mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-10 07:06:43 +07:00
Code Issues Packages Projects Releases Wiki Activity

add matchwhitelist feature

Browse Source 
add "/usr/lib/virtualbox/ matchwhitelist"
This commit is contained in:
Patrick Schleizer 2019-12-20 12:57:24 -05:00
parent 3fab387669
commit 17e8605119
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/permission-hardening.d/30_default.conf
View File

@ -13,7 +13,7 @@
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
## argument.
## SUID whitelist.
## SUID exact match whitelist.
## TODO: white spaces inside file name untested
/usr/bin/sudo whitelist
/bin/sudo whitelist
@ -33,6 +33,10 @@
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
/usr/lib/qubes/qfile-unpacker whitelist
## SUID regex match whitelist.
## TODO: white spaces inside file name untested
/usr/lib/virtualbox/ matchwhitelist
## Permission hardening.
/home/ 0755 root root
/home/user/ 0700 user user

20
usr/lib/security-misc/permission-hardening
View File

@ -120,11 +120,25 @@ add_nosuid_statoverride_entry() {
fi
done
is_match_whitelisted=""
for matchwhite_list_entry in $matchwhitelist ; do
if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
is_match_whitelisted="true"
## Stop looping through the matchwhitelist.
break
fi
done
if [ "$is_whitelisted" = "true" ]; then
echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue
fi
if [ "$is_match_whitelisted" = "true" ]; then
echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
continue
fi
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
## No need to check "dpkg-statoverride --list" for existing entries.
@ -181,6 +195,12 @@ set_file_perms() {
continue
fi
if [ "$mode_from_config" = "matchwhitelist" ]; then
## TODO: test/add white spaces inside file name support
matchwhitelist+="$fso "
continue
fi
if ! [ -e "$fso" ]; then
echo "INFO: fso: '$fso' - does not exist. This is likely normal."
continue