From 060d7d890a0292addaa1e85bb1b2ff7eece23378 Mon Sep 17 00:00:00 2001
From: 0xC0ncord
Date: Fri, 8 Oct 2021 22:11:58 -0400
Subject: [PATCH] hide-hardware-info: re-enable restrictions on sysfs when using SELinux

When using SELinux, restrict the parts of sysfs explicitly to ensure restrictions are working as expected.
---
 usr/libexec/security-misc/hide-hardware-info | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 59850ae..bd76367 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -88,6 +88,16 @@ done
 ## properly
 if [ -d /sys/fs/selinux ]; then
   if [ "${selinux}" = "1" ]; then
+    ## restrict permissions on everything but
+    ## what is needed
+    for i in /sys/* /sys/fs/*
+    do
+      if [ "${sysfs_whitelist}" = "1" ]; then
+        chmod o-rwx "${i}"
+      else
+        chmod og-rwx "${i}"
+      fi
+    done
     chmod o+rx /sys /sys/fs /sys/fs/selinux
     echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
   else
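Review bot: The new loop's comment "restrict permissions on everything but what is needed" does not match what the loop does: `/sys/*` and `/sys/fs/*` include `/sys/fs` and `/sys/fs/selinux`, which are tightened here and only reopened by the pre-existing `chmod o+rx /sys /sys/fs /sys/fs/selinux` on the next line, so the comment should say that, e.g. `## restrict everything under /sys and /sys/fs; the chmod below re-opens the paths selinuxfs needs`. A failed `chmod` on any entry is also unchecked; unless the script runs under `set -e` (its header is outside the hunk), a node that cannot be changed is silently left readable, so consider `chmod o-rwx "${i}" || echo "WARNING: could not restrict ${i}" >&2` on both branches, and if `set -e` is in effect the opposite problem applies — one failing node aborts the whole hardening pass. Note that `/sys/fs/*` also covers other filesystems mounted there (cgroup, bpf, pstore, where present); the `og-rwx` branch removes group access to those too, which may affect non-root services relying on them — worth confirming against the non-SELinux path. The enclosing `if [ -d /sys/fs/selinux ]` / `if [ "${selinux}" = "1" ]` blocks begin and end outside this hunk.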