wip: bugfixed and performance improvements

2025-09-15 21:58:04 +02:00 · 2025-09-15 21:58:04 +02:00 · 2c44ee4e68
commit 2c44ee4e68
parent 469c3f0441
4 changed files with 113 additions and 13 deletions
--- a/fedora-42-gnome.yaml
+++ b/fedora-42-gnome.yaml
@ -8,8 +8,9 @@
      vars:
        umask_changes: true
        manage_network: true
-        allow_ptrace: false # turn off for gvisor
-
+        allow_ptrace: false 
+        use_hardened_malloc: true
+  
    - name: 'Gnome package stuff'
      ansible.builtin.include_role:
        name: gnome
@ -21,6 +22,8 @@
    - name: 'Setup arkenfox'
      ansible.builtin.include_role:
        name: arkenfox
+        vars:
+          enable_webgl: false

    - name: 'Install wireguard-tools and neovim'
      ansible.builtin.dnf5:
@ -29,14 +32,6 @@
          - neovim
        state: 'present'
  
-    - name: 'Install devtools'
-      ansible.builtin.include_role:
-        name: devtools
-
    - name: 'Handle SUID binaries'
-      ansible.builtin.include_role:
-        name: suid_role
-      vars:
-        allow_run0: true
-
-
+      ansible.builtin.script:
+        name: ./remove_suid.sh
--- a/remove_suid.sh
+++ b/remove_suid.sh
@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# Copied from The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
+
+whitelist=(
+    # Required for nvidia closed driver images
+    "/usr/bin/nvidia-modprobe"
+    # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
+    "/usr/lib/polkit-1/polkit-agent-helper-1"
+    # https://github.com/secureblue/secureblue/issues/119
+    # Required for hardened_malloc to be used by suid-root processes
+    "/usr/lib64/libhardened_malloc-light.so"
+    "/usr/lib64/libhardened_malloc-pkey.so"
+    "/usr/lib64/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
+)
+
+
+is_in_whitelist() {
+    local binary="$1"
+    for allowed_binary in "${whitelist[@]}"; do
+        if [ "$binary" = "$allowed_binary" ]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+sudo passwd -l root
+sudo dnf remove sudo-python-plugin
+
+find /usr -type f -perm /4000 |
+    while IFS= read -r binary; do
+        if ! is_in_whitelist "$binary"; then
+            echo "Removing SUID bit from $binary"
+            chmod u-s "$binary"
+            echo "Removed SUID bit from $binary"
+        fi
+    done
+
+find /usr -type f -perm /2000 |
+    while IFS= read -r binary; do
+        if ! is_in_whitelist "$binary"; then
+            echo "Removing SGID bit from $binary"
+            chmod g-s "$binary"
+            echo "Removed SGID bit from $binary"
+        fi
+    done
+
+rm -f /usr/bin/chsh
+rm -f /usr/bin/chfn
+rm -f /usr/bin/pkexec
+rm -f /usr/bin/sudo
+rm -f /usr/bin/su
+
+set_caps_if_present() {
+    local caps="$1"
+    local binary_path="$2"
+    if [ -f "$binary_path" ]; then
+        echo "Setting caps $caps on $binary_path"
+        setcap "$caps" "$binary_path"
+        echo "Set caps $caps on $binary_path"
+    fi
+}
+
+set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
+set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
+set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"
--- a/roles/arkenfox/templates/userjs-override.js.j2
+++ b/roles/arkenfox/templates/userjs-override.js.j2
@ -10,4 +10,10 @@ pref("browser.startup.page", 1);
 pref("browser.startup.homepage", "about:home");
 pref("browser.newtabpage.enabled", true);

+{% if enable_webgl %}
 pref("webgl.disabled", false);
+{% else %}
+pref("webgl.disabled", true);
+{% endif %}
+
+
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@ -134,7 +134,7 @@
  ansible.builtin.dnf5:
    name: 'hardened_malloc'
    state: 'present'
-
+  when: use_hardened_malloc == true
 - name: Install custom packages
  ansible.builtin.dnf5:
    name:
@ -149,10 +149,16 @@
    src: 'etc/ld.so.preload'
    dest: '/etc/ld.so.preload'
    mode: '0644'
+  when: use_hardened_malloc == true
+
 - name: Enable hardened_malloc for system wide flatpak
  shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  when: use_hardened_malloc == true
+
 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
  shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  when: use_hardened_malloc == true
+
 - name: Setup dnf repos
  ansible.builtin.copy:
    src: 'etc/dnf/dnf.conf'