Restrict /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to root #31

Merged
merged 7 commits into from Oct 5, 2019
7 changes: 7 additions & 0 deletions debian/control
Expand Up @@ -84,6 +84,13 @@ Description: enhances misc security settings
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
a history of security concerns.
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
.
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
/sys to the root user only. This hides a lot of hardware identifiers from
unprivileged users and increases security as /sys exposes a lot of information
that shouldn't be accessible to unprivileged users. As this will break many
things, it is disabled by default and can optionally be enabled by running
`systemctl enable hide-hardware-info.service` as root.
.
Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities.
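Review bot: the enable instruction in the new description paragraph (`systemctl enable hide-hardware-info.service`) only arranges for the unit to run at the next boot, since the unit is wired into sysinit.target; the text should say that a reboot is needed, or recommend `systemctl enable --now hide-hardware-info.service` so the restriction applies immediately as well. Also, "this will break many things" is too vague for a user deciding whether to opt in: name the known breakage (at minimum, that any unprivileged tool reading /sys or /proc/cpuinfo will fail) so the trade-off is documented where the option is described.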
4 changes: 4 additions & 0 deletions lib/systemd/system-preset/50-security-misc.preset
@@ -0,0 +1,4 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

disable hide-hardware-info.service
17 changes: 17 additions & 0 deletions lib/systemd/system/hide-hardware-info.service
@@ -0,0 +1,17 @@
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

[Unit]
Description=Hide hardware information to unprivileged users
Documentation=https://github.com/Whonix/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/usr/lib/security-misc/hide-hardware-info

[Install]
WantedBy=sysinit.target
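Review bot: the [Service] section of this oneshot unit has no `RemainAfterExit=yes`, so after the script runs `systemctl status hide-hardware-info.service` reports the unit as inactive (dead) even though the restriction is in place, which makes it hard for an admin to verify that the hardening was applied at boot. Suggest adding `RemainAfterExit=yes` under `Type=oneshot` so the unit stays "active (exited)" on success and a later `systemctl start` does not needlessly rerun the chmod.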
24 changes: 24 additions & 0 deletions usr/lib/security-misc/hide-hardware-info
@@ -0,0 +1,24 @@
#!/bin/bash

## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## sysfs and debugfs expose a lot of information
## that should not be accessible by an unprivileged
## user which includes hardware info, debug info and
## more. This restricts /sys, /proc/cpuinfo, /proc/bus
## and /proc/scsi to the root user only. This hides
## many hardware identifiers from ordinary users
## and increases security.
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
do
if [ -e "${i}" ]; then
chmod og-rwx "${i}"
else
## /proc/scsi doesn't exist on Debian so errors
## are expected here.
if ! [ "${i}" = "/proc/scsi" ]; then
echo "ERROR: ${i} could not be found."
fi
fi
done
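Review bot: the script always exits 0, so systemd marks the unit successful even when a path is missing or `chmod` fails; the `echo "ERROR: ${i} could not be found."` branch is printed to the journal but never reflected in the unit's result. Suggest either `set -e` (or `set -o errexit`) at the top so a failing `chmod og-rwx "${i}"` aborts the unit, plus a failure flag in the missing-path branch that leads to `exit 1` after the loop, so `systemctl --failed` actually surfaces the problem. Minor: the header comment mentions debugfs separately, but debugfs is mounted under /sys/kernel/debug and is already covered by the `/sys` entry; worth stating that explicitly so readers do not expect a separate debugfs path in the list.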