue + fi + if [ "$folder_name" = "/home/" ]; then + continue + fi + mkdir -p /var/cache/security-misc/state-files echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" - touch "/var/cache/security-misc/state-files/$user" + ## Create a state-file so we do this only once. + ## Therefore a user who will manually undo this, will not get + ## annoyed by this being done over and over again. + touch "/var/cache/security-misc/state-files/$base_name" done + + shopt -u nullglob } home_folder_access_rights_lockdown 
diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure new file mode 100755 index 0000000..57a26ca --- /dev/null +++ b/usr/libexec/security-misc/remount-secure 
@@ -0,0 +1,130 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## noexec in /tmp and/or /home can break some malware but also legitimate +## applications. + +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +set -x +set -e + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/remount-secure_pre.d/*.conf + ## /usr/local/etc/remount-secure_pre.d/*.conf + source /usr/libexec/helper-scripts/pre.bsh +fi + +if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then + echo "INFO: file /etc/remount-disable exists. Doing nothing." + exit 0 +fi + +if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then + noexec=false + echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." +else + if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then + noexec=true + echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." + else + echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." + fi +fi + +mkdir --parents "/var/run/remount-secure" + +if [ "$noexec" = "true" ]; then + noexec_maybe=",noexec" +fi + +exit_code=0 + +mount_output="$(mount)" + +remount_secure() { + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function + ## which called this function. + status_file_name="${FUNCNAME[1]}" + ## example status_file_name: + ## _home + status_file_full_path="/var/run/remount-secure/${status_file_name}" + ## example status_file_full_path: + ## /var/run/remount-secure/_home + + ## LANG=C str_replace is provided by package helper-scripts. 
+ mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" + ## example mount_folder: + ## /home + + mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true + + if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then + echo "INFO: $mount_folder has already intended mount options." + return 0 + fi + + if [ -e "$status_file_full_path" ]; then + echo "INFO: $mount_folder already remounted earlier. Not remounting again." + return 0 + fi + + ## BUG: echo: write error: Broken pipe + if echo "$mount_output" | grep -q "$mount_folder " ; then + ## Already mounted. Using remount. + echo mount -o "remount,${new_mount_options}" "$mount_folder" + mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 + else + ## Not yet mounted. Using mount bind. + echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + fi + + touch "$status_file_full_path" +} + +_home() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_run() { + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_dev_shm() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_tmp() { + new_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 +# _lib() { +# ## Not using noexec on /lib. +# new_mount_options="nosuid,nodev" +# remount_secure "$@" +# } + +end() { + exit $exit_code +} + +main() { + _home "$@" + _run "$@" + _dev_shm "$@" + _tmp "$@" + #_lib "$@" + end "$@" +} + +main "$@" diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index 5b75f6d..a541222 100755 
--- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index a5cb3ea..785d026 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. @@ -29,7 +29,7 @@ root_check() { parse_cmd_options() { ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 + ## http://mywiki.wooledge.org/BashFAQ/035 while : do diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm deleted file mode 100644 index e02a087..0000000 --- a/usr/share/doc/security-misc/fstab-vm +++ /dev/null 
@@ -1,40 +0,0 @@ -# - -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 - -proc /proc proc nofail,defaults 0 0 - -/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 -#udev /dev devtmpfs defaults,nosuid,noexec 0 0 - -## noexec optional -/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 -#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 - -## nodev,nosuid,noexec as per: -## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -## Commented out by default to prevent warning: -## mount: /mnt/cdrom: mount point does not exist. -#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 - -/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 - -/var /var none nofail,bind,nosuid,nodev 0 0 - -## noexec optional -/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 - -/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/run /run none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/home /home none nofail,bind,nosuid,nodev,noexec 0 0 - -## TODO: -#/sys diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 2f56805..2ee9098 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -1,5 +1,2 @@ -## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - [org.gnome.nautilus.preferences] show-image-thumbnails="never" diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 26c3c70..ba9a440 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -1,17 +1,11 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. -security-misc: package-contains-file-in-etc-skel [etc/skel/*] +security-misc: package-contains-file-in-etc-skel etc/skel/* ## Wrapper script. -security-misc: no-manual-page [usr/bin/pkexec.security-misc] +security-misc: no-manual-page usr/bin/pkexec.security-misc ## Non-ideal but still a good solution. -security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] - -## False-positive. Just a comment mentioning dpkg's folder. -security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] - -## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. -security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] +security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder diff --git a/usr/share/pam-configs/faillock-preauth-security-misc b/usr/share/pam-configs/faillock-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-preauth-security-misc rename to usr/share/pam-configs/faillock-security-misc index f72826c..d337690 100644 --- a/usr/share/pam-configs/faillock-preauth-security-misc +++ b/usr/share/pam-configs/faillock-security-misc 
@@ -1,8 +1,11 @@ -Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) Default: yes -Priority: 1024 +Priority: 290 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth +Account-Type: Primary +Account: + requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc new file mode 100644 index 0000000..7bc5fb7 --- /dev/null +++ b/usr/share/pam-configs/faillock2-security-misc @@ -0,0 +1,8 @@ +Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) +Default: yes +Priority: 245 +Auth-Type: Primary +Auth: + [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + sufficient pam_faillock.so authsucc diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc deleted file mode 100644 index b29e433..0000000 --- a/usr/share/pam-configs/umask-security-misc +++ /dev/null @@ -1,9 +0,0 @@ -Name: Restrict umask to 027 for non-root users (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session: - [success=1 default=ignore] pam_succeed_if.so uid eq 0 - optional pam_umask.so umask=027 - [success=1 default=ignore] pam_succeed_if.so uid ne 0 - optional pam_umask.so umask=022 diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc deleted file mode 100644 index 876ffa8..0000000 --- a/usr/share/pam-configs/unix-faillock-security-misc +++ /dev/null 
@@ -1,20 +0,0 @@ -Name: Unix authentication with faillock (by package security-misc) -Default: yes -Priority: 384 -Auth-Type: Primary -Auth: - [success=3 default=ignore] pam_unix.so nullok try_first_pass - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so -Auth-Initial: - [success=3 default=ignore] pam_unix.so nullok - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index eb8a9df..323ff72 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -1,7 +1,6 @@ Name: group sudo membership required to use su (by package security-misc) Default: yes -Priority: 1050 +Priority: 280 Auth-Type: Primary Auth: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su requisite pam_wheel.so group=sudo debug diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 9028487..0d4b739 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,5 +1,6 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] Plugins= + diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index 150e06b..1336b2c 100644 
--- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration @@ -15,7 +15,7 @@ ## /etc/sysctl.d/30-lkrg-virtualbox.conf ## by package security-misc, files: ## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf +## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 @@ -24,7 +24,7 @@ ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## /etc/sysctl.d/30-lkrg-dkms.conf -## /usr/lib/systemd/system/lkrg.service +## /lib/systemd/system/lkrg.service ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 4e1754c..022d2dc 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox 
@@ -1,19 +1,13 @@ #!/bin/bash -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -#set -x +set -x set -e -## provides function: pkg_installed -source /usr/libexec/helper-scripts/package_installed_check.bsh - -## Check if the VirtualBox host software is installed. if ! command -v vboxmanage &>/dev/null ; then - ## VirtualBox host software is not installed. if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then - ## Delete using '--verbose' so user is notified. rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf fi exit 0 @@ -27,9 +21,4 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then exit 0 fi -if ! pkg_installed "lkrg" ; then - exit 0 -fi - -## Delete using '--verbose' so user is notified. cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded deleted file mode 100644 index d40c552..0000000 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ /dev/null 
@@ -1,36 +0,0 @@ -root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 755 /bin/ping -root root 777 /etc/motd.kicksecure -root root 777 /etc/motd.whonix -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/bin/chsh -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 755 /etc/permission-hardener.d -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 777 /etc/issue.kicksecure -root root 777 /etc/issue.whonix -root root 755 /etc/cron.d -root root 4755 /usr/bin/sudo -root root 4755 /usr/bin/pkexec -root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded deleted file mode 100644 index d1b3a80..0000000 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ /dev/null 
@@ -1,26 +0,0 @@ -root root 700 /etc/cron.monthly -root root 700 /etc/sudoers.d -root shadow 744 /usr/bin/expiry -root root 755 /usr/bin/umount -root root 744 /usr/bin/gpasswd -root root 700 /usr/lib/modules -root root 744 /usr/bin/newgrp -root root 700 /etc/cron.weekly -root root 744 /usr/bin/su -root root 700 /etc/cron.daily -root root 755 /bin/ping -root root 644 /etc/motd.kicksecure -root root 644 /etc/motd.whonix -root _ssh 744 /usr/bin/ssh-agent -root root 700 /boot -root shadow 744 /usr/bin/chage -root root 744 /usr/lib/openssh/ssh-keysign -root root 744 /usr/bin/chsh -root root 755 /usr/bin/passwd -root root 744 /usr/bin/chfn -root root 600 /etc/permission-hardener.d -root root 700 /usr/src -root root 755 /usr/bin/mount -root root 644 /etc/issue.kicksecure -root root 644 /etc/issue.whonix -root root 700 /etc/cron.d
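Review bot: the first hunk in this section (`@@ -1,20 +0,0 @@`) deletes the entire `Unix authentication with faillock` pam-config profile and nothing else in the patch adds a replacement, so the `pam_faillock.so authfail` / `authsucc` lockout and the `requisite pam_deny.so` short-circuit vanish from every service that uses the Primary auth block. If dropping brute-force lockout is intended, say so in the commit message and changelog; if it is moving to another profile or a different `Priority`, that addition belongs in the same patch so no intermediate state ships without it. The deleted profile also carried `Priority: 384`, which was the only thing ordering it against the `wheel-security-misc` profile changed further down, so the Priority change there should be re-checked with this deletion in mind.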
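Review bot: in the `wheel-security-misc` hunk, removing `[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su` leaves `requisite pam_wheel.so group=sudo debug` unguarded, so it is now evaluated for every service that includes the Primary auth block, not only for `su` as the unchanged `Name:` line still claims. Unless `root_only` is added, pam_wheel applies its group check regardless of the target user, so accounts outside group `sudo` can lose the ability to authenticate through any stack that includes this profile; either keep the `pam_exec.so` gate or rename the profile and document the wider scope. The `Priority` drop from 1050 to 280 also moves the module later in the pam-auth-update ordering (higher Priority runs first); 280 still sorts above Debian's `unix` profile at 256, but anything that sat between 280 and 1050 now runs before it. The `debug` option on `pam_wheel.so` is untouched context, but it should not ship in a default profile.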
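Review bot: the `dolphinrc` hunk, and the matching header change in every other file touched here, moves the copyright year backwards from 2025 to 2023 and the entity from `ENCRYPTED SUPPORT LLC` to `ENCRYPTED SUPPORT LP`, and appends a trailing blank line after `Plugins=`. Combined with the comments and guard checks being removed elsewhere in this patch, that is the signature of a diff generated in the wrong direction (new tree as `a/`, old tree as `b/`) or of a branch cut from a stale checkout; confirm the base revision before merging, and drop the trailing blank line either way.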
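Review bot: the two hunks in `30-lkrg-virtualbox.conf` are comment-only, but they replace `/usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf` and `/usr/lib/systemd/system/lkrg.service` with the `/lib/systemd/system/...` spelling, which is the less accurate one: on a merged-/usr Debian system `/lib` is a symlink to `/usr/lib` and the units actually live under `/usr/lib/systemd/system`, so the old comment was correct. Keep the `/usr/lib` form (and the 2025 copyright year) unless the package is deliberately being moved back to the legacy path.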
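Review bot: in the `lkrg-virtualbox` hunks, `set -x` goes from commented out to active, so every run of this hook now traces each command to stderr, and the `if ! pkg_installed "lkrg" ; then exit 0 ; fi` guard is deleted along with the `source /usr/libexec/helper-scripts/package_installed_check.bsh` line that provided it. Without that guard the script copies `30-lkrg-virtualbox.conf` into `/etc/sysctl.d/` whenever `vboxmanage` is present even if LKRG is not installed, so `lkrg.pcfi_validate = 1` is handed to sysctl with no `lkrg` module to accept it and the boot-time sysctl pass logs an error for the unknown key. Re-comment `set -x`, restore the `pkg_installed` check, and keep the explanatory comments; while restoring them, the `## Delete using '--verbose' so user is notified.` line that precedes the `cp` should say "Copy" rather than "Delete".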
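Review bot: deleting `permission-hardener-existing-mode-legacy-hardcoded` removes the only record in this package of the pre-hardening owner, group and mode for each path (`root root 4755 /usr/bin/su`, `root shadow 2755 /usr/bin/chage`, `root root 777 /etc/motd.kicksecure`, and so on), and nothing in the patch adds a replacement. If any undo or migration path for systems hardened by the legacy code still reads this file, it will now fail; the commit message should state where that state lives now, or the file should stay until the migration code is gone. The `777` entries for `/etc/motd.*` and `/etc/issue.*` also deserve an explicit comment, because any restore logic that replays this list would make those files world-writable again.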
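Review bot: `permission-hardener-new-mode-legacy-hardcoded` is deleted together with its `existing-mode` counterpart, but the two lists are not symmetric: the new-mode file has `root _ssh 744 /usr/bin/ssh-agent` and `root root 744 /usr/lib/openssh/ssh-keysign` with no existing-mode entry, while `/usr/bin/sudo`, `/usr/bin/pkexec`, `/usr/lib/polkit-1/polkit-agent-helper-1` and the `/etc/passwd`, `/etc/group` and `/etc/hosts.*` entries appear only in the existing-mode file. Whatever replaces these files must reproduce the same set of setuid/setgid removals (`/usr/bin/su` 4755 to 744, `/usr/bin/passwd` 4755 to 755, `/usr/bin/mount` and `/usr/bin/umount` 4755 to 755) and the same directory tightening (`/boot`, `/usr/src` and the `/etc/cron.*` directories to 700); name the replacement in the commit message and add a check that compares the resulting modes against this list before it is removed, otherwise a SUID binary can silently come back or an unintended one be stripped.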