Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-11 03:28:28 -05:00
Code Issues Packages Projects Releases Wiki Activity
security-misc/debian/security-misc.postinst
Patrick Schleizer 420cb3f86f
refactoring
2025-01-14 03:19:21 -05:00

127 lines
3.9 KiB
Bash
Raw Blame History

#!/bin/bash
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
source /usr/libexec/helper-scripts/pre.bsh
fi
## Required since this package uses debconf - this is mandatory even though
## the postinst itself does not use debconf commands.
source /usr/share/debconf/confmodule
set -e
true "
#####################################################################
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"
permission_hardening_legacy_config_folder() {
if ! test -d /etc/permission-hardening.d ; then
return 0
fi
rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true
}
permission_hardening() {
echo "Running SUID Disabler and Permission Hardener... See also:"
echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
echo "$0: INFO: running: permission-hardener enable"
if ! permission-hardener enable ; then
echo "$0: ERROR: Permission hardening failed." >&2
return 0
fi
echo "$0: INFO: Permission hardening success."
}
migrate_permission_hardener_state() {
## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
if [ ! -d '/var/lib/permission-hardener' ]; then
return 0
fi
if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
return 0
fi
mkdir --parents '/var/lib/security-misc/do_once'
mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
}
case "$1" in
configure)
if [ -d /etc/skel/.gnupg ]; then
## Lintian warns against use of chmod --recursive.
chmod 700 /etc/skel/.gnupg
fi
## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
glib-compile-schemas /usr/share/glib-2.0/schemas || true
## state dir for faillock
mkdir -p /var/lib/security-misc/faillock
## migrate permission_hardener state to v2 if applicable
migrate_permission_hardener_state
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
triggered)
echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
/usr/share/security-misc/lkrg/lkrg-virtualbox || true
/usr/libexec/security-misc/mmap-rnd-bits || true
permission_hardening
exit 0
;;
*)
echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
exit 1
;;
esac
pam-auth-update --package
/usr/libexec/security-misc/permission-lockdown
permission_hardening
## https://phabricator.whonix.org/T377
## Debian has no update-grub trigger yet:
## https://bugs.debian.org/481542
if command -v update-grub >/dev/null 2>&1; then
update-grub || \
echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
likely only the trigger, not the cause. Unless you know this is not an issue, \
you should fix running 'update-grub', otherwise your system might no longer \
boot." >&2
fi
/usr/libexec/security-misc/mmap-rnd-bits || true
true "INFO: debhelper beginning here."
#DEBHELPER#
true "INFO: Done with debhelper."
permission_hardening_legacy_config_folder
true "
#####################################################################
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
#####################################################################
"
## Explicitly "exit 0", so eventually trapped errors can be ignored.
exit 0
Reference in New Issue View Git Blame Copy Permalink