security-misc/etc/permission-hardener.d/25_default_whitelist_qubes.conf

## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Please use "/etc/permission-hardener.d/20_user.conf" or
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.

## TODO: research
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
##
## Qubes upstream security issue:
## qfile-unpacker allows unprivileged users in VMs to gain root privileges
## https://github.com/QubesOS/qubes-issues/issues/8633
##
## match both:
#/usr/lib/qubes/qfile-unpacker whitelist
#/lib/qubes/qfile-unpacker
qfile-unpacker matchwhitelist
Update Copyright (C) to 2024 2024-05-11 10:18:36 +07:00			`## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 16:28:15 +07:00			`## See the file COPYING for copying conditions.`

Rename file permission hardening script Hardener as the script is the agent that is hardening the file permissions. 2024-01-02 19:34:29 +07:00			`## Please use "/etc/permission-hardener.d/20_user.conf" or`
			`## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 16:28:15 +07:00			`## configuration. When security-misc is updated, this file may be overwritten.`

			`## TODO: research`
			`## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c`
comments 2023-11-07 04:40:22 +07:00			`##`
			`## Qubes upstream security issue:`
			`## qfile-unpacker allows unprivileged users in VMs to gain root privileges`
exclude qfile-unpacker from permission hardener 2023-11-06 04:03:36 +07:00			`## https://github.com/QubesOS/qubes-issues/issues/8633`
comments 2023-11-07 04:40:22 +07:00			`##`
simplify disabling of SUID Disabler and Permission Hardener whitelist split `/etc/permission-hardening.d/30_default.conf` into multiple files `/etc/permission-hardening.d/40_default_whitelist_[...].conf` therefore make it easier to delete any whitelisted SUID binaries 2020-12-01 16:28:15 +07:00			`## match both:`
			`#/usr/lib/qubes/qfile-unpacker whitelist`
			`#/lib/qubes/qfile-unpacker`
exclude qfile-unpacker from permission hardener 2023-11-06 04:03:36 +07:00			`qfile-unpacker matchwhitelist`