JasonJAyalaP (Jason J. Ayala P.):
JasonJAyalaP added a comment.
**too much whitespace** This is unnecessary whitespace from the html line: <h5 id="siteSub" class="subtitle"></h5> which shows nothing + padding all h5's get. The proper way, I presume, is to tell mediawiki to not display "subtitle", whatever that is. It seems to be similar to "tagline" which is set to "From Whonix" and outputted in html but set to hidden via css (dumb but whatever).
JasonJAyalaP (Jason J. Ayala P.):
JasonJAyalaP added a comment.
**clickable expand button inside text** Done. Check: https://www.whonix.org/wiki/Template:Reload_Tor
In T868#19258, @JasonJAyalaP wrote:replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.
In T868#19257, @JasonJAyalaP wrote:two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?
clickable expand button inside text
replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.
two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?
too much whitespace
This is unnecessary whitespace from the html line:
In T950#19249, @Patrick wrote:
An interesting product that triggers a system wipe if the cable is pulled:
In T950#19231, @madaidan wrote:quiet
This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.
Still wondering if initramfs modification this can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...
Sounds good.
We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.
Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.
Would an audit denyrule for /boot be useful for the sake of audit?
I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.
Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.
/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.
Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.
Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.
/boot/ is already unreadable.
Should this be set in the initramfs?
That worked.
We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as
It looks like bpfilter is in rather early stages, and it's few years until we'll see it in Debian.
Or skip nftables and use Berkeley Packet Filter (BPF)?
Awesome!
I created the issue:
Could you add to git please?
Works.
Try adding:
Good enough.
Not a problem anymore.