[initcpio] [initramfs] Allow turning off CVE mitigations

- The mitigations are slightly intrusive, and may clash
   with other, similar mitigations (especially for initramfs,
   the recommended solution is to configure the system with
   the snippet outside of Calamares).

src/modules/initcpio/InitcpioJob.cpp

@@ -59,11 +59,18 @@ InitcpioJob::exec()
 {
     CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
 
+    if ( m_unsafe )
+    {
+        cDebug() << "Skipping mitigations for unsafe initramfs permissions.";
+    }
+    else
+    {
         QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) );
         if ( d.exists() )
         {
             fixPermissions( d );
         }
+    }
 
     cDebug() << "Updating initramfs with kernel" << m_kernel;
     auto r = CalamaresUtils::System::instance()->targetEnvCommand(
@@ -94,6 +101,8 @@ InitcpioJob::setConfigurationMap( const QVariantMap& configurationMap )
                        << r.getExitCode() << r.getOutput();
         }
     }
+
+    m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );
 }
 
 CALAMARES_PLUGIN_FACTORY_DEFINITION( InitcpioJobFactory, registerPlugin< InitcpioJob >(); )

src/modules/initcpio/InitcpioJob.h

@@ -42,6 +42,7 @@ public:
 
 private:
     QString m_kernel;
+    bool m_unsafe = false;
 };
 
 CALAMARES_PLUGIN_FACTORY_DECLARATION( InitcpioJobFactory )

src/modules/initcpio/initcpio.conf

@@ -16,3 +16,8 @@
 #
 # Note that "all" is probably not a good preset to use either.
 kernel: linux312
+
+# Set this to true to turn off mitigations for lax file
+# permissions on initramfs (which, in turn, can compromise
+# your LUKS encryption keys, CVS-2019-13179).
+be_unsafe: false

src/modules/initramfs/InitramfsJob.cpp

@@ -45,6 +45,12 @@ InitramfsJob::exec()
 
     cDebug() << "Updating initramfs with kernel" << m_kernel;
 
+    if ( m_unsafe )
+    {
+        cDebug() << "Skipping mitigations for unsafe initramfs permissions.";
+    }
+    else
+    {
         // First make sure we generate a safe initramfs with suitable permissions.
         static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";
         static const char contents[] = "UMASK=0077\n";
@@ -53,6 +59,7 @@ InitramfsJob::exec()
             cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";
             // But continue anyway.
         }
+    }
 
     // And then do the ACTUAL work.
     auto r = CalamaresUtils::System::instance()->targetEnvCommand(
@@ -84,6 +91,8 @@ InitramfsJob::setConfigurationMap( const QVariantMap& configurationMap )
                        << r.getExitCode() << r.getOutput();
         }
     }
+
+    m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false );
 }
 
 CALAMARES_PLUGIN_FACTORY_DEFINITION( InitramfsJobFactory, registerPlugin< InitramfsJob >(); )

src/modules/initramfs/InitramfsJob.h

@@ -42,6 +42,7 @@ public:
 
 private:
     QString m_kernel;
+    bool m_unsafe = false;
 };
 
 CALAMARES_PLUGIN_FACTORY_DECLARATION( InitramfsJobFactory )

src/modules/initramfs/initramfs.conf

@@ -29,3 +29,8 @@
 # 3.2.9 and earlier which passed "all" as version.
 
 kernel: "all"
+
+# Set this to true to turn off mitigations for lax file
+# permissions on initramfs (which, in turn, can compromise
+# your LUKS encryption keys, CVS-2019-13179).
+be_unsafe: false