diff --git a/src/modules/initcpio/InitcpioJob.cpp b/src/modules/initcpio/InitcpioJob.cpp index d0d825cbf..38017d83e 100644 --- a/src/modules/initcpio/InitcpioJob.cpp +++ b/src/modules/initcpio/InitcpioJob.cpp @@ -59,12 +59,19 @@ InitcpioJob::exec() { CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe ); - QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) ); - if ( d.exists() ) + if ( m_unsafe ) { - fixPermissions( d ); + cDebug() << "Skipping mitigations for unsafe initramfs permissions."; } - + else + { + QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) ); + if ( d.exists() ) + { + fixPermissions( d ); + } + } + cDebug() << "Updating initramfs with kernel" << m_kernel; auto r = CalamaresUtils::System::instance()->targetEnvCommand( { "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 ); @@ -94,6 +101,8 @@ InitcpioJob::setConfigurationMap( const QVariantMap& configurationMap ) << r.getExitCode() << r.getOutput(); } } + + m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false ); } CALAMARES_PLUGIN_FACTORY_DEFINITION( InitcpioJobFactory, registerPlugin< InitcpioJob >(); ) diff --git a/src/modules/initcpio/InitcpioJob.h b/src/modules/initcpio/InitcpioJob.h index 7c0bcf2df..11358d749 100644 --- a/src/modules/initcpio/InitcpioJob.h +++ b/src/modules/initcpio/InitcpioJob.h @@ -42,6 +42,7 @@ public: private: QString m_kernel; + bool m_unsafe = false; }; CALAMARES_PLUGIN_FACTORY_DECLARATION( InitcpioJobFactory ) diff --git a/src/modules/initcpio/initcpio.conf b/src/modules/initcpio/initcpio.conf index 487a0289d..8ad71e9f5 100644 --- a/src/modules/initcpio/initcpio.conf +++ b/src/modules/initcpio/initcpio.conf @@ -16,3 +16,8 @@ # # Note that "all" is probably not a good preset to use either. kernel: linux312 + +# Set this to true to turn off mitigations for lax file +# permissions on initramfs (which, in turn, can compromise +# your LUKS encryption keys, CVS-2019-13179). +be_unsafe: false diff --git a/src/modules/initramfs/InitramfsJob.cpp b/src/modules/initramfs/InitramfsJob.cpp index c96bbb059..01d400443 100644 --- a/src/modules/initramfs/InitramfsJob.cpp +++ b/src/modules/initramfs/InitramfsJob.cpp @@ -44,16 +44,23 @@ InitramfsJob::exec() CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe ); cDebug() << "Updating initramfs with kernel" << m_kernel; - - // First make sure we generate a safe initramfs with suitable permissions. - static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf"; - static const char contents[] = "UMASK=0077\n"; - if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() ) + + if ( m_unsafe ) { - cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs."; - // But continue anyway. + cDebug() << "Skipping mitigations for unsafe initramfs permissions."; } - + else + { + // First make sure we generate a safe initramfs with suitable permissions. + static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf"; + static const char contents[] = "UMASK=0077\n"; + if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() ) + { + cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs."; + // But continue anyway. + } + } + // And then do the ACTUAL work. auto r = CalamaresUtils::System::instance()->targetEnvCommand( { "update-initramfs", "-k", m_kernel, "-c", "-t" }, QString(), QString(), 0 ); @@ -84,6 +91,8 @@ InitramfsJob::setConfigurationMap( const QVariantMap& configurationMap ) << r.getExitCode() << r.getOutput(); } } + + m_unsafe = CalamaresUtils::getBool( configurationMap, "be_unsafe", false ); } CALAMARES_PLUGIN_FACTORY_DEFINITION( InitramfsJobFactory, registerPlugin< InitramfsJob >(); ) diff --git a/src/modules/initramfs/InitramfsJob.h b/src/modules/initramfs/InitramfsJob.h index 63aed4136..9eeb81fea 100644 --- a/src/modules/initramfs/InitramfsJob.h +++ b/src/modules/initramfs/InitramfsJob.h @@ -42,6 +42,7 @@ public: private: QString m_kernel; + bool m_unsafe = false; }; CALAMARES_PLUGIN_FACTORY_DECLARATION( InitramfsJobFactory ) diff --git a/src/modules/initramfs/initramfs.conf b/src/modules/initramfs/initramfs.conf index 4e5eda202..a989d83c3 100644 --- a/src/modules/initramfs/initramfs.conf +++ b/src/modules/initramfs/initramfs.conf @@ -29,3 +29,8 @@ # 3.2.9 and earlier which passed "all" as version. kernel: "all" + +# Set this to true to turn off mitigations for lax file +# permissions on initramfs (which, in turn, can compromise +# your LUKS encryption keys, CVS-2019-13179). +be_unsafe: false