Merge branch 'Kicksecure:master' into arp

changelog.upstream

@@ -1,3 +1,119 @@
+commit 7987a3914d364e674eb7479b15708c450041af02
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 12 02:29:42 2024 -0500
+
+    deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover
+
+commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Nov 12 01:41:12 2024 -0500
+
+    deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover
+
+commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 11:07:57 2024 +0000
+
+    bumped changelog version
+
+commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:48:11 2024 -0500
+
+    moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc
+
+commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:43:25 2024 -0500
+
+    deleted `/usr/bin/pkexec.security-misc`
+    
+    This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:
+    
+    > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
+    
+    * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
+    * https://forums.whonix.org/t/cannot-use-pkexec/8129
+    
+    This was a worthwhile effort, interesting approach but ultimately a dead-end.
+
+commit ef05b1a160b24d5aa42da9cc15009d94a37cf120
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:40:41 2024 -0500
+
+    disable legacy matroxfb_base framebuffer driver
+    
+    fix typo matroxfb_bases -> matroxfb_base
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:36:41 2024 -0500
+
+    fix `panic-on-oops.service`
+    
+    remove `After=multi-user.target` because already using `WantedBy=multi-user.target`
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Mon Nov 11 05:28:31 2024 -0500
+
+    fix optional opt-in `harden-module-loading.service`
+    
+    by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable
+    
+    Thanks to @ArrayBolt3 for the bug report!
+
+commit 4c649577f053af12bcd02c20576bf2d8aec1476d
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 11:52:42 2024 +0000
+
+    bumped changelog version
+
+commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd
+Merge: 5bd0a27 238f32e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 06:32:30 2024 -0500
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Nov 10 06:29:17 2024 -0500
+
+    fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'"
+    
+    no longer user end-of-options marker (`--`) for `setcap`
+    since setcap does not support it
+    
+    Fixes https://github.com/QubesOS/qubes-issues/issues/9569
+    
+    https://forums.whonix.org/t/permission-hardener-error/20719
+
+commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313
+Merge: 3af2684 8107782
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Nov 8 07:39:40 2024 -0500
+
+    Merge pull request #280 from raja-grewal/ssbd
+    
+     Enable `ssbd=force-on`
+
+commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b
+Author: raja-grewal <rg_public@proton.me>
+Date:   Fri Nov 8 15:36:04 2024 +1100
+
+     Enable `ssbd=force-on`
+
+commit 3af2684134279ba6f5b18b40986f02a50baa5604
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Wed Oct 30 09:43:05 2024 +0000
+
+    bumped changelog version
+
 commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Mon Oct 28 05:10:19 2024 -0400

debian/changelog

@@ -1,3 +1,21 @@
+security-misc (3:40.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 12 Nov 2024 09:11:57 +0000
+
+security-misc (3:40.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Mon, 11 Nov 2024 11:07:57 +0000
+
+security-misc (3:40.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 10 Nov 2024 11:52:42 +0000
+
 security-misc (3:40.3-1) unstable; urgency=medium
 
   * New upstream version (local package).

debian/security-misc.maintscript

@@ -81,3 +81,6 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
 
 ## renamed to /etc/default/grub.d/41_quiet_boot.cfg
 rm_conffile /etc/default/grub.d/41_quiet.cfg
+
+## moved to usability-misc
+rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -47,10 +47,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
 ## Disable Speculative Store Bypass (Spectre Variant 4).
+## Unconditionally enable mitigation for both kernel and userspace.
 ##
 ## https://www.suse.com/support/kb/doc/?id=000019189
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 
 ## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.

etc/dkms/framework.conf.d/30_security-misc.conf

@@ -1,20 +0,0 @@
-## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
-## This does not necessarily belong into security-misc.
-##
-## Example here:
-## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
-##
-## This might no longer be possible in the future. See:
-## "Stop handling dkms.conf as a bash/shell script"
-## https://github.com/dell/dkms/issues/414
-ENOUGH_RAM="1950"
-total_ram="$(free -m | sed  -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')"
-if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then
-   true "INFO: Enough RAM available. Not lowering compilation cores."
-else
-   true "INFO: Not enough RAM available. Lowering compilation cores to 1."
-   parallel_jobs=1
-fi

etc/modprobe.d/30_security-misc_disable.conf

@@ -262,7 +262,7 @@ install i810fb /usr/bin/disabled-framebuffer-by-security-misc
 install intelfb /usr/bin/disabled-framebuffer-by-security-misc
 install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
 install lxfb /usr/bin/disabled-framebuffer-by-security-misc
-install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc
 install neofb /usr/bin/disabled-framebuffer-by-security-misc
 install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
 install pm2fb /usr/bin/disabled-framebuffer-by-security-misc

etc/sudoers.d/pkexec-security-misc

@@ -1,11 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## REVIEW: is it ok that users can find out the PATH setting of root?
-#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path
-
-## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
-## set. Would otherwise error out with the following error message:
-## "This program must only be run through pkexec"
-## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
-#Defaults:ALL env_keep += "PKEXEC_UID"

etc/sudoers.d/xfce-security-misc

@@ -1,19 +0,0 @@
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
-## /usr/share/polkit-1/actions/org.xfce.power.policy
-
-## Feel free to out comment this if you are not using xfce4-power-manager or Xfce.
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
-#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
-
-## XXX: Should we allow this?
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
-#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate

usr/bin/permission-hardener

@@ -539,7 +539,12 @@ set_file_perms() {
       ## The value of the capability argument is not permitted for a file. Or
       ## the file is not a regular (non-symlink) file
       ## Therefore use echo_wrapper_ignore.
-      echo_wrapper_ignore verbose setcap -r -- "${fso}"
+      ##
+      ## NOTE: setcap does not support End-of-Options Marker ('--') yet.
+      ## setcap bug report:
+      ## setcap Command Does Not Support End-of-Options Marker ('--')
+      ## https://bugzilla.kernel.org/show_bug.cgi?id=219487
+      echo_wrapper_ignore verbose setcap -r "${fso}"
       getcap_output="$(getcap -- "${fso}")"
       if test -n "${getcap_output}"; then
         exit_code=205

usr/bin/pkexec.security-misc

@@ -1,132 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
-## See the file COPYING for copying conditions.
-
-## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
-## hidepid.
-## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
-## * https://forums.whonix.org/t/cannot-use-pkexec/8129
-
-set -e
-
-my_real_path="$(realpath "$0")" || true
-identifier="$my_real_path wrapper"
-exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
-
-log_to_journal() {
-   echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
-}
-
-log_to_journal "$0 $@"
-log_to_journal "DISPLAY: '$DISPLAY'"
-my_pstree="$(pstree -p $$)" || true
-log_to_journal "my_pstree: '$my_pstree'"
-
-## If hidepid is not in use, just use pkexec normally.
-if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
-   pkexec.security-misc-orig "$@"
-   exit $?
-fi
-
-switch_user=false
-
-original_args="$@"
-
-## Thanks to:
-## https://mywiki.wooledge.org/BashFAQ/035
-
-while :
-do
-      case $1 in
-         ## Should show 'pkexec --version' or fail?
-         --version)
-            shift
-            pkexec.security-misc-orig "$original_args"
-            exit $?
-            ;;
-         ## Should show 'pkexec --help' or fail?
-         --help)
-            shift
-            pkexec.security-misc-orig "$original_args"
-            exit $?
-            ;;
-         ## Drop --disable-internal-agent as not needed and breaking both,
-         ## lxqt-sudo and sudo.
-         --disable-internal-agent)
-            shift
-            ;;
-         --user)
-            ## lxqt-sudo does not support "--user".
-            ## We should not make this wrapper run something as root which
-            ## is supposed to run under a different user. Try using
-            ## "sudo -A --user user --set-home" instead.
-            user_pkexec_wrapper="$2"
-            if [ "$user_pkexec_wrapper" = "" ]; then
-               shift
-            else
-               shift 2
-            fi
-            switch_user=true
-            maybe_switch_to_user="--user $user_pkexec_wrapper"
-            ;;
-         --)
-            shift
-            break
-            ;;
-         *)
-            break
-            ;;
-      esac
-done
-
-## If there are input files (for example) that follow the options, they
-## will remain in the "$@" positional parameters.
-
-if [ "$PKEXEC_UID" = "" ]; then
-   if [ ! "$user_pkexec_wrapper" = "" ]; then
-      PKEXEC_UID="$user_pkexec_wrapper"
-   elif [ ! "$SUDO_USER" = "" ]; then
-      PKEXEC_UID="$SUDO_USER"
-   else
-      PKEXEC_UID="$(whoami)"
-   fi
-fi
-export PKEXEC_UID
-
-if [[ "$@" = "" ]]; then
-   ## Call original pkexec in case there are no arguments.
-   pkexec.security-misc-orig $original_args
-   exit $?
-fi
-
-exit_code=0
-
-## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
-## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
-## Did not work. 'sudo -l' will always exit with exit code '0'.
-# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
-#    log_to_journal "sudoers exception: yes"
-#    sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
-#    log_to_journal "sudo --user | exit_code: '$exit_code'"
-#    exit "$exit_code"
-# fi
-#
-# log_to_journal "sudoers exception: no"
-
-if [ "$switch_user" = "true" ]; then
-   ## 'sudo --user user' clears environment variables such as PATH.
-   lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
-else
-   ## set PATH same as root
-   ## This is required for gdebi.
-   ## REVIEW: is it ok that users can find out the PATH setting of root?
-   ## lxqt-sudo does not clear environment variable PATH.
-   PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
-   export PATH
-   lxqt-sudo "$@" || { exit_code=$? ; true; };
-fi
-
-log_to_journal "exit_code: '$exit_code'"
-
-exit "$exit_code"

usr/lib/systemd/system/panic-on-oops.service

@@ -7,7 +7,6 @@ Documentation=https://github.com/Kicksecure/security-misc
 
 ConditionKernelCommandLine=!panic-on-oops=0
 
-After=multi-user.target
 After=graphical.target
 After=getty.target