wip: bugfixed and performance improvements
This commit is contained in:
		
							parent
							
								
									469c3f0441
								
							
						
					
					
						commit
						2c44ee4e68
					
				
					 4 changed files with 113 additions and 13 deletions
				
			
		|  | @ -8,7 +8,8 @@ | ||||||
|       vars: |       vars: | ||||||
|         umask_changes: true |         umask_changes: true | ||||||
|         manage_network: true |         manage_network: true | ||||||
|         allow_ptrace: false # turn off for gvisor |         allow_ptrace: false  | ||||||
|  |         use_hardened_malloc: true | ||||||
|    |    | ||||||
|     - name: 'Gnome package stuff' |     - name: 'Gnome package stuff' | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.include_role: | ||||||
|  | @ -21,6 +22,8 @@ | ||||||
|     - name: 'Setup arkenfox' |     - name: 'Setup arkenfox' | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.include_role: | ||||||
|         name: arkenfox |         name: arkenfox | ||||||
|  |         vars: | ||||||
|  |           enable_webgl: false | ||||||
| 
 | 
 | ||||||
|     - name: 'Install wireguard-tools and neovim' |     - name: 'Install wireguard-tools and neovim' | ||||||
|       ansible.builtin.dnf5: |       ansible.builtin.dnf5: | ||||||
|  | @ -29,14 +32,6 @@ | ||||||
|           - neovim |           - neovim | ||||||
|         state: 'present' |         state: 'present' | ||||||
|    |    | ||||||
|     - name: 'Install devtools' |  | ||||||
|       ansible.builtin.include_role: |  | ||||||
|         name: devtools |  | ||||||
| 
 |  | ||||||
|     - name: 'Handle SUID binaries' |     - name: 'Handle SUID binaries' | ||||||
|       ansible.builtin.include_role: |       ansible.builtin.script: | ||||||
|         name: suid_role |         name: ./remove_suid.sh | ||||||
|       vars: |  | ||||||
|         allow_run0: true |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|  |  | ||||||
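Review bot: The new `ansible.builtin.script: ./remove_suid.sh` task carries no `become: true`, and the script it runs changes modes and deletes files under /usr and calls `setcap`, so unless the play sets `become` outside this hunk the script aborts at its first `chmod u-s` because it runs under `set -e`. The replaced `suid_role` was passed `allow_run0: true`; the script has no equivalent setting, so that intent is now implicit and deserves a comment on the task such as `# replaces suid_role (allow_run0: true) — remove_suid.sh has no equivalent knob`. The `# turn off for gvisor` comment on `allow_ptrace: false` was dropped in the first hunk while the value stayed; keep it, since the reason for the value is otherwise lost.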
							
								
								
									
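--- /dev/null
+++ b/remove_suid.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# Copied from The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
+
+whitelist=(
+    # Required for nvidia closed driver images
+    "/usr/bin/nvidia-modprobe"
+    # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
+    "/usr/lib/polkit-1/polkit-agent-helper-1"
+    # https://github.com/secureblue/secureblue/issues/119
+    # Required for hardened_malloc to be used by suid-root processes
+    "/usr/lib64/libhardened_malloc-light.so"
+    "/usr/lib64/libhardened_malloc-pkey.so"
+    "/usr/lib64/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
+    "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
+)
+
+
+is_in_whitelist() {
+    local binary="$1"
+    for allowed_binary in "${whitelist[@]}"; do
+        if [ "$binary" = "$allowed_binary" ]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+sudo passwd -l root
+sudo dnf remove sudo-python-plugin
+
+find /usr -type f -perm /4000 |
+    while IFS= read -r binary; do
+        if ! is_in_whitelist "$binary"; then
+            echo "Removing SUID bit from $binary"
+            chmod u-s "$binary"
+            echo "Removed SUID bit from $binary"
+        fi
+    done
+
+find /usr -type f -perm /2000 |
+    while IFS= read -r binary; do
+        if ! is_in_whitelist "$binary"; then
+            echo "Removing SGID bit from $binary"
+            chmod g-s "$binary"
+            echo "Removed SGID bit from $binary"
+        fi
+    done
+
+rm -f /usr/bin/chsh
+rm -f /usr/bin/chfn
+rm -f /usr/bin/pkexec
+rm -f /usr/bin/sudo
+rm -f /usr/bin/su
+
+set_caps_if_present() {
+    local caps="$1"
+    local binary_path="$2"
+    if [ -f "$binary_path" ]; then
+        echo "Setting caps $caps on $binary_path"
+        setcap "$caps" "$binary_path"
+        echo "Set caps $caps on $binary_path"
+    fi
+}
+
+set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage"
+set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3"
+set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"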
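Review bot: `sudo dnf remove sudo-python-plugin` has no `-y`, so when the new `ansible.builtin.script` task runs this file without a TTY, dnf's confirmation prompt reads EOF and exits non-zero, and `set -e` aborts the script before a single SUID/SGID bit is touched; write `dnf remove -y sudo-python-plugin` (dnf5 may also exit non-zero when the package is already absent, which is worth checking). The two `sudo` prefixes are inconsistent with the rest of the script, which runs `chmod u-s`, `rm -f /usr/bin/sudo` and `setcap` unprivileged — the script has to run as root (for example `become: true` on the calling task) and the `sudo` prefixes should go, otherwise it ends up deleting the tool it depends on. The `rm -f` of `/usr/bin/chsh`, `/usr/bin/chfn`, `/usr/bin/pkexec`, `/usr/bin/sudo` and `/usr/bin/su` deletes files that on this dnf5-managed host belong to installed packages, so they presumably reappear on the next update of those packages; either remove them at the package level or document that the script must be re-run after updates. With root locked and su/sudo/pkexec deleted, a header comment should state what escalation path remains (the replaced role was configured with `allow_run0: true`), so the next maintainer does not lock themselves out.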
|  | @ -10,4 +10,10 @@ pref("browser.startup.page", 1); | ||||||
| pref("browser.startup.homepage", "about:home"); | pref("browser.startup.homepage", "about:home"); | ||||||
| pref("browser.newtabpage.enabled", true); | pref("browser.newtabpage.enabled", true); | ||||||
| 
 | 
 | ||||||
|  | {% if enable_webgl %} | ||||||
| pref("webgl.disabled", false); | pref("webgl.disabled", false); | ||||||
|  | {% else %} | ||||||
|  | pref("webgl.disabled", true); | ||||||
|  | {% endif %} | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |  | ||||||
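Review bot: `{% if enable_webgl %}` makes the template fail with an undefined-variable error for any caller of the arkenfox role that does not pass `enable_webgl`, unless the role's defaults (not in this diff) already define it; adding `enable_webgl: false` to the role's `defaults/main.yml` makes the restrictive setting the default instead of a hard failure. A one-line comment above the block, `// webgl.disabled is templated from the role variable enable_webgl`, would tell a reader of the rendered prefs file where the value comes from.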
|  | @ -134,7 +134,7 @@ | ||||||
|   ansible.builtin.dnf5: |   ansible.builtin.dnf5: | ||||||
|     name: 'hardened_malloc' |     name: 'hardened_malloc' | ||||||
|     state: 'present' |     state: 'present' | ||||||
| 
 |   when: use_hardened_malloc == true | ||||||
| - name: Install custom packages | - name: Install custom packages | ||||||
|   ansible.builtin.dnf5: |   ansible.builtin.dnf5: | ||||||
|     name: |     name: | ||||||
|  | @ -149,10 +149,16 @@ | ||||||
|     src: 'etc/ld.so.preload' |     src: 'etc/ld.so.preload' | ||||||
|     dest: '/etc/ld.so.preload' |     dest: '/etc/ld.so.preload' | ||||||
|     mode: '0644' |     mode: '0644' | ||||||
|  |   when: use_hardened_malloc == true | ||||||
|  | 
 | ||||||
| - name: Enable hardened_malloc for system wide flatpak | - name: Enable hardened_malloc for system wide flatpak | ||||||
|   shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' |   shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' | ||||||
|  |   when: use_hardened_malloc == true | ||||||
|  | 
 | ||||||
| - name: Enable hardened_malloc for user flatpak # has to be run per APP VM | - name: Enable hardened_malloc for user flatpak # has to be run per APP VM | ||||||
|   shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' |   shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so' | ||||||
|  |   when: use_hardened_malloc == true | ||||||
|  | 
 | ||||||
| - name: Setup dnf repos | - name: Setup dnf repos | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
|     src: 'etc/dnf/dnf.conf' |     src: 'etc/dnf/dnf.conf' | ||||||
|  |  | ||||||
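Review bot: `when: use_hardened_malloc == true` on the hardened_malloc install task, repeated three more times in the second hunk, compares against a boolean literal, so a value supplied as the string `"true"` (extra-vars, inventory) makes every condition false and silently skips the install and preload setup while the play still reports success; the idiomatic form is `when: use_hardened_malloc | bool`. The four conditions are identical and the tasks form one feature, so a `block:` with a single `when:` would keep them from drifting apart. The system-flatpak task the new guard attaches to runs `sudo flatpak override` via `shell`; since this commit's remove_suid.sh deletes `/usr/bin/sudo`, that command fails if the SUID task runs before this role — `become: true` on the task instead of the embedded `sudo` avoids the ordering dependency.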
	 mustard
						mustard