scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-04 12:28:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add ujust command to lock bash environment files to mitigate LD… (#365)

Browse Source
This commit is contained in:
qoijjj
2024-08-09 16:14:44 -07:00
committed by GitHub
parent 3e9bfa81a9
commit 872cb784ef
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -49,6 +49,7 @@ The following are not in scope:
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned` - Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries) - Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries)
- Disable Xwayland by default (for GNOME, Plasma, and Sway images) - Disable Xwayland by default (for GNOME, Plasma, and Sway images)
- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown`
- (Non-userns variants) Disabling unprivileged user namespaces - (Non-userns variants) Disabling unprivileged user namespaces
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces

58
files/system/usr/share/ublue-os/just/60-custom.just
View File

@@ -264,3 +264,61 @@ toggle-xwayland ACTION="prompt":
fi fi
fi fi
# Toggle bash environment lockdown (mitigates LD_PRELOAD attacks)
toggle-bash-environment-lockdown:
#!/usr/bin/bash
BASH_ENV_FILES=("$HOME/.bashrc" "$HOME/.bash_profile")
echo "${b}WARNING${n} This will overwrite your .bashrc and .bash_profile."
echo "This is needed to ensure the mitigation is effective."
echo "Do you understand?"
echo "Please type in \"YES I UNDERSTAND\" and press enter"
read ACCEPT
if [ "$ACCEPT" == "YES I UNDERSTAND" ]; then
if lsattr "${BASH_ENV_FILES[0]}" 2>/dev/null | grep -q 'i'; then
echo "Bash environment '(${BASH_ENV_FILES[@]})' is locked down. Unlocking it."
for file in "${BASH_ENV_FILES[@]}"; do
pkexec chattr -i "$file"
done
else
echo "Bash environment '(${BASH_ENV_FILES[@]})' is unlocked. Locking it."
echo "
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific environment
if ! [[ "\$PATH" =~ "\$HOME/.local/bin:\$HOME/bin:" ]]; then
PATH="\$HOME/.local/bin:\$HOME/bin:\$PATH"
fi
export PATH
# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=
unset rc
" > ~/.bashrc
echo "
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
" > ~/.bash_profile
for file in "${BASH_ENV_FILES[@]}"; do
pkexec chattr +i "$file"
done
fi
else
echo "Capitalization matters when you type \"YES I UNDERSTAND\""
fi