From 47ddcad0c0af27093f61cf77008224bf66572532 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 02:29:47 -0500
Subject: [PATCH] rename keyword whitelist to exactwhitelist add new keyword disablewhitelist refactoring
---
 etc/permission-hardening.d/30_default.conf | 18 +++++---
 usr/lib/security-misc/permission-hardening | 50 +++++++++++++++-------
 2 files changed, 46 insertions(+), 22 deletions(-)
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 9b6eee7..b030e55 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -13,23 +13,27 @@
 ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
 ## argument.
+######################################################################
+# SUID disablewhitelist
+######################################################################
+
 ######################################################################
 # SUID exact match whitelist
 ######################################################################
 ## TODO: white spaces inside file name untested
-/usr/bin/sudo whitelist
-/bin/sudo whitelist
-/usr/bin/bwrap whitelist
-/bin/bwrap whitelist
-/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist
-/usr/lib/chromium/chrome-sandbox whitelist
+/usr/bin/sudo exactwhitelist
+/bin/sudo exactwhitelist
+/usr/bin/bwrap exactwhitelist
+/bin/bwrap exactwhitelist
+/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
+/usr/lib/chromium/chrome-sandbox exactwhitelist
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
-/usr/bin/firejail whitelist
+/usr/bin/firejail exactwhitelist
 ######################################################################
 # SUID exact match whitelist
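Review bot: The new `# SUID disablewhitelist` section header is added with no comment saying what a `disablewhitelist` entry does or how one is written, whereas the neighbouring sections at least carry the "nosuid" usage remark and a TODO. A reader of this config cannot tell whether the keyword re-enables hardening of a path that is also listed under `exactwhitelist`/`matchwhitelist`, and the script hunk implementing it does not settle that either. I would put a line such as `## <path> disablewhitelist  -- takes precedence over any exactwhitelist / matchwhitelist entry for <path>` under the header, with the exact effect filled in once the script side is decided. The second `# SUID exact match whitelist` header in the trailing context looks like a pre-existing copy-paste leftover that could be corrected while this section is being touched.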
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 663ddcd..d6335bc 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -147,11 +147,11 @@ add_nosuid_statoverride_entry() {
 ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
 new_mode="744"
-local is_whitelisted
-is_whitelisted=""
-for white_list_entry in $whitelist ; do
+local is_exact_whitelisted
+is_exact_whitelisted=""
+for white_list_entry in $exact_white_list ; do
 if [ "$file_name" = "$white_list_entry" ]; then
-is_whitelisted="true"
+is_exact_whitelisted="true"
 ## Stop looping through the whitelist.
 break
 fi
@@ -159,22 +159,36 @@ add_nosuid_statoverride_entry() {
 local is_match_whitelisted
 is_match_whitelisted=""
-for matchwhite_list_entry in $matchwhitelist ; do
+for matchwhite_list_entry in $match_white_list ; do
 if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
 is_match_whitelisted="true"
-## Stop looping through the matchwhitelist.
+## Stop looping through the match_white_list.
 break
 fi
 done
-if [ "$is_whitelisted" = "true" ]; then
-echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
-continue
-fi
+local is_disable_whitelisted
+is_disable_whitelisted=""
+for disablematch_list_entry in $disable_white_list ; do
+if [ "$file_name" = "$disablematch_list_entry" ]; then
+is_disable_whitelisted="true"
+## Stop looping through the disablewhitelist.
+break
+fi
+done
-if [ "$is_match_whitelisted" = "true" ]; then
-echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
+if [ "$is_disable_whitelisted" = "true" ]; then
+echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
 continue
+else
+if [ "$is_exact_whitelisted" = "true" ]; then
+echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
+continue
+fi
+if [ "$is_match_whitelisted" = "true" ]; then
+echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
+continue
+fi
 fi
 echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
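Review bot: The `continue` directly after the new `echo "INFO: white list disabled - ..."` line is kept as a context line from the old `is_whitelisted` block, so a file matched by `disable_white_list` is skipped exactly like a whitelisted file and never reaches the "new_mode" path below; the only observable difference from `exactwhitelist` is the wording of the log message, and the whole `else` branch is unreachable for that file. If the keyword is meant to override the whitelist for a path so that its SUID/SGID bit is removed, the branch should be just the echo with the `continue` deleted; if it is meant to skip, it duplicates `exactwhitelist` and the name is misleading. Either way the intended semantics should be stated in a comment above the loop, e.g. `## disablewhitelist takes precedence over exactwhitelist and matchwhitelist for the same path.` The nested `else` / `if` / `if` would read more plainly as `elif` arms, and `disablematch_list_entry` follows the existing loops in not being declared `local`. The enclosing function add_nosuid_statoverride_entry starts before and ends after this hunk.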
@@ -248,15 +262,21 @@ set_file_perms() {
 local fso_without_trailing_slash
 fso_without_trailing_slash="${fso%/}"
-if [ "$mode_from_config" = "whitelist" ]; then
+if [ "$mode_from_config" = "disablewhitelist" ]; then
 ## TODO: test/add white spaces inside file name support
-whitelist+="$fso_without_trailing_slash "
+disable_white_list+="$fso "
+continue
+fi
+
+if [ "$mode_from_config" = "exactwhitelist" ]; then
+## TODO: test/add white spaces inside file name support
+exact_white_list+="$fso "
 continue
 fi
 if [ "$mode_from_config" = "matchwhitelist" ]; then
 ## TODO: test/add white spaces inside file name support
-match_white_list+="$fso "
+match_white_list+="$fso "
 continue
 fi
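Review bot: `exact_white_list+="$fso "` replaces `whitelist+="$fso_without_trailing_slash "`, so the trailing-slash normalisation that `fso_without_trailing_slash` is computed for two lines earlier is no longer applied to the exact list, and the new `disable_white_list+="$fso "` skips it as well; both of those lists are compared with a plain `=` against `$file_name` in add_nosuid_statoverride_entry. A config entry written with a trailing slash that matched before this commit now silently stops matching, and for a whitelist that means the SUID bit is stripped from a binary the administrator meant to keep, which is the failure mode least likely to be noticed. I would use `disable_white_list+="$fso_without_trailing_slash "` and `exact_white_list+="$fso_without_trailing_slash "` (matchwhitelist used `$fso` before as well, so it can stay). The enclosing function set_file_perms starts before this hunk.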