/
30_default.conf
146 lines (116 loc) · 4.88 KB
/
30_default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Please use "/etc/permission-hardening.d/20_user.conf" or
## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## File permission hardening.
##
## Syntax:
## [filename] [mode] [owner] [group] [capability]
##
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
## argument.
## TODO: white spaces inside file name untested and probably will not work.
######################################################################
# SUID disablewhitelist
######################################################################
## disablewhitelist disables below (or in lexically higher) files
## exactwhitelist and matchwhitelist. Add these here (discouraged) or better
## in file "/etc/permission-hardening.d/20_user.conf".
## For example, if you are not using SELinux the following might make sense to
## enable. TODO: research
#/utempter/utempter disablewhitelist
## If you are not going to use AppImages such as electrum Bitcoin wallet.
#/fusermount disablewhitelist
######################################################################
# SUID exact match whitelist
######################################################################
/usr/bin/sudo exactwhitelist
/bin/sudo exactwhitelist
/usr/bin/bwrap exactwhitelist
/bin/bwrap exactwhitelist
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
/usr/lib/chromium/chrome-sandbox exactwhitelist
## https://forums.whonix.org/t/disable-suid-binaries/7706/61
## Protect from 'chmod -x' (and SUID removal).
## SUID will be removed below in separate step.
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
## There is a controversy about firejail but those who choose to install it
## should be able to use it.
## https://www.whonix.org/wiki/Dev/Firejail#Security
/usr/bin/firejail exactwhitelist
## In case you need to use 'su'. See also:
## https://www.whonix.org/wiki/root#su
#/bin/su exactwhitelist
#/usr/bin/su exactwhitelist
######################################################################
# SUID exact match whitelist
######################################################################
## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
## https://lwn.net/Articles/590315/
## http://forums.whonix.org/t/permission-hardening/8655/25
#/usr/lib/xorg/Xorg.wrap whitelist
######################################################################
# SUID regex match whitelist - research required
######################################################################
/usr/lib/virtualbox/ matchwhitelist
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
## match both:
#/usr/lib/qubes/qfile-unpacker whitelist
#/lib/qubes/qfile-unpacker
/qubes/qfile-unpacker matchwhitelist
## match both:
#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
#/lib/policykit-1/polkit-agent-helper-1
polkit-agent-helper-1 matchwhitelist
######################################################################
# SUID regex match whitelist
######################################################################
dbus-daemon-launch-helper matchwhitelist
/utempter/utempter matchwhitelist
## required for AppImages such as electrum Bitcoin wallet
## https://forums.whonix.org/t/disable-suid-binaries/7706/57
/fusermount matchwhitelist
######################################################################
# Permission Hardening
######################################################################
## Remove SUID from 'mount' but keep executable.
## https://forums.whonix.org/t/disable-suid-binaries/7706/61
/bin/mount 745 root root
/usr/bin/mount 745 root root
/home/ 0755 root root
/home/user/ 0700 user user
/root/ 0700 root root
/boot/ 0700 root root
/etc/permission-hardening.d 0600 root root
/usr/local/etc/permission-hardening.d 0600 root root
/lib/modules/ 0700 root root
######################################################################
# SUID/SGID Removal
######################################################################
## Remove all SUID/SGID binaries/libraries.
/bin/ nosuid
/usr/bin/ nosuid
/usr/local/bin/ nosuid
/sbin/ nosuid
/usr/sbin/ nosuid
/usr/local/sbin/ nosuid
/lib/ nosuid
/lib32/ nosuid
/lib64/ nosuid
/usr/lib/ nosuid
/usr/lib32/ nosuid
/usr/lib64/ nosuid
/usr/local/lib/ nosuid
/usr/local/lib32/ nosuid
/usr/local/lib64/ nosuid
######################################################################
# Capability Removal
######################################################################
## Ping doesn't work with Tor anyway so its capabilities are removed to
## reduce attack surface.
## anon-apps-config does this.
#/bin/ping 0744 root root none
## TODO: research
#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none