From 6b78dbcd07a9d2361c5ab41f5151e24a80309e13 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 15 Oct 2019 20:57:02 +0000
Subject: [PATCH 1/6] Add way to whitelist things

---
 usr/lib/security-misc/hide-hardware-info | 45 +++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 4a1eec0..0875ddb 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -3,6 +3,33 @@
 ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+sysfs_whitelist=1
+cpuinfo_whitelist=1
+
+## Allows for disabling the whitelist.
+for i in /etc/hide-hardware-info.d/*.conf
+do
+ source "${i}"
+done
+
+create_whitelist() {
+ if [ "${1}" = "sysfs" ]; then
+ whitelist_path="/sys"
+ elif [ "${1}" = "cpuinfo" ]; then
+ whitelist_path="/proc/cpuinfo"
+ else
+ echo "ERROR: ${1} is not a correct parameter."
+ exit 1
+ fi
+
+ if grep -q "${1}" /etc/group; then
+ chmod o-rwx "${whitelist_path}"
+ chgrp -fR "${1}" "${whitelist_path}"
+ else
+ echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
+ fi
+}
+
 ## sysfs and debugfs expose a lot of information
 ## that should not be accessible by an unprivileged
 ## user which includes hardware info, debug info and 
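Review bot: `grep -q "${1}" /etc/group` is a substring match over the whole file, so any line that merely contains `sysfs` or `cpuinfo` (a member list, a differently named group) satisfies it while the group itself may not exist; `chgrp -fR` then fails silently and /sys stays world-readable. `if getent group "${1}" >/dev/null; then` checks the group by name. The else branch of that test only prints an error and leaves the path unrestricted, which fails open; adding `chmod og-rwx "${whitelist_path}"` there preserves the pre-patch restriction when the whitelist cannot be set up. The `for i in /etc/hide-hardware-info.d/*.conf` loop also sources the literal pattern when no .conf file is present unless nullglob is set; `[ -f "${i}" ] && source "${i}"` avoids that.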
@@ -13,7 +40,23 @@
 for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
 if [ -e "${i}" ]; then
- chmod og-rwx "${i}"
+ if [ "${i}" = "/sys" ]; then
+ ## Whitelist for /sys.
+ if [ "${sysfs_whitelist}" = "1" ]; then
+ create_whitelist sysfs
+ else
+ echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+ fi
+ elif [ "${i}" = "/proc/cpuinfo" ]; then
+ ## Whitelist for /proc/cpuinfo.
+ if [ "${cpuinfo_whitelist}" = "1" ]; then
+ create_whitelist cpuinfo
+ else
+ echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
+ fi
+ else
+ chmod og-rwx "${i}"
+ fi
 else
 ## /proc/scsi doesn't exist on Debian so errors
 ## are expected here.

From a47a2fca8bcdf8ff480cea879720b9599c491358 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 15 Oct 2019 20:58:58 +0000
Subject: [PATCH 2/6] Create 30_whitelist.conf

---
 etc/hide-hardware-info.d/30_whitelist.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 etc/hide-hardware-info.d/30_whitelist.conf

diff --git a/etc/hide-hardware-info.d/30_whitelist.conf b/etc/hide-hardware-info.d/30_whitelist.conf
new file mode 100644
index 0000000..9a0754d
--- /dev/null
+++ b/etc/hide-hardware-info.d/30_whitelist.conf
@@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Disable the /sys whitelist.
+#sysfs_whitelist=0
+
+## Disable the /proc/cpuinfo whitelist.
+#cpuinfo_whitelist=0

From 42c1701d5ca446da37a493b27c125b78bd8d183d Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 15 Oct 2019 21:00:03 +0000
Subject: [PATCH 3/6] Whitelist user@.service

---
 lib/systemd/system/user@.service.d/sysfs.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 lib/systemd/system/user@.service.d/sysfs.conf
diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/lib/systemd/system/user@.service.d/sysfs.conf
new file mode 100644
index 0000000..e0cf3a7
--- /dev/null
+++ b/lib/systemd/system/user@.service.d/sysfs.conf
@@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=sysfs

From af607d5eb233d85d493d796afde76728f0e0e3cd Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 15 Oct 2019 21:02:03 +0000
Subject: [PATCH 4/6] Create sysfs and cpuinfo groups

---
 debian/security-misc.postinst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 464429a..6b45661 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -30,6 +30,8 @@ case "$1" in
 esac
 
 addgroup root sudo
+addgroup --system sysfs
+addgroup --system cpuinfo
 
 pam-auth-update --package
 

From f08c03ab21126b2d3ef5d4c2e4e3f0eae14fa5c0 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 16 Oct 2019 15:39:23 +0000
Subject: [PATCH 5/6] Restrict sysfs/cpuinfo if the whitelist is disabled

---
 usr/lib/security-misc/hide-hardware-info | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 0875ddb..6641c18 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -45,6 +45,7 @@ do
 if [ "${sysfs_whitelist}" = "1" ]; then
 create_whitelist sysfs
 else
+ chmod og-rwx /sys
 echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
 fi
 elif [ "${i}" = "/proc/cpuinfo" ]; then
@@ -52,6 +53,7 @@ do
 if [ "${cpuinfo_whitelist}" = "1" ]; then
 create_whitelist cpuinfo
 else
+ chmod og-rwx /proc/cpuinfo
 echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
 fi
 else

From 61f742304d26e73df8433bd6fa03d33d39e39625 Mon Sep 17 00:00:00 2001 
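Review bot: `SupplementaryGroups=sysfs` on `user@.service` gives every user's `systemd --user` manager, and every service it starts, membership in the sysfs group, so the /sys restriction no longer applies to anything launched through the per-user manager, while processes started outside it are still restricted. That scope is broad enough to be stated in the drop-in itself, e.g. `## Grants /sys access to all per-user systemd services; the hide-hardware-info restriction does not apply to them.`, so a reader does not take the whitelist to be per-application.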
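Review bot: `addgroup --system sysfs` and `addgroup --system cpuinfo` run on every configure, so behaviour on reinstall or upgrade depends on adduser treating an already existing system group as success; if the postinst runs under `set -e` (its header is outside the hunk), a non-zero status here would abort package configuration. Guarding each call makes the step idempotent regardless of the adduser version: `getent group sysfs >/dev/null || addgroup --system sysfs`, and likewise for cpuinfo.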
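Review bot: `chmod og-rwx /sys` hard-codes the path although the enclosing branch already established `"${i}" = "/sys"`; `chmod og-rwx "${i}"` matches the fallback branch below and keeps a single spelling of each path. The same applies to `chmod og-rwx /proc/cpuinfo` in the second hunk. This only restores the restriction when the whitelist is disabled; the enabled-but-group-missing case is left to create_whitelist, outside these hunks, which currently prints an error and does not restrict the path.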
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 16 Oct 2019 19:46:59 +0000
Subject: [PATCH 6/6] return 0

---
 usr/lib/security-misc/hide-hardware-info | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info
index 6641c18..93e6ea7 100755
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@@ -25,6 +25,15 @@ create_whitelist() {
 if grep -q "${1}" /etc/group; then
 chmod o-rwx "${whitelist_path}"
 chgrp -fR "${1}" "${whitelist_path}"
+
+ ## Changing the permissions of /sys recursively
+ ## causes errors as the permissions of /sys/kernel/debug
+ ## and /sys/fs/cgroup cannot be changed which makes
+ ## systemd say the service has failed even though
+ ## everything has completed successfully. So, this
+ ## returns "0" instead which makes systemd say the
+ ## service has succeeded. 
+ return 0
 else
 echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
 fi
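Review bot: The unconditional `return 0` also masks a failure of `chmod o-rwx "${whitelist_path}"`, which is the line that actually restricts access, so a whitelist that was never applied is reported as success. Tolerating only the recursive chgrp while still checking the chmod keeps the intent of the comment: `chmod o-rwx "${whitelist_path}" || return 1` followed by `chgrp -fR "${1}" "${whitelist_path}" || true`, with the explanatory comment moved onto the chgrp line. The caller in the for loop, outside this hunk, does not inspect create_whitelist's status, so that return value would also need to be consumed there for systemd to see a failure.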