Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate'

debian/control

@@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
 Build-Depends: config-package-dev,
                debhelper (>= 13),
                debhelper-compat (= 13),
-               dh-apparmor
+               dh-apparmor,
+               po-debconf
 Homepage: https://www.kicksecure.com/wiki/Security-misc
 Vcs-Browser: https://github.com/Kicksecure/security-misc
 Vcs-Git: https://github.com/Kicksecure/security-misc.git

debian/make-helper-overrides.bsh

@@ -4,4 +4,4 @@
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
-genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file"
+genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation"

debian/po/POTFILES.in

@@ -0,0 +1 @@
+[type: gettext/rfc822deb] security-misc.templates

debian/po/templates.pot

@@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the security-misc package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: security-misc\n"
+"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n"
+"POT-Creation-Date: 2025-01-12 19:28-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid "Manual intervention may be required for permission-hardener update"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid ""
+"permission-hardener is being updated to correct a bug that caused state file "
+"corruption. If you installed your own custom permission-hardener "
+"configuration, some manual intervention may be required. See https://www."
+"kicksecure.com/wiki/Permission-hardener#Fixing_state_files"
+msgstr ""

debian/security-misc.config

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+source /usr/share/debconf/confmodule
+
+set -e
+
+check_migrate_permission_hardener_state() {
+   local orig_hardening_arr custom_hardening_arr config_file custom_config_file
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   if [ -d '/var/lib/permission-hardener' ]; then
+      orig_hardening_arr=(
+         '/usr/lib/permission-hardener.d/25_default_passwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+         '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+         '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+         '/usr/lib/permission-hardener.d/30_ping.conf'
+         '/usr/lib/permission-hardener.d/30_default.conf'
+         '/etc/permission-hardener.d/25_default_passwd.conf'
+         '/etc/permission-hardener.d/25_default_sudo.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+         '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+         '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
+         '/etc/permission-hardener.d/30_ping.conf'
+         '/etc/permission-hardener.d/30_default.conf'
+      )
+
+      readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+      ## If the above `dpkg -V` command doesn't return any permission-hardener
+      ## related lines, the array will contain no meaningful info, just a single
+      ## blank element at the start. Set the array to be explicitly empty in
+      ## this scenario.
+      if [ -z "${custom_hardening_arr[0]}" ]; then
+         custom_hardening_arr=()
+      fi
+
+      for config_file in \
+         /usr/lib/permission-hardener.d/*.conf \
+         /etc/permission-hardener.d/*.conf \
+         /usr/local/etc/permission-hardener.d/*.conf \
+         /etc/permission-hardening.d/*.conf \
+         /usr/local/etc/permission-hardening.d/*.conf
+      do
+         # shellcheck disable=SC2076
+         if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+            if [ -f "${config_file}" ]; then
+               custom_hardening_arr+=( "${config_file}" )
+            fi
+         fi
+      done
+
+      if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+         for custom_config_file in "${custom_hardening_arr[@]}"; do
+            echo "INFO: Possible custom configuration file found: '${custom_config_file}'"
+         done
+         ## db_input will return code 30 if the message won't be displayed, which
+         ## causes a non-interactive install to error out if you don't use || true
+         db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
+         ## db_go can return code 30 too in some instances, we don't care here
+         # shellcheck disable=SC2119
+         db_go || true
+      fi
+
+   fi
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+check_migrate_permission_hardener_state

debian/security-misc.postinst

@@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
    source /usr/libexec/helper-scripts/pre.bsh
 fi
 
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e
 
 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
 
@@ -33,6 +37,20 @@ permission_hardening() {
     echo "$0: INFO: Permission hardening success."
 }
 
+migrate_permission_hardener_state() {
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   if [ -d '/var/lib/permission-hardener' ]; then
+      mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+      cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+   fi
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
 case "$1" in
     configure)
         if [ -d /etc/skel/.gnupg ]; then
@@ -45,13 +63,16 @@ case "$1" in
 
         ## state dir for faillock
         mkdir -p /var/lib/security-misc/faillock
+
+        ## migrate permission_hardener state to v2 if applicable
+        migrate_permission_hardener_state
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
     ;;
 
     triggered)
-      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
+      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
       /usr/share/security-misc/lkrg/lkrg-virtualbox || true
       /usr/libexec/security-misc/mmap-rnd-bits || true
       permission_hardening
@@ -94,7 +115,7 @@ permission_hardening_legacy_config_folder
 
 true "
 #####################################################################
-## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
 

debian/security-misc.templates

@@ -0,0 +1,7 @@
+Template: security-misc/alert-on-permission-hardener-v2-upgrade
+Type: note
+_Description: Manual intervention may be required for permission-hardener update
+ permission-hardener is being updated to correct a bug that caused state file
+ corruption. If you installed your own custom permission-hardener configuration,
+ some manual intervention may be required. See
+ https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files

usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded

@@ -0,0 +1,33 @@
+root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d
+root root 4755 /usr/bin/sudo
+root root 4755 /usr/bin/pkexec