#!/usr/bin/env bash # Copied from The Secureblue Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software distributed under the License is # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and limitations under the License. set -oue pipefail # Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage whitelist=( # Need to allowlist qrexec binaries to ensure qubes templates (hopefully) don't break, not sure why they're duplicated in /usr/bin and /usr/sbin "/usr/bin/qfile-unpacker" "/usr/sbin/qfile-unpacker" "/usr/lib/qubes/qfile-unpacker" "/usr/bin/qrexec-client-vm" "/usr/sbin/qrexec-client-vm" "/usr/bin/qrexec-fork-server" "/usr/sbin/qrexec-fork-server" "/usr/bin/qrexec-legacy-convert" "/usr/sbin/qrexec-legacy-convert" "/usr/bin/qrexec-policy" "/usr/sbin/qrexec-policy" "/usr/bin/qrexec-policy-agent" "/usr/sbin/qrexec-policy-agent" "/usr/bin/qrexec-policy-daemon" "/usr/sbin/qrexec-policy-daemon" "/usr/bin/qrexec-policy-exec" "/usr/sbin/qrexec-policy-exec" "/usr/bin/qrexec-policy-graph" "/usr/sbin/qrexec-policy-graph" "/usr/bin/qrexec-policy-restore" "/usr/sbin/qrexec-policy-restore" # Required for nvidia closed driver images "/usr/bin/nvidia-modprobe" # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 "/usr/lib/polkit-1/polkit-agent-helper-1" # https://github.com/secureblue/secureblue/issues/119 # Required for hardened_malloc to be used by suid-root processes "/usr/lib64/libhardened_malloc-light.so" "/usr/lib64/libhardened_malloc-pkey.so" "/usr/lib64/libhardened_malloc.so" "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so" "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so" "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so" "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so" "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so" "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so" ) is_in_whitelist() { local binary="$1" for allowed_binary in "${whitelist[@]}"; do if [ "$binary" = "$allowed_binary" ]; then return 0 fi done return 1 } passwd -l root dnf remove sudo-python-plugin find /usr -type f -perm /4000 | while IFS= read -r binary; do if ! is_in_whitelist "$binary"; then echo "Removing SUID bit from $binary" chmod u-s "$binary" echo "Removed SUID bit from $binary" fi done find /usr -type f -perm /2000 | while IFS= read -r binary; do if ! is_in_whitelist "$binary"; then echo "Removing SGID bit from $binary" chmod g-s "$binary" echo "Removed SGID bit from $binary" fi done rm -f /usr/bin/chsh rm -f /usr/bin/chfn rm -f /usr/bin/pkexec rm -f /usr/bin/sudo rm -f /usr/bin/su rm -f /usr/bin/run0 set_caps_if_present() { local caps="$1" local binary_path="$2" if [ -f "$binary_path" ]; then echo "Setting caps $caps on $binary_path" setcap "$caps" "$binary_path" echo "Set caps $caps on $binary_path" fi } set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/bin/chage" set_caps_if_present "cap_sys_admin=ep" "/usr/bin/fusermount3" set_caps_if_present "cap_dac_read_search,cap_audit_write=ep" "/usr/sbin/unix_chkpwd"