From 2c44ee4e68a86d819a81ccbd30ce7bba2a949d07 Mon Sep 17 00:00:00 2001 From: mustard Date: Mon, 15 Sep 2025 21:58:04 +0200 Subject: [PATCH] wip: bugfixed and performance improvements --- fedora-42-gnome.yaml | 19 ++-- remove_suid.sh | 93 +++++++++++++++++++ .../arkenfox/templates/userjs-override.js.j2 | 6 ++ roles/baseline/tasks/main.yaml | 8 +- 4 files changed, 113 insertions(+), 13 deletions(-) create mode 100755 remove_suid.sh diff --git a/fedora-42-gnome.yaml b/fedora-42-gnome.yaml index 1f65559..4856e25 100644 --- a/fedora-42-gnome.yaml +++ b/fedora-42-gnome.yaml @@ -8,8 +8,9 @@ vars: umask_changes: true manage_network: true - allow_ptrace: false # turn off for gvisor - + allow_ptrace: false + use_hardened_malloc: true + - name: 'Gnome package stuff' ansible.builtin.include_role: name: gnome @@ -21,6 +22,8 @@ - name: 'Setup arkenfox' ansible.builtin.include_role: name: arkenfox + vars: + enable_webgl: false - name: 'Install wireguard-tools and neovim' ansible.builtin.dnf5: @@ -29,14 +32,6 @@ - neovim state: 'present' - - name: 'Install devtools' - ansible.builtin.include_role: - name: devtools - - name: 'Handle SUID binaries' - ansible.builtin.include_role: - name: suid_role - vars: - allow_run0: true - - + ansible.builtin.script: + name: ./remove_suid.sh diff --git a/remove_suid.sh b/remove_suid.sh new file mode 100755 index 0000000..1caf5d5 --- /dev/null +++ b/remove_suid.sh 
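Review bot: The replacement task in the last hunk passes the script path as `name:` under `ansible.builtin.script`, but that module takes the script as free-form/`cmd` (plus `chdir`, `creates`, `executable`, `removes`) and does not document a `name` parameter, so the play should fail argument validation before remove_suid.sh ever runs; `ansible.builtin.script: ./remove_suid.sh` or `cmd: ./remove_suid.sh` is the usual form. The task also carries no `become:`, yet the script's chmod/rm/setcap calls need root and, once it has run, /usr/bin/sudo is gone and root is locked, so any later task that relies on sudo-based `become` will fail — the dropped suid_role invocation at least declared `allow_run0: true`, and nothing in this hunk replaces that guarantee. Whether the `- name: 'Handle SUID binaries'` line survives or the new `ansible.builtin.script:` key is left orphaned after the removed block cannot be recovered from the collapsed hunk, so it is worth confirming the task list still parses.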
@@ -0,0 +1,93 @@ +#!/usr/bin/env bash + +# Copied from The Secureblue Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under the License is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and limitations under the License. + +set -oue pipefail + +# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage + +whitelist=( + # Required for nvidia closed driver images + "/usr/bin/nvidia-modprobe" + # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 + "/usr/lib/polkit-1/polkit-agent-helper-1" + # https://github.com/secureblue/secureblue/issues/119 + # Required for hardened_malloc to be used by suid-root processes + "/usr/lib64/libhardened_malloc-light.so" + "/usr/lib64/libhardened_malloc-pkey.so" + "/usr/lib64/libhardened_malloc.so" + "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so" + "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so" + "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so" + "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so" + "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so" + "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so" + "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so" + "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so" + "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so" + "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so" + "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so" + "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so" +) + + +is_in_whitelist() { + local binary="$1" + for 
allowed_binary in "${whitelist[@]}"; do + if [ "$binary" = "$allowed_binary" ]; then + return 0 + fi + done + return 1 +} + +sudo passwd -l root +sudo dnf remove sudo-python-plugin + +find /usr -type f -perm /4000 | + while IFS= read -r binary; do + if ! is_in_whitelist "$binary"; then + echo "Removing SUID bit from $binary" + chmod u-s "$binary" + echo "Removed SUID bit from $binary" + fi + done + +find /usr -type f -perm /2000 | + while IFS= read -r binary; do + if ! is_in_whitelist "$binary"; then + echo "Removing SGID bit from $binary" + chmod g-s "$binary" + echo "Removed SGID bit from $binary" + fi + done + +rm -f /usr/bin/chsh +rm -f /usr/bin/chfn +rm -f /usr/bin/pkexec +rm -f /usr/bin/sudo +rm -f /usr/bin/su + +set_caps_if_present() { + local caps="$1" + local binary_path="$2" + if [ -f "$binary_path" ]; then + echo "Setting caps $caps on $binary_path" + setcap "$caps" "$binary_path" + echo "Set caps $caps on $binary_path" + fi +} + +set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage" +set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3" +set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd" diff --git a/roles/arkenfox/templates/userjs-override.js.j2 b/roles/arkenfox/templates/userjs-override.js.j2 index 0af2642..84e69bb 100644 --- a/roles/arkenfox/templates/userjs-override.js.j2 +++ b/roles/arkenfox/templates/userjs-override.js.j2 @@ -10,4 +10,10 @@ pref("browser.startup.page", 1); pref("browser.startup.homepage", "about:home"); pref("browser.newtabpage.enabled", true); +{% if enable_webgl %} pref("webgl.disabled", false); +{% else %} +pref("webgl.disabled", true); +{% endif %} + + diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml index 780c91a..9a94d66 100644 --- a/roles/baseline/tasks/main.yaml +++ b/roles/baseline/tasks/main.yaml 
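Review bot: The script mixes privilege levels in a way a single invocation cannot satisfy: `sudo passwd -l root` and `sudo dnf remove` assume an unprivileged caller, while `chmod u-s`, `rm -f /usr/bin/sudo` and `setcap` must already be root, and with `set -e` the first failing chmod aborts the SUID loop part-way through. `dnf remove` is run without `-y`, which under a non-interactive Ansible run blocks on a prompt nobody answers. Because the script deletes sudo, su and pkexec and locks root, it should require root up front and refuse to continue unless an alternative escalation path (run0/systemd-run, which the commit no longer checks for) is present, and it should read find's output NUL-delimited so unusual paths cannot split a line. Note also that a package update reinstalls the deleted binaries and restores their SUID bits, so this is only effective until the next dnf transaction unless it is re-run or hooked — the script does not address that.
```shell
# … unchanged: license header, whitelist, is_in_whitelist …

if [ "$(id -u)" -ne 0 ]; then
    echo "remove_suid.sh must run as root (it removes sudo/su/pkexec and locks root)" >&2
    exit 1
fi
if ! command -v run0 >/dev/null 2>&1; then
    echo "no run0 on this host; refusing to remove sudo/su/pkexec" >&2
    exit 1
fi

passwd -l root
dnf -y remove sudo-python-plugin

find /usr -type f -perm /4000 -print0 |
    while IFS= read -r -d '' binary; do
        if ! is_in_whitelist "$binary"; then
            echo "Removing SUID bit from $binary"
            chmod u-s "$binary"
        fi
    done

# … unchanged: SGID loop (same -print0 / read -d '' change), rm -f lines, set_caps_if_present …
```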
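Review bot: `{% if enable_webgl %}` has no fallback when the role is included without that variable: Ansible renders templates with a strict undefined, so a missing `enable_webgl` raises instead of evaluating false, and the only place this commit sets it is the playbook's `include_role` vars. Either add `enable_webgl: false` to the role's defaults or write the test as `{% if enable_webgl | default(false) | bool %}` so the secure default (`pref("webgl.disabled", true);`) is what renders when the caller says nothing. The `| bool` also covers the value arriving as the string "false" from extra-vars, which Jinja would otherwise treat as truthy. The two trailing blank lines added at the end of the template are noise.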
@@ -134,7 +134,7 @@ ansible.builtin.dnf5: name: 'hardened_malloc' state: 'present' - + when: use_hardened_malloc == true - name: Install custom packages ansible.builtin.dnf5: name: @@ -149,10 +149,16 @@ src: 'etc/ld.so.preload' dest: '/etc/ld.so.preload' mode: '0644' + when: use_hardened_malloc == true + - name: Enable hardened_malloc for system wide flatpak shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + when: use_hardened_malloc == true + - name: Enable hardened_malloc for user flatpak # has to be run per APP VM shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' + when: use_hardened_malloc == true + - name: Setup dnf repos ansible.builtin.copy: src: 'etc/dnf/dnf.conf'
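Review bot: The three new `when: use_hardened_malloc == true` guards compare against a boolean literal, which Ansible idiom writes as `when: use_hardened_malloc` (or `use_hardened_malloc | bool` if it may arrive as a string), and since `when` errors on an undefined variable, `when: use_hardened_malloc | default(false) | bool` is the safer form unless the role's defaults define it. The two flatpak tasks these guards wrap still run a literal `sudo flatpak override …` inside a `shell:` string; together with this commit's remove_suid.sh deleting /usr/bin/sudo, that task will fail on any run after the script has executed, and the fix is `become: true` on the task (with a non-sudo become method) rather than a sudo prefix in the command. Both are `shell:` tasks that report changed on every run; `ansible.builtin.command` with a `changed_when` would keep the play idempotent. The enclosing task list continues past the hunk.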