mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-10 15:17:57 +07:00
Code Issues Packages Projects Releases Wiki Activity

output

Browse Source
This commit is contained in:
Patrick Schleizer 2019-12-20 11:03:22 -05:00
parent c0ddb76d74
commit cd8efe5800
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
usr/lib/security-misc/permission-hardening
View File

@ -11,7 +11,12 @@ set -e
exit_code=0 exit_code=0
echo_wrapper() { echo_wrapper_ignore() {
echo "run: $@"
"$@" || true
}
echo_wrapper_audit() {
echo "run: $@" echo "run: $@"
"$@" || echo "ERROR: above command failed!" >&2 "$@" || echo "ERROR: above command failed!" >&2
} }
@ -113,8 +118,8 @@ add_nosuid_statoverride_entry() {
## No need to check "dpkg-statoverride --list" for existing entries. ## No need to check "dpkg-statoverride --list" for existing entries.
## If existing_mode was correct already, we would not have reached this point. ## If existing_mode was correct already, we would not have reached this point.
## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add.
echo_wrapper dpkg-statoverride --remove "$file_name" || true echo_wrapper_ignore dpkg-statoverride --remove "$file_name"
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name"
fi fi
## /lib will hit ARG_MAX. ## /lib will hit ARG_MAX.
@ -221,12 +226,12 @@ set_file_perms() {
## The owner/group/mode do not match, therefore remove and re-add the entry to update it. ## The owner/group/mode do not match, therefore remove and re-add the entry to update it.
## fso_without_trailing_slash instead of fso to prevent ## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /" ## "dpkg-statoverride: warning: stripping trailing /"
echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --remove "$fso_without_trailing_slash"
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
fi fi
else else
## There is no fso entry. Therefore add one. ## There is no fso entry. Therefore add one.
echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" echo_wrapper_audit dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash"
fi fi
fi fi
@ -235,14 +240,14 @@ set_file_perms() {
fi fi
if [ "$capability" = "none" ]; then if [ "$capability" = "none" ]; then
echo_wrapper setcap -r "$fso" echo_wrapper_audit setcap -r "$fso"
else else
if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then
echo "ERROR: Capability '$capability' does not exist!" >&2 echo "ERROR: Capability '$capability' does not exist!" >&2
continue continue
fi fi
echo_wrapper setcap "${capability}+ep" "$fso" echo_wrapper_audit setcap "${capability}+ep" "$fso"
fi fi
done < "$config_file" done < "$config_file"
} }