From c192644ee328ff8d5d244d10c082b3a871b151b1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun, 8 Dec 2019 05:21:35 -0500
Subject: [PATCH] security-misc
 `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer
 required, removed.

Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
---
 debian/control                                          | 5 +++--
 usr/share/pam-configs/mkhomedir-security-misc           | 2 +-
 usr/share/pam-configs/permission-lockdown-security-misc | 6 ------
 3 files changed, 4 insertions(+), 9 deletions(-)
 delete mode 100644 usr/share/pam-configs/permission-lockdown-security-misc

diff --git a/debian/control b/debian/control
index 9faaba3f..43daa794 100644
--- a/debian/control
+++ b/debian/control
@@ -212,14 +212,15 @@ Description: enhances misc security settings
  Removes read, write and execute access for others for all users who have
  home folders under folder /home by running for example
  "chmod o-rwx /home/user"
- during package installation, upgrade or pam. This will be done only once per
+ during package installation, upgrade or pam mkhomedir. This will be done only
+ once per
  folder in folder /home so users who wish to relax file permissions are free to
  do so. This is to protect previously created files in user home folder which
  were previously created with lax file permissions prior installation of this
  package.
  debian/security-misc.postinst
- /usr/share/pam-configs/permission-lockdown-security-misc
  /usr/lib/security-misc/permission-lockdown
+ /usr/share/pam-configs/mkhomedir-security-misc
  .
  access rights relaxations:
  .
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index a2609269..326013c0 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
-	optional	pam_mkhomedir.so
+	optional	pam_mkhomedir.so umask=027
diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc
deleted file mode 100644
index 65be498c..00000000
--- a/usr/share/pam-configs/permission-lockdown-security-misc
+++ /dev/null
@@ -1,6 +0,0 @@
-Name: prevent users from reading other users /home/user folders (by package security-misc)
-Default: yes
-Priority: 50
-Session-Type: Additional
-Session:
-	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/permission-lockdown