
Protecting /sys and /proc #277

Open
monsieuremre opened this issue Oct 19, 2024 · 3 comments

Comments

@monsieuremre
Contributor

We now have our own services to change permissions. I have come across a better and cleaner implementation.

https://github.com/divestedcg/Brace/tree/master/brace/usr/lib/tmpfiles.d

Can this approach be used here too for our purposes?

@adrelanos
Member

adrelanos commented Oct 20, 2024

That's an interesting repository which might have some goodies that have not been suggested here yet. Created,

for it.

That approach is blacklist-based: enumerating badness.

https://github.com/Kicksecure/security-misc/blob/master/usr/libexec/security-misc/hide-hardware-info is whitelist-based: it hardens permissions for everything except the whitelisted paths.

It also supports conditionals and configuration, is extensible, and could one day be used to address the other related open issues in this repository.

@monsieuremre
Contributor Author

The main difference to consider is that ours is a self-created new service. This approach uses existing mechanisms and allows better control for the user (also for us).

https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

We can implement the same whitelist approach also here, I think.

@adrelanos
Member

I don't see many code issues with /usr/libexec/security-misc/hide-hardware-info.

It's currently easy to opt in to the hide-hardware-info.service systemd unit using sudo systemctl enable /hide-hardware-info.service.

How would opt-in enabling work?

This is what the script is currently doing:

sudo ./usr/libexec/security-misc/hide-hardware-info
./usr/libexec/security-misc/hide-hardware-info: INFO: START
INFO: whitelist executing: chgrp --quiet --recursive cpuinfo /proc/cpuinfo
INFO: whitelist executing: chmod o-rwx /proc/cpuinfo
INFO: normal executing   : chmod og-rwx /proc/bus
INFO: normal executing   : chmod og-rwx /proc/scsi
INFO: whitelist executing: chgrp --quiet --recursive sysfs /sys
INFO: whitelist executing: chmod o-rwx /sys
INFO: normal executing   : chmod o-rwx /sys/block
INFO: normal executing   : chmod o-rwx /sys/bus
INFO: normal executing   : chmod o-rwx /sys/class
INFO: normal executing   : chmod o-rwx /sys/dev
INFO: normal executing   : chmod o-rwx /sys/devices
INFO: normal executing   : chmod o-rwx /sys/firmware
INFO: normal executing   : chmod o-rwx /sys/fs
INFO: normal executing   : chmod o-rwx /sys/hypervisor
INFO: normal executing   : chmod o-rwx /sys/kernel
INFO: normal executing   : chmod o-rwx /sys/module
INFO: normal executing   : chmod o-rwx /sys/power
INFO: normal executing   : chmod o-rwx /sys/fs/bpf
INFO: normal executing   : chmod o-rwx /sys/fs/btrfs
INFO: normal executing   : chmod o-rwx /sys/fs/cgroup
INFO: normal executing   : chmod o-rwx /sys/fs/ext4
INFO: normal executing   : chmod o-rwx /sys/fs/fuse
INFO: normal executing   : chmod o-rwx /sys/fs/pstore
INFO: normal executing   : chmod o+rx /sys /sys/fs
./usr/libexec/security-misc/hide-hardware-info: INFO: END

Not a high priority for me to translate that to systemd-tmpfiles.
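For reference, here is what the whitelist run printed above looks like expressed as tmpfiles.d lines. This is an added illustration, not code from security-misc or from Brace; the file name, the existence of the cpuinfo and sysfs groups, and the exact octal modes (derived from the stock 0444/0555/0755 permissions of these nodes) are assumptions.

```conf
# /etc/tmpfiles.d/hide-hardware-info.conf   (hypothetical path and name)
#
# Same whitelist approach as the script output above, as tmpfiles.d lines.
# "z" adjusts mode/owner of an existing node without creating it, "Z" does
# so recursively. For z/Z lines a "-" in Mode or User means "leave unchanged".
# systemd-tmpfiles-setup.service applies this on every boot, so the fresh
# /proc and /sys mounts are covered; it is not re-applied on a manual remount.
#
# Type  Path                 Mode  User  Group
#
# Whitelisted node: readable for the 'cpuinfo' group only (0444 -> 0440).
z       /proc/cpuinfo        0440  -     cpuinfo
#
# Normal /proc nodes: root only (chmod og-rwx on 0555 gives 0500).
z       /proc/bus            0500  -     -
z       /proc/scsi           0500  -     -
#
# /sys: hand the whole tree to the 'sysfs' group (the recursive chgrp), but
# leave every mode as it is. /sys and /sys/fs therefore stay at their default
# 0755, which is the net result of the script's "o-rwx" followed by "o+rx".
Z       /sys                 -     -     sysfs
#
# Normal /sys trees: drop world access (0755 -> 0750). Members of 'sysfs'
# keep read/traverse; everyone else is locked out of these subtrees only,
# so unprivileged processes can still traverse /sys and /sys/fs to anything
# that is not listed here.
z       /sys/block           0750  -     -
z       /sys/bus             0750  -     -
z       /sys/class           0750  -     -
z       /sys/dev             0750  -     -
z       /sys/devices         0750  -     -
z       /sys/firmware        0750  -     -
z       /sys/hypervisor      0750  -     -
z       /sys/kernel          0750  -     -
z       /sys/module          0750  -     -
z       /sys/power           0750  -     -
z       /sys/fs/bpf          0750  -     -
z       /sys/fs/btrfs        0750  -     -
z       /sys/fs/cgroup       0750  -     -
z       /sys/fs/ext4         0750  -     -
z       /sys/fs/fuse         0750  -     -
z       /sys/fs/pstore       0750  -     -
```

Apply it once with `sudo systemd-tmpfiles --create /etc/tmpfiles.d/hide-hardware-info.conf` and check the result with `stat` on a few of the listed paths; the cpuinfo and sysfs groups must exist beforehand or the group changes are skipped.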
