From c031f22995a1e073bd81189ee97a3de32a2b278f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 1 Dec 2020 05:14:48 -0500
Subject: [PATCH] SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists `whitelists_disable_all=true`

---
 etc/permission-hardening.d/30_default.conf | 6 ++++++
 usr/lib/security-misc/permission-hardening | 10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 4e86fc1..2557b2d 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -15,6 +15,12 @@
 
 ## TODO: white spaces inside file name untested and probably will not work.
 
+######################################################################
+# Global Settings
+######################################################################
+
+#whitelists_disable_all=true
+
 ######################################################################
 # SUID disablewhitelist
 ######################################################################
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 530d975..cc4403c 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -177,7 +177,9 @@ add_nosuid_statoverride_entry() {
     fi
   done
 
-  if [ "$is_disable_whitelisted" = "true" ]; then
+  if [ "$whitelists_disable_all" = "true" ]; then
+    true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
+  elif [ "$is_disable_whitelisted" = "true" ]; then
     echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"
   else
     if [ "$is_exact_whitelisted" = "true" ]; then
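Review bot: The new `true "INFO: whitelists_disable_all=true - …"` branch discards its message, because `true` ignores its arguments, so a whitelisted SUID/SGID binary that loses its bit only because of the global switch leaves no trace in the output, while the `elif` branch directly below it does `echo` the equivalent line. This override is precisely the case an administrator will want to audit afterwards, so it should be `echo "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'"`. `$whitelists_disable_all` is only ever assigned when the config line is present; if the script runs under `set -u` (not visible in this hunk) the test would abort on an unset variable, so initialising it to an empty value near the top of the script is safer. The commented example added to 30_default.conf carries no explanation of its effect; a comment such as `## Setting this to true makes the hardener ignore every whitelist entry below.` would help the reader of that file. add_nosuid_statoverride_entry begins before and continues after this hunk.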
@@ -252,6 +254,12 @@ set_file_perms() {
       exit "$exit_code"
     fi
 
+    if [ "$line" = 'whitelists_disable_all=true' ]; then
+      whitelists_disable_all=true
+      echo "INFO: whitelists_disable_all=true - all whitelists disabled."
+      continue
+    fi
+
     #global fso
     local mode_from_config owner_from_config group_from_config capability_from_config
     if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then
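Review bot: The new check accepts only the exact literal `whitelists_disable_all=true`, so any variant (`whitelists_disable_all=false`, a trailing space, `whitelists_disable_all = true`) falls through to the `read -r fso mode_from_config …` parser on the last line and is treated as a file-system object named `whitelists_disable_all=false` with an empty mode, rather than being reported as an unsupported setting. Matching the key separately from the value turns that silent misparse into an explicit error, which matters for a file whose only purpose is to decide which SUID/SGID binaries keep their bits. The `case` below keeps the accepted form unchanged and rejects every other value of the key; the exit status is a placeholder, the surrounding code's `$exit_code` convention is not visible in the hunk. set_file_perms begins before and continues after this hunk.
```shell
    case "$line" in
      whitelists_disable_all=true)
        whitelists_disable_all=true
        echo "INFO: whitelists_disable_all=true - all whitelists disabled."
        continue
        ;;
      whitelists_disable_all=*)
        echo "ERROR: line: '$line' - unsupported value for whitelists_disable_all, only 'true' is accepted." >&2
        exit 1 # placeholder status; align with the script's existing exit code convention
        ;;
    esac
    # … unchanged: fso / mode / owner / group / capability parsing …
```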