fix: move custom kicksecure settings to dev state

Fixes: #12 Fixes: #14 Fixes: #15
ben-grande · Feb 2, 2024 · 9ee9b04 · 9ee9b04
1 parent 4b87d93
commit 9ee9b04
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 20 deletions.
diff --git a/salt/kicksecure-minimal/README.md b/salt/kicksecure-minimal/README.md
@@ -42,3 +42,27 @@ qubesctl --skip-dom0 --targets=kicksecure-17-minimal state.apply kicksecure-mini
 ## Usage
 
 AppVMs and StandaloneVMs can be based on this template.
+
+### Kicksecure Developers
+
+This is intended for Kicksecure Developers to test known to be broken
+hardening measures. It is not intended for other developers or users.
+
+After you have ran the developers SaltFile, when reporting bugs upstream,
+share the following information of the customizations made by this formula:
+
+- `hardened-malloc`:
+```
+libhardened_malloc.so
+```
+
+- `hide-hardware-info`:
+```
+sysfs_whitelist=0
+cpuionfo_whitelist=0
+```
+
+- `permission-hardener`:
+```
+whitelists_disable_all=true
+```
diff --git a/salt/kicksecure-minimal/install-developers.sls b/salt/kicksecure-minimal/install-developers.sls
@@ -24,6 +24,28 @@ include:
       - lkrg
       - tirdad
 
+## Breaks browsers.
+"{{ slsdotpath }}-hardened-malloc-preload":
+  file.managed:
+    - require:
+      - pkg: "{{ slsdotpath }}-installed"
+    - name: /etc/ld.so.preload
+    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
+
+## Does not break (maybe), present here because it is not the default.
+"{{ slsdotpath }}-permission-hardener-conf":
+  file.managed:
+    - name: /etc/permission-hardener.d/40_qusal.conf
+    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
+    - mode: '0600'
+    - user: root
+    - group: root
+    - makedirs: True
+
 ## Breaks systemd service qubes-gui-agent
 "{{ slsdotpath }}-proc-hidepid-enabled":
   service.enabled:

diff --git a/salt/kicksecure-minimal/install.sls b/salt/kicksecure-minimal/install.sls
@@ -43,26 +43,6 @@ include:
     - regex: "^\s*deb"
     - ignore_missing: True
 
-"{{ slsdotpath }}-permission-hardener-conf":
-  file.managed:
-    - name: /etc/permission-hardener.d/40_qusal.conf
-    - source: salt://{{ slsdotpath }}/files/template/permission-hardener.d/40_qusal.conf
-    - mode: '0600'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-hardened-malloc-preload":
-  file.managed:
-    - require:
-      - pkg: "{{ slsdotpath }}-installed"
-    - name: /etc/ld.so.preload
-    - source: salt://{{ slsdotpath }}/files/template/ld.so.preload
-    - mode: '0644'
-    - user: root
-    - group: root
-    - makedirs: True
-
 "{{ slsdotpath }}-distribution-kernel":
   cmd.run:
     - require: