mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-10 15:17:57 +07:00
Code Issues Packages Projects Releases Wiki Activity

rename keyword whitelist to exactwhitelist

Browse Source 
add new keyword disablewhitelist

refactoring
This commit is contained in:
Patrick Schleizer 2019-12-23 02:29:47 -05:00
parent 175d1c2845
commit 47ddcad0c0
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 46 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
etc/permission-hardening.d/30_default.conf
View File

@ -13,23 +13,27 @@
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" ## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
## argument. ## argument.
######################################################################
# SUID disablewhitelist
######################################################################
###################################################################### ######################################################################
# SUID exact match whitelist # SUID exact match whitelist
###################################################################### ######################################################################
## TODO: white spaces inside file name untested ## TODO: white spaces inside file name untested
/usr/bin/sudo whitelist /usr/bin/sudo exactwhitelist
/bin/sudo whitelist /bin/sudo exactwhitelist
/usr/bin/bwrap whitelist /usr/bin/bwrap exactwhitelist
/bin/bwrap whitelist /bin/bwrap exactwhitelist
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
/usr/lib/chromium/chrome-sandbox whitelist /usr/lib/chromium/chrome-sandbox exactwhitelist
## There is a controversy about firejail but those who choose to install it ## There is a controversy about firejail but those who choose to install it
## should be able to use it. ## should be able to use it.
## https://www.whonix.org/wiki/Dev/Firejail#Security ## https://www.whonix.org/wiki/Dev/Firejail#Security
/usr/bin/firejail whitelist /usr/bin/firejail exactwhitelist
###################################################################### ######################################################################
# SUID exact match whitelist # SUID exact match whitelist

50
usr/lib/security-misc/permission-hardening
View File

@ -147,11 +147,11 @@ add_nosuid_statoverride_entry() {
## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these?
new_mode="744" new_mode="744"
local is_whitelisted local is_exact_whitelisted
is_whitelisted="" is_exact_whitelisted=""
for white_list_entry in $whitelist ; do for white_list_entry in $exact_white_list ; do
if [ "$file_name" = "$white_list_entry" ]; then if [ "$file_name" = "$white_list_entry" ]; then
is_whitelisted="true" is_exact_whitelisted="true"
## Stop looping through the whitelist. ## Stop looping through the whitelist.
break break
fi fi
@ -159,22 +159,36 @@ add_nosuid_statoverride_entry() {
local is_match_whitelisted local is_match_whitelisted
is_match_whitelisted="" is_match_whitelisted=""
for matchwhite_list_entry in $matchwhitelist ; do for matchwhite_list_entry in $match_white_list ; do
if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then
is_match_whitelisted="true" is_match_whitelisted="true"
## Stop looping through the matchwhitelist. ## Stop looping through the match_white_list.
break break
fi fi
done done
if [ "$is_whitelisted" = "true" ]; then local is_disable_whitelisted
echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" is_disable_whitelisted=""
continue for disablematch_list_entry in $disable_white_list ; do
fi if [ "$file_name" = "$disablematch_list_entry" ]; then
is_disable_whitelisted="true"
## Stop looping through the disablewhitelist.
break
fi
done
if [ "$is_match_whitelisted" = "true" ]; then if [ "$is_disable_whitelisted" = "true" ]; then
echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue continue
else
if [ "$is_exact_whitelisted" = "true" ]; then
echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
continue
fi
if [ "$is_match_whitelisted" = "true" ]; then
echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'"
continue
fi
fi fi
echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
@ -248,15 +262,21 @@ set_file_perms() {
local fso_without_trailing_slash local fso_without_trailing_slash
fso_without_trailing_slash="${fso%/}" fso_without_trailing_slash="${fso%/}"
if [ "$mode_from_config" = "whitelist" ]; then if [ "$mode_from_config" = "disablewhitelist" ]; then
## TODO: test/add white spaces inside file name support ## TODO: test/add white spaces inside file name support
whitelist+="$fso_without_trailing_slash " disable_white_list+="$fso "
continue
fi
if [ "$mode_from_config" = "exactwhitelist" ]; then
## TODO: test/add white spaces inside file name support
exact_white_list+="$fso "
continue continue
fi fi
if [ "$mode_from_config" = "matchwhitelist" ]; then if [ "$mode_from_config" = "matchwhitelist" ]; then
## TODO: test/add white spaces inside file name support ## TODO: test/add white spaces inside file name support
matchwhitelist+="$fso " match_white_list+="$fso "
continue continue
fi fi