rename keyword whitelist to exactwhitelist

add new keyword disablewhitelist refactoring
2025-01-09 22:57:53 +07:00 · 2019-12-23 02:29:47 -05:00 · 2019-12-23 02:29:47 -05:00 · 47ddcad0c0
commit 47ddcad0c0
parent 175d1c2845
2 changed files with 46 additions and 22 deletions
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@ -13,23 +13,27 @@
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.

+######################################################################
+# SUID disablewhitelist
+######################################################################
+
 ######################################################################
 # SUID exact match whitelist
 ######################################################################

 ## TODO: white spaces inside file name untested

-/usr/bin/sudo whitelist
-/bin/sudo whitelist
-/usr/bin/bwrap whitelist
-/bin/bwrap whitelist
-/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist
-/usr/lib/chromium/chrome-sandbox whitelist
+/usr/bin/sudo exactwhitelist
+/bin/sudo exactwhitelist
+/usr/bin/bwrap exactwhitelist
+/bin/bwrap exactwhitelist
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
+/usr/lib/chromium/chrome-sandbox exactwhitelist

 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
-/usr/bin/firejail whitelist
+/usr/bin/firejail exactwhitelist

 ######################################################################
 # SUID exact match whitelist
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@ -147,11 +147,11 @@ add_nosuid_statoverride_entry() {
      ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
      new_mode="744"

-      local is_whitelisted
-      is_whitelisted=""
-      for white_list_entry in $whitelist ; do
+      local is_exact_whitelisted
+      is_exact_whitelisted=""
+      for white_list_entry in $exact_white_list ; do
         if [ "$file_name" = "$white_list_entry" ]; then
-            is_whitelisted="true"
+            is_exact_whitelisted="true"
            ## Stop looping through the whitelist.
            break
         fi
@ -159,22 +159,36 @@ add_nosuid_statoverride_entry() {

      local is_match_whitelisted
      is_match_whitelisted=""
-      for matchwhite_list_entry in $matchwhitelist ; do
+      for matchwhite_list_entry in $match_white_list ; do
         if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
            is_match_whitelisted="true"
-            ## Stop looping through the matchwhitelist.
+            ## Stop looping through the match_white_list.
            break
         fi
      done

-      if [ "$is_whitelisted" = "true" ]; then
-         echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
-         continue
-      fi
+      local is_disable_whitelisted
+      is_disable_whitelisted=""
+      for disablematch_list_entry in $disable_white_list ; do
+         if [ "$file_name" = "$disablematch_list_entry" ]; then
+            is_disable_whitelisted="true"
+            ## Stop looping through the disablewhitelist.
+            break
+         fi
+      done

-      if [ "$is_match_whitelisted" = "true" ]; then
-         echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
+      if [ "$is_disable_whitelisted" = "true" ]; then
+         echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
         continue
+      else
+         if [ "$is_exact_whitelisted" = "true" ]; then
+            echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
+            continue
+         fi
+         if [ "$is_match_whitelisted" = "true" ]; then
+            echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
+            continue
+         fi
      fi

      echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
@ -248,15 +262,21 @@ set_file_perms() {
      local fso_without_trailing_slash
      fso_without_trailing_slash="${fso%/}"

-      if [ "$mode_from_config" = "whitelist" ]; then
+      if [ "$mode_from_config" = "disablewhitelist" ]; then
         ## TODO: test/add white spaces inside file name support
-         whitelist+="$fso_without_trailing_slash "
+         disable_white_list+="$fso "
+         continue
+      fi
+
+      if [ "$mode_from_config" = "exactwhitelist" ]; then
+         ## TODO: test/add white spaces inside file name support
+         exact_white_list+="$fso "
         continue
      fi

      if [ "$mode_from_config" = "matchwhitelist" ]; then
         ## TODO: test/add white spaces inside file name support
-         matchwhitelist+="$fso "
+         match_white_list+="$fso "
         continue
      fi