From 060d7d890a0292addaa1e85bb1b2ff7eece23378 Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Fri, 8 Oct 2021 22:11:58 -0400 Subject: [PATCH 1/3] hide-hardware-info: re-enable restrictions on sysfs when using SELinux When using SELinux, restrict the parts of sysfs explicitly to ensure restrictions are working as expected.
---
 usr/libexec/security-misc/hide-hardware-info | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 59850ae..bd76367 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -88,6 +88,16 @@ done
 ## properly
 if [ -d /sys/fs/selinux ]; then
 if [ "${selinux}" = "1" ]; then
+ ## restrict permissions on everything but
+ ## what is needed
+ for i in /sys/* /sys/fs/*
+ do
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}"
+ else
+ chmod og-rwx "${i}"
+ fi
+ done
 chmod o+rx /sys /sys/fs /sys/fs/selinux
 echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
 else
From 4172232eb75aaca301e51529e49df76ca86b93b3 Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Fri, 8 Oct 2021 22:17:12 -0400 Subject: [PATCH 2/3] hide-hardware-info: make indentation consistent
---
 usr/libexec/security-misc/hide-hardware-info | 32 ++++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index bd76367..45bddb8 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info 
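Review bot: The two chmod calls inside the new loop are unchecked, so an entry under /sys or /sys/fs that refuses the mode change (for instance a foreign or read-only filesystem mounted there) is either skipped with only chmod's own stderr message or, if the script runs under set -e (not visible in the hunk), aborts the script before `chmod o+rx /sys /sys/fs /sys/fs/selinux` restores access for SELinux userspace. In the non-aborting case the INFO line still reports SELinux mode as applied with nothing saying that a restriction was skipped; surfacing it explicitly, e.g. `chmod o-rwx "${i}" || echo "WARNING: could not restrict ${i}" >&2` and likewise on the og-rwx branch, keeps incomplete hiding visible in the boot log. The `chmod o+rx` line also deserves a comment that /sys and /sys/fs intentionally stay world-traversable so /sys/fs/selinux is reachable, which leaves the entry names under /sys/fs (typically the filesystems registered there) listable by unprivileged users. The enclosing `if [ -d /sys/fs/selinux ]` block continues past the end of the hunk.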
@@ -87,20 +87,20 @@ done
 ## SELinux userspace utilities will not function
 ## properly
 if [ -d /sys/fs/selinux ]; then
- if [ "${selinux}" = "1" ]; then
- ## restrict permissions on everything but
- ## what is needed
- for i in /sys/* /sys/fs/*
- do
- if [ "${sysfs_whitelist}" = "1" ]; then
- chmod o-rwx "${i}"
- else
- chmod og-rwx "${i}"
- fi
- done
- chmod o+rx /sys /sys/fs /sys/fs/selinux
- echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
- else
- echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
- fi
+ if [ "${selinux}" = "1" ]; then
+ ## restrict permissions on everything but
+ ## what is needed
+ for i in /sys/* /sys/fs/*
+ do
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ chmod o-rwx "${i}"
+ else
+ chmod og-rwx "${i}"
+ fi
+ done
+ chmod o+rx /sys /sys/fs /sys/fs/selinux
+ echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function."
+ else
+ echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly."
+ fi
 fi
From 93efa506dac6135f1a5c260ec95d985e7fedc53d Mon Sep 17 00:00:00 2001 From: 0xC0ncord Date: Thu, 17 Mar 2022 11:41:57 -0400 Subject: [PATCH 3/3] hide-hardware-info: disable selinux whitelist by default
---
 usr/libexec/security-misc/hide-hardware-info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 45bddb8..849e561 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -9,7 +9,7 @@ sysfs_whitelist=1
 cpuinfo_whitelist=1
 ## https://www.whonix.org/wiki/Security-misc#selinux
-selinux=1
+selinux=0
 shopt -s nullglob
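Review bot: With the default now selinux=0, a host that has /sys/fs/selinux mounted takes the else branch of the SELinux block later in the file and only prints that some userspace utilities may not work, and the wiki link above the assignment is the variable's only documentation. A one-line comment next to it would make the trade-off explicit in the script itself, e.g. `## 1 = keep /sys, /sys/fs and /sys/fs/selinux world-traversable so SELinux userspace utilities work (loosens hiding); 0 = do not`. Whether the value can be overridden from a configuration file is not visible in the hunk.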