From 07786de03953b91310588e0b37b9e150bf1b4736 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 12 Jan 2025 19:34:41 -0600
Subject: [PATCH 1/4] Enable smooth migration from permission-hardener-v1 to permission-hardener-v2
---
 debian/control | 3 +-
 debian/po/POTFILES.in | 1 +
 debian/po/templates.pot | 34 ++++++++++++++++++
 debian/security-misc.config | 64 ++++++++++++++++++++++++++++++++++
 debian/security-misc.postinst | 62 ++++++++++++++++++++++++++++++--
 debian/security-misc.templates | 7 ++++
 6 files changed, 167 insertions(+), 4 deletions(-)
 create mode 100644 debian/po/POTFILES.in
 create mode 100644 debian/po/templates.pot
 create mode 100644 debian/security-misc.config
 create mode 100644 debian/security-misc.templates
diff --git a/debian/control b/debian/control
index 4909511..d45f96d 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer Build-Depends: config-package-dev, debhelper (>= 13), debhelper-compat (= 13),
- dh-apparmor
+ dh-apparmor,
+ po-debconf
 Homepage: https://www.kicksecure.com/wiki/Security-misc
 Vcs-Browser: https://github.com/Kicksecure/security-misc
 Vcs-Git: https://github.com/Kicksecure/security-misc.git
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 0000000..435938f
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] security-misc.templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 0000000..3ebab2d
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the security-misc package.
+# FIRST AUTHOR , YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: security-misc\n"
+"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n"
+"POT-Creation-Date: 2025-01-12 19:28-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME \n"
+"Language-Team: LANGUAGE \n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid "Manual intervention may be required for permission-hardener update"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid ""
+"permission-hardener is being updated to correct a bug that caused state file "
+"corruption. If you installed your own custom permission-hardener "
+"configuration, some manual intervention may be required. See https://www."
+"kicksecure.com/wiki/Permission-hardener#Fixing_state_files"
+msgstr ""
diff --git a/debian/security-misc.config b/debian/security-misc.config
new file mode 100644
index 0000000..86722de
--- /dev/null
+++ b/debian/security-misc.config
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+source /usr/share/debconf/confmodule
+
+check_migrate_permission_hardener_state() {
+ local orig_hardening_arr custom_hardening_arr config_file
+ if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+ return 0
+ fi
+ mkdir --parents '/var/lib/security-misc/do_once'
+
+ # TODO: Is there some way to autogenerate this list at runtime?
+ orig_hardening_arr=(
+ '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+ '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+ '/usr/lib/permission-hardener.d/30_ping.conf'
+ '/usr/lib/permission-hardener.d/30_default.conf'
+ )
+ readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+
+ for config_file in \
+ /usr/lib/permission-hardener.d/*.conf \
+ /etc/permission-hardener.d/*.conf \
+ /usr/local/etc/permission-hardener.d/*.conf \
+ /etc/permission-hardening.d/*.conf \
+ /usr/local/etc/permission-hardening.d/*.conf
+ do
+ # shellcheck disable=SC2076
+ if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+ custom_hardening_arr+=( "${config_file}" )
+ fi
+ done
+
+ if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+ db_input critical security-misc/alert-on-permission-hardener-v2-upgrade
+ # shellcheck disable=SC2119
+ db_go
+ fi
+
+ touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+check_migrate_permission_hardener_state
\ No newline at end of file
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index d62cebc..5866b7b 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
 source /usr/libexec/helper-scripts/pre.bsh
 fi
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e
 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
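Review bot: The do_once marker written by the final `touch` in check_migrate_permission_hardener_state is created from the debconf config script, which, as far as I recall the debconf flow, runs during preconfiguration before the new package is unpacked and is expected to ask questions rather than change the system. The practical consequence is that once the marker exists, an upgrade that fails or is aborted after preconfiguration will never raise the alert again on the retry, because the early `return 0` fires before any detection runs. Consider having the config script only read the marker and letting security-misc.postinst create it once the migration has actually completed, or at least adding a comment above `touch` explaining why the marker is set at this stage. Later patches in this series rework the function but keep this placement, so the point applies to the final version as well.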
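Review bot: `source /usr/share/debconf/confmodule` is placed after the pre.bsh block and before `set -e`, so a failure of that `source` itself is ignored, and, if I remember confmodule correctly, it re-executes the script under the debconf frontend when none is running, which means everything above it (the pre.bsh sourcing) runs twice. If the double run of pre.bsh is known to be harmless, a comment such as `## confmodule may re-exec this script under the debconf frontend; anything above this line runs twice` would record that; otherwise moving the confmodule line to the top of the script avoids the question. The new comment's claim that sourcing is mandatory is correct for a package shipping a config script, but the reason (debconf needs it to finish the frontend session) is worth stating.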
@@ -33,6 +37,55 @@ permission_hardening() {
 echo "$0: INFO: Permission hardening success."
 }
+migrate_permission_hardener_state() {
+ local v2_state_file
+
+ if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+ return 0
+ fi
+ mkdir --parents '/var/lib/security-misc/do_once'
+
+ ## This has to be stored in the postinst rather than installed by the
+ ## package, because permission-hardener *will* change it and we *cannot*
+ ## allow future package updates to overwrite it.
+ v2_state_file="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d"
+
+ ## Not using sponge since moreutils might not be installed at this point.
+ mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+ echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+ touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
 case "$1" in
 configure)
 if [ -d /etc/skel/.gnupg ]; then
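Review bot: The hardcoded v2 state written to `existing_mode/statoverride` records `root root 777 /etc/motd` and `root root 777 /etc/issue`. If the existing_mode file is what permission-hardener-v2 restores from when hardening is undone (I cannot confirm that from this hunk), an undo would leave two files under /etc world-writable, which is worse than the 644 these files conventionally carry. It is worth verifying that these two entries reproduce what v1 actually recorded on a real system rather than being an artefact of the state-file corruption this series is fixing, and a comment above `v2_state_file=` saying where the list was taken from would help the next maintainer judge that. The same entries recur in the `permission-hardener-existing-mode-legacy-hardcoded` file introduced by patch 4/4, so any correction applies there too.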
@@ -45,13 +98,16 @@ case "$1" in
 ## state dir for faillock
 mkdir -p /var/lib/security-misc/faillock
+
+ ## migrate permission_hardener state to v2 if applicable
+ migrate_permission_hardener_state
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
 ;;
 triggered)
- echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'"
+ echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
 /usr/share/security-misc/lkrg/lkrg-virtualbox || true
 /usr/libexec/security-misc/mmap-rnd-bits || true
 permission_hardening
@@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder
 true "
 #####################################################################
-## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
diff --git a/debian/security-misc.templates b/debian/security-misc.templates
new file mode 100644
index 0000000..53b2ed3
--- /dev/null
+++ b/debian/security-misc.templates
@@ -0,0 +1,7 @@
+Template: security-misc/alert-on-permission-hardener-v2-upgrade
+Type: note
+_Description: Manual intervention may be required for permission-hardener update
+ permission-hardener is being updated to correct a bug that caused state file
+ corruption. If you installed your own custom permission-hardener configuration,
+ some manual intervention may be required. See
+ https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files
From 5570d3e5b9f97f14c772facff16dc45df66d42e9 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 12 Jan 2025 20:40:41 -0600
Subject: [PATCH 2/4] Add a forgotten set -e
---
 debian/security-misc.config | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
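Review bot: In the rewritten `triggered)` echo line the label is spelled `$\*:`, but inside double quotes bash only treats a backslash specially before `$`, backquote, `"`, `\` or newline, so the log line prints a literal `$\*:` rather than the intended `$*:`. Writing it as `\$*: '$*'` gives the intended label. The pre-existing `$\@` form had the same problem, so this is inherited rather than introduced, but the rewrite is the moment to fix it.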
diff --git a/debian/security-misc.config b/debian/security-misc.config
index 86722de..3880207 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -5,6 +5,8 @@ source /usr/share/debconf/confmodule
+set -e
+
 check_migrate_permission_hardener_state() {
 local orig_hardening_arr custom_hardening_arr config_file
 if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
@@ -61,4 +63,4 @@ check_migrate_permission_hardener_state() {
 touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
-check_migrate_permission_hardener_state
\ No newline at end of file
+check_migrate_permission_hardener_state
From a9e87e9d308f5e61a2d2054fa038dae6faadad3a Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 12 Jan 2025 21:13:43 -0600
Subject: [PATCH 3/4] Prevent installation failures when installing non-interactively
---
 debian/security-misc.config | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/debian/security-misc.config b/debian/security-misc.config
index 3880207..29d0992 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -55,9 +55,12 @@ check_migrate_permission_hardener_state() {
 done
 if [ "${#custom_hardening_arr[@]}" != '0' ]; then
- db_input critical security-misc/alert-on-permission-hardener-v2-upgrade
+ ## db_input will return code 30 if the message won't be displayed, which
+ ## causes a non-interactive install to error out if you don't use || true
+ db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
+ ## db_go can return code 30 too in some instances, we don't care here
 # shellcheck disable=SC2119
- db_go
+ db_go || true
 fi
 touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
From de9ebabd46798ff2afa259907b6a7b976070e7f0 Mon Sep 17 00:00:00 2001
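Review bot: `db_input ... || true` and `db_go || true` silence every non-zero status, not only the documented 30 that the new comments describe, so a genuinely broken debconf setup (template not registered, protocol error) passes unnoticed under `set -e` and the admin never sees the migration warning. Accepting only the expected status keeps errexit meaningful: `db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || [ "$?" -eq 30 ]`, and the same shape for `db_go` if 30 is the only status expected there; because `[` is the command after the final `||`, any other status still aborts the script. The enclosing function starts outside this hunk.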
From: Aaron Rainbolt
Date: Mon, 13 Jan 2025 21:57:10 -0600
Subject: [PATCH 4/4] Fix minor migration bugs, don't run the migration code on new image builds
---
 debian/make-helper-overrides.bsh | 2 +-
 debian/security-misc.config | 130 +++++++++++-------
 debian/security-misc.postinst | 43 +----
 ...on-hardener-existing-mode-legacy-hardcoded | 33 +++++
 4 files changed, 122 insertions(+), 86 deletions(-)
 create mode 100644 usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh
index dda635e..4804b3e 100755
--- a/debian/make-helper-overrides.bsh
+++ b/debian/make-helper-overrides.bsh
@@ -4,4 +4,4 @@ ## See the file COPYING for copying conditions.
 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
-genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file"
+genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation"
diff --git a/debian/security-misc.config b/debian/security-misc.config
index 29d0992..8513add 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -8,61 +8,99 @@ source /usr/share/debconf/confmodule
 set -e
 check_migrate_permission_hardener_state() {
- local orig_hardening_arr custom_hardening_arr config_file
+ local orig_hardening_arr custom_hardening_arr config_file custom_config_file
 if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
 return 0
 fi
 mkdir --parents '/var/lib/security-misc/do_once'
- # TODO: Is there some way to autogenerate this list at runtime?
- orig_hardening_arr=(
- '/usr/lib/permission-hardener.d/25_default_sudo.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
- '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
- '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
- '/usr/lib/permission-hardener.d/30_ping.conf'
- '/usr/lib/permission-hardener.d/30_default.conf'
- )
- readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+ if [ -d '/var/lib/permission-hardener' ]; then
+ orig_hardening_arr=(
+ '/usr/lib/permission-hardener.d/25_default_passwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+ '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+ '/usr/lib/permission-hardener.d/30_ping.conf'
+ '/usr/lib/permission-hardener.d/30_default.conf'
+ '/etc/permission-hardener.d/25_default_passwd.conf'
+ '/etc/permission-hardener.d/25_default_sudo.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+ '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+ '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
+ '/etc/permission-hardener.d/30_ping.conf'
+ '/etc/permission-hardener.d/30_default.conf'
+ )
- for config_file in \
- /usr/lib/permission-hardener.d/*.conf \
- /etc/permission-hardener.d/*.conf \
- /usr/local/etc/permission-hardener.d/*.conf \
- /etc/permission-hardening.d/*.conf \
- /usr/local/etc/permission-hardening.d/*.conf
- do
- # shellcheck disable=SC2076
- if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
- custom_hardening_arr+=( "${config_file}" )
+ readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+ ## If the above `dpkg -V` command doesn't return any permission-hardener
+ ## related lines, the array will contain no meaningful info, just a single
+ ## blank element at the start. Set the array to be explicitly empty in
+ ## this scenario.
+ if [ -z "${custom_hardening_arr[0]}" ]; then
+ custom_hardening_arr=()
+ fi
+
+ for config_file in \
+ /usr/lib/permission-hardener.d/*.conf \
+ /etc/permission-hardener.d/*.conf \
+ /usr/local/etc/permission-hardener.d/*.conf \
+ /etc/permission-hardening.d/*.conf \
+ /usr/local/etc/permission-hardening.d/*.conf
+ do
+ # shellcheck disable=SC2076
+ if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+ if [ -f "${config_file}" ]; then
+ custom_hardening_arr+=( "${config_file}" )
+ fi
+ fi
+ done
+
+ if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+ for custom_config_file in "${custom_hardening_arr[@]}"; do
+ echo "INFO: Possible custom configuration file found: '${custom_config_file}'"
+ done
+ ## db_input will return code 30 if the message won't be displayed, which
+ ## causes a non-interactive install to error out if you don't use || true
+ db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
+ ## db_go can return code 30 too in some instances, we don't care here
+ # shellcheck disable=SC2119
+ db_go || true
 fi
- done
- if [ "${#custom_hardening_arr[@]}" != '0' ]; then
- ## db_input will return code 30 if the message won't be displayed, which
- ## causes a non-interactive install to error out if you don't use || true
- db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
- ## db_go can return code 30 too in some instances, we don't care here
- # shellcheck disable=SC2119
- db_go || true
 fi
-
 touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 5866b7b..4240d6f 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
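Review bot: Customisation detection fails open: `readarray -t custom_hardening_arr < <(dpkg -V | awk ...)` never examines the exit status of `dpkg -V`, so if dpkg fails outright (locked or damaged database, for example) the array is simply empty, no debconf note is raised, and the hardcoded legacy state is migrated silently. Capturing the output into a variable first so its status can be checked (`dpkg_out=$(dpkg -V) || dpkg_rv=$?`, then feeding `$dpkg_out` to awk) and treating only the status dpkg(1) documents for a failed check as expected, raising the note or aborting on anything else, would make the check err toward warning the admin. Separately, the comment above `if [ -z "${custom_hardening_arr[0]}" ]` is not accurate: `readarray -t` on empty input yields a zero-length array rather than a single blank element, so the guard is harmless but the text should say it only covers a stray empty line in the awk output. Note also that `dpkg -V` with no package argument verifies every installed package, which can be slow on a large system; if the listed conffiles all belong to this package, `dpkg -V security-misc` would be cheaper, though I cannot confirm ownership from this hunk.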
@@ -38,51 +38,16 @@ permission_hardening() {
 }
 migrate_permission_hardener_state() {
- local v2_state_file
-
 if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
 return 0
 fi
 mkdir --parents '/var/lib/security-misc/do_once'
- ## This has to be stored in the postinst rather than installed by the
- ## package, because permission-hardener *will* change it and we *cannot*
- ## allow future package updates to overwrite it.
- v2_state_file="root root 644 /etc/passwd-
-root root 755 /etc/cron.monthly
-root root 755 /etc/sudoers.d
-root shadow 2755 /usr/bin/expiry
-root root 4755 /usr/bin/umount
-root root 4755 /usr/bin/gpasswd
-root root 755 /usr/lib/modules
-root root 644 /etc/issue.net
-root root 644 /etc/group-
-root root 4755 /usr/bin/newgrp
-root root 755 /etc/cron.weekly
-root root 644 /etc/hosts.deny
-root root 4755 /usr/bin/su
-root root 644 /etc/hosts.allow
-root root 700 /root
-root root 755 /etc/cron.daily
-root root 755 /bin/ping
-root root 777 /etc/motd
-root root 755 /boot
-root root 755 /home
-root shadow 2755 /usr/bin/chage
-root root 4755 /usr/bin/chsh
-root root 4755 /usr/bin/passwd
-root root 4755 /usr/bin/chfn
-root root 644 /etc/group
-root root 755 /etc/permission-hardener.d
-root root 644 /etc/passwd
-root root 755 /usr/src
-root root 4755 /usr/bin/mount
-root root 777 /etc/issue
-root root 755 /etc/cron.d"
+ if [ -d '/var/lib/permission-hardener' ]; then
+ mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+ cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+ fi
- ## Not using sponge since moreutils might not be installed at this point.
- mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
- echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
 touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
 }
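Review bot: The `cp` overwrites `existing_mode/statoverride` unconditionally whenever `/var/lib/permission-hardener` exists and the marker is absent, so any modes permission-hardener-v2 may already have recorded on this system are lost without a trace. Since the debconf note points admins at manual repair of state files, keeping the previous contents would help that repair: `cp --backup=numbered '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'` (the script already relies on GNU long options such as `mkdir --parents`). I cannot tell from this hunk whether `permission_hardening` on the `triggered` path can run before migrate_permission_hardener_state during the same upgrade; if it can, v2 would first record already-hardened modes as "existing" and this copy would then replace them, which is worth confirming and documenting next to the `cp`.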
diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
new file mode 100644
index 0000000..e8a4bbe
--- /dev/null
+++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
@@ -0,0 +1,33 @@
+root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d
+root root 4755 /usr/bin/sudo
+root root 4755 /usr/bin/pkexec
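Review bot: This file gains `root root 4755 /usr/bin/sudo` and `root root 4755 /usr/bin/pkexec`, which the inline list in patch 1/4 did not contain, and the commit message ("Fix minor migration bugs") does not say whether these were missing from v1's recorded state or are new; both are setuid-root binaries, so the recorded mode matters for whatever later consumes this list. Since a statoverride-style data file likely cannot carry comments, recording the provenance of the entries (and the reason for the two additions) in the postinst comment next to the `cp` that installs this file, or in the changelog, would help anyone who later has to reconcile it against a real system. The `root root 777` entries for `/etc/motd` and `/etc/issue` carried over from patch 1/4 deserve the same scrutiny.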