Grsecurity had a feature that restricted access to /sys to root only. This would help hide most hardware information from ordinary users except information in /proc.
Can you please make sure this doesn’t break virt-detect that Whonixcheck uses to know if a hypervisor is supported? Also used for shared folder daemons.
Btw this can also be used to hide things like CPU info in /proc/cpuinfo or other stuff in /sys. Or we can use it to restrict hardware info to root by copying the file to a different location, changing the file’s permissions and then bind mounting it back to the original file.
I was under the impression that you couldn’t change the file permissions directly but I just tested it and it does work without overmounting.
In that case, we can just do chmod og-rwx -R /sys. Not only would this hide a whole load of hardware information, it would also prevent a bunch of security vulnerabilities as sysfs and debugfs add a lot of attack surface.
If it breaks XFCE it probably is breaking a ton of other things too. (GNOME, KDE, …?)
After $something starter is never great since this leaves room for race conditions where some daemon (for example web server) starts earlier than this.
Also since this is to prevent malware from getting root this might happen too late to help.
I’m thinking of making /sys owned by a sysfs group and making binaries that need /sys owned by the sysfs group and setgid so it would run with the permissions of the sysfs group.
I don’t really see this as a bug. There are many legitimate uses for /sys. If not, it wouldn’t be a thing in the first place.
It would break a ton of things.
The grsecurity devs even said it shouldn’t be used on desktops due to the amount of things that would break
I managed to fix XFCE just by installing the dbus-x11 package.
XFCE kept breaking with an error about /usr/bin/dbus-launch terminating but that didn’t exist so I installed the dbus-x11 package and it somehow worked. I have no idea why this fixed it.
Now whonixcheck is breaking as it tries to check if the network interface is up by running cat /sys/class/net/eth0/carrier. This can be fixed by just making whonixcheck do something like grep ip a output.
Grepping the whonixcheck source code shows that it also tries to do something with /sys/devices/system/clocksource/clocksource0/current_clocksource which would also break. Dunno how this could be fixed.
Now whonixcheck is breaking as it tries to check if the network interface is up by running cat /sys/class/net/eth0/carrier. This can be fixed by just making whonixcheck do something like grep ip a output.
Grepping the whonixcheck source code shows that it also tries to do something with /sys/devices/system/clocksource/clocksource0/current_clocksource which would also break. Dunno how this could be fixed.
How would hide-hardware-info.service be disabled by default? Is adding systemctl disable hide-hardware-info.service to debian/security-misc.postinst enough?
Consistency with other use of sudo in whonixcheck.
It’s in case sudoers exception file is modified by user or in future upgrade. Better to fail instantly and closed rather than having sudo wait forever for a password which will never be entered.
For now whonixcheck sudoers file is fairly stable but in past it got improved, more hardened. In future the way whonixcheck / sudo works may be improved. I was thinking user user should be able to run whonixcheck without sudo since it could show logs which might contain information which a user might not want to see. (Relatively minor since we probably don’t have many users following advice of Safely Use Root Commands) So changes to whonixcheck suoders file in future are possible. In past whonixcheck suoders file was modified by third parties (Qubes-VM-Hardening).