diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 2ce2fd0..28da07c 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -13,7 +13,7 @@
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.
 
-## SUID whitelist.
+## SUID exact match whitelist.
 ## TODO: white spaces inside file name untested
 /usr/bin/sudo whitelist
 /bin/sudo whitelist
@@ -33,6 +33,10 @@
 ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
 /usr/lib/qubes/qfile-unpacker whitelist
 
+## SUID regex match whitelist.
+## TODO: white spaces inside file name untested
+/usr/lib/virtualbox/ matchwhitelist
+
 ## Permission hardening.
 /home/ 0755 root root
 /home/user/ 0700 user user
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index a58ffdf..cb598cc 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -120,11 +120,25 @@ add_nosuid_statoverride_entry() {
 fi
 done
 
+ is_match_whitelisted=""
+ for matchwhite_list_entry in $matchwhitelist ; do
+ if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
+ is_match_whitelisted="true"
+ ## Stop looping through the matchwhitelist.
+ break
+ fi
+ done
+
 if [ "$is_whitelisted" = "true" ]; then
 echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
 continue
 fi
 
+ if [ "$is_match_whitelisted" = "true" ]; then
+ echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
+ continue
+ fi
+
 echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
 
 ## No need to check "dpkg-statoverride --list" for existing entries.
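Review bot: The new `## SUID regex match whitelist.` comment above `/usr/lib/virtualbox/ matchwhitelist` does not say how the pattern is applied, and the example reads like a path prefix rather than a regular expression. The script hunk below tests each entry with an unanchored `grep -q`, so an entry is a basic regular expression that can match anywhere inside a SUID file's path and `.` matches any character; anyone adding entries here needs that spelled out, for example `## Each entry is a grep basic regular expression tested against the full path of every SUID/SGID file found. It is not anchored: prefix it with ^ and escape regex metacharacters to limit it to one directory.` Without that guidance a short or unescaped pattern exempts more binaries from hardening than intended.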
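Review bot: The new matchwhitelist loop in add_nosuid_statoverride_entry treats every entry as an unanchored basic regex (`grep -q "$matchwhite_list_entry"`), so the configured `/usr/lib/virtualbox/` also exempts any SUID/SGID file whose path merely contains that substring, and an unescaped `.` in an entry matches any character. Because this decides which setuid bits survive hardening, the test should be anchored to the start of the path and the entry passed after `--` so a leading `-` is not parsed as a grep option: `if printf '%s\n' "$file_name" | grep -q -- "^$matchwhite_list_entry" ; then`. If a plain prefix is all that is wanted, `case "$file_name" in "$matchwhite_list_entry"*) is_match_whitelisted="true" ;; esac` avoids regex metacharacters entirely. Whether any scanned directory is user-writable, which would make the substring match exploitable, is not visible in the hunk, and add_nosuid_statoverride_entry begins before it.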
@@ -181,6 +195,12 @@ set_file_perms() {
 continue
 fi
 
+ if [ "$mode_from_config" = "matchwhitelist" ]; then
+ ## TODO: test/add white spaces inside file name support
+ matchwhitelist+="$fso "
+ continue
+ fi
+
 if ! [ -e "$fso" ]; then
 echo "INFO: fso: '$fso' - does not exist. This is likely normal."
 continue
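Review bot: The new `matchwhitelist` branch in set_file_perms stores `$fso` without checking that it is a usable pattern, so a typo such as an unbalanced `\(` in the config makes every later `grep -q` in add_nosuid_statoverride_entry fail with an error and the entry silently never matches, which is hard to diagnose from the INFO output alone. Since the entry is consumed as a grep regex rather than a path, it is worth validating once here and warning loudly before the `continue`: `if grep -q -- "$fso" /dev/null 2>/dev/null ; [ "$?" -eq 2 ] ; then echo "ERROR: matchwhitelist entry '$fso' is not a valid regular expression" >&2 ; fi` (grep exits 2 on a malformed pattern, and the `if` list keeps the check safe under `set -e`, whose presence is not visible here). The branch would also read better with a comment such as `## Regular expression consumed by add_nosuid_statoverride_entry; unlike the entries below it need not name an existing file.` set_file_perms starts before this hunk, so the `+=` bash-ism is assumed to mirror how the existing whitelist is accumulated.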