feat: add ujust command to lock bash environment files to mitigate LD… (#365)

2025-11-03 20:07:53 +00:00 · 2024-08-09 16:14:44 -07:00
parent 3e9bfa81a9
commit 872cb784ef
2 changed files with 59 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ The following are not in scope:
 - Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
 - Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries)
 - Disable Xwayland by default (for GNOME, Plasma, and Sway images)
+- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown`
 - (Non-userns variants) Disabling unprivileged user namespaces
 - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces

--- a/files/system/usr/share/ublue-os/just/60-custom.just
+++ b/files/system/usr/share/ublue-os/just/60-custom.just
@@ -264,3 +264,61 @@ toggle-xwayland ACTION="prompt":
      fi
    fi

+# Toggle bash environment lockdown (mitigates LD_PRELOAD attacks)
+toggle-bash-environment-lockdown:
+    #!/usr/bin/bash
+    BASH_ENV_FILES=("$HOME/.bashrc" "$HOME/.bash_profile")
+    echo "${b}WARNING${n} This will overwrite your .bashrc and .bash_profile."
+    echo "This is needed to ensure the mitigation is effective."
+    echo "Do you understand?"
+    echo "Please type in \"YES I UNDERSTAND\" and press enter"
+    read ACCEPT
+    if [ "$ACCEPT" == "YES I UNDERSTAND" ]; then
+      if lsattr "${BASH_ENV_FILES[0]}" 2>/dev/null | grep -q 'i'; then
+        echo "Bash environment '(${BASH_ENV_FILES[@]})' is locked down. Unlocking it."
+        for file in "${BASH_ENV_FILES[@]}"; do
+            pkexec chattr -i "$file"
+        done
+      else
+        echo "Bash environment '(${BASH_ENV_FILES[@]})' is unlocked. Locking it."
+        echo "
+    # .bashrc
+
+    # Source global definitions
+    if [ -f /etc/bashrc ]; then
+        . /etc/bashrc
+    fi
+
+    # User specific environment
+    if ! [[ "\$PATH" =~ "\$HOME/.local/bin:\$HOME/bin:" ]]; then
+        PATH="\$HOME/.local/bin:\$HOME/bin:\$PATH"
+    fi
+    export PATH
+
+    # Uncomment the following line if you don't like systemctl's auto-paging feature:
+    # export SYSTEMD_PAGER=
+
+    unset rc
+          " > ~/.bashrc
+
+        echo "
+    # .bash_profile
+
+    # Get the aliases and functions
+    if [ -f ~/.bashrc ]; then
+        . ~/.bashrc
+    fi
+
+    # User specific environment and startup programs
+        " > ~/.bash_profile
+
+        for file in "${BASH_ENV_FILES[@]}"; do
+            pkexec chattr +i "$file"
+        done
+      fi
+    else
+      echo "Capitalization matters when you type \"YES I UNDERSTAND\""
+    fi
+
+    
+