[initcpio] [initramfs] Allow turning off CVE mitigations

- The mitigations are slightly intrusive and may clash
   with other, similar mitigations. (For initramfs especially,
   the recommended solution is to configure the system with
   the snippet outside of Calamares.)
Adriaan de Groot 2019-07-06 00:04:16 +02:00
parent a761bf0280
commit 940c990268
6 changed files with 42 additions and 12 deletions


@ -59,12 +59,19 @@ InitcpioJob::exec()
{
CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) );
if ( d.exists() )
if ( m_unsafe )
{
fixPermissions( d );
cDebug() << "Skipping mitigations for unsafe initramfs permissions.";
}
else
{
QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) );
if ( d.exists() )
{
fixPermissions( d );
}
}
cDebug() << "Updating initramfs with kernel" << m_kernel;
auto r = CalamaresUtils::System::instance()->targetEnvCommand(
{ "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 );
@ -94,6 +101,8 @@ InitcpioJob::setConfigurationMap( const QVariantMap& configurationMap )
<< r.getExitCode() << r.getOutput();
}
}
m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );
}
CALAMARES_PLUGIN_FACTORY_DEFINITION( InitcpioJobFactory, registerPlugin< InitcpioJob >(); )
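Review bot: The `m_unsafe` branch in InitcpioJob::exec() reports the skipped mitigation with `cDebug()`, so an install that deliberately leaves the permissions under /boot untouched may not show that in a log read at the default level. Because this switch turns off the fix for the initramfs permission issue named in the module config, I would log it as a warning, `cWarning() << "Skipping mitigations for unsafe initramfs permissions.";`, matching the `cWarning()` already used in InitramfsJob::exec(). The same applies to the `m_unsafe` branch added to InitramfsJob::exec(). Both exec() bodies start and end outside the hunks shown.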


@ -42,6 +42,7 @@ public:
private:
QString m_kernel;
bool m_unsafe = false;
};
CALAMARES_PLUGIN_FACTORY_DECLARATION( InitcpioJobFactory )


@ -16,3 +16,8 @@
#
# Note that "all" is probably not a good preset to use either.
kernel: linux312
# Set this to true to turn off mitigations for lax file
# permissions on initramfs (which, in turn, can compromise
# your LUKS encryption keys, CVS-2019-13179).
be_unsafe: false
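Review bot: The comment added above `be_unsafe` writes the identifier as `CVS-2019-13179`; the commit title speaks of CVE mitigations, so this is presumably a typo and the line should read `# your LUKS encryption keys, CVE-2019-13179).` so that anyone searching for the advisory finds this option. The same typo is in the comment added to the initramfs module's config file. It would also help to state what the option leaves undone (per the code in this commit, the permission fix on the target's /boot is skipped for this module), so an admin who sets it knows what they must handle themselves.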


@ -44,16 +44,23 @@ InitramfsJob::exec()
CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
cDebug() << "Updating initramfs with kernel" << m_kernel;
// First make sure we generate a safe initramfs with suitable permissions.
static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";
static const char contents[] = "UMASK=0077\n";
if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() )
if ( m_unsafe )
{
cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";
// But continue anyway.
cDebug() << "Skipping mitigations for unsafe initramfs permissions.";
}
else
{
// First make sure we generate a safe initramfs with suitable permissions.
static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";
static const char contents[] = "UMASK=0077\n";
if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() )
{
cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";
// But continue anyway.
}
}
// And then do the ACTUAL work.
auto r = CalamaresUtils::System::instance()->targetEnvCommand(
{ "update-initramfs", "-k", m_kernel, "-c", "-t" }, QString(), QString(), 0 );
@ -84,6 +91,8 @@ InitramfsJob::setConfigurationMap( const QVariantMap& configurationMap )
<< r.getExitCode() << r.getOutput();
}
}
m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );
}
CALAMARES_PLUGIN_FACTORY_DEFINITION( InitramfsJobFactory, registerPlugin< InitramfsJob >(); )
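Review bot: In the `else` branch of InitramfsJob::exec(), a failed `createTargetFile()` still only logs a warning and falls through (`// But continue anyway.`), so with `be_unsafe: false` the image can still be built without the `UMASK=0077` snippet in place. Now that there is an explicit opt-out, the safe path could fail closed: return an error from exec() when the snippet cannot be written, rather than running `update-initramfs` regardless. If continuing is intended, the comment should say why it is acceptable instead of only stating that it happens. exec() begins and ends outside this hunk.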


@ -42,6 +42,7 @@ public:
private:
QString m_kernel;
bool m_unsafe = false;
};
CALAMARES_PLUGIN_FACTORY_DECLARATION( InitramfsJobFactory )


@ -29,3 +29,8 @@
# 3.2.9 and earlier which passed "all" as version.
kernel: "all"
# Set this to true to turn off mitigations for lax file
# permissions on initramfs (which, in turn, can compromise
# your LUKS encryption keys, CVS-2019-13179).
be_unsafe: false