From 4cfdf2c65b57f410163653304871ee3eb1d3f6ea Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Fri, 20 Dec 2019 10:21:27 -0500
Subject: [PATCH] fix, re-enforce nosuid even if changed on the disk

---
 usr/lib/security-misc/permission-hardening | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 9f023fc..302ccc9 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -110,14 +110,11 @@ add_nosuid_statoverride_entry() {
 
       echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'"
 
-      if dpkg-statoverride --list | grep -q "$file_name"; then
-        if ! dpkg-statoverride --list | grep -q "$owner $group $new_mode $file_name"; then
-          echo_wrapper dpkg-statoverride --remove "$file_name"
-          echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
-        fi
-      else
-        echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
-      fi
+      ## No need to check "dpkg-statoverride --list" for existing entries.
+      ## If existing_mode was correct already, we would not have reached this point.
+      ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add.
+      echo_wrapper dpkg-statoverride --remove "$file_name" || true
+      echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
     fi
 
   ## /lib will hit ARG_MAX.