JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**too  much whitespace**
This is unnecessary whitespace from the html line:
  <h5 id="siteSub" class="subtitle"></h5>
which shows nothing + padding all h5's get.
The proper way, I presume, is to tell mediawiki to not display "subtitle", whatever that is. It seems to be similar to "tagline" which is set to "From Whonix" and outputted in html but set to hidden via css (dumb but whatever).

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**clickable expand button inside text**
Done. Check: https://www.whonix.org/wiki/Template:Reload_Tor

In T868#19258, @JasonJAyalaP wrote:

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

In T868#19257, @JasonJAyalaP wrote:

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

clickable expand button inside text

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

too much whitespace
This is unnecessary whitespace from the html line:

In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

An interesting product that triggers a system wipe if the cable is pulled:

The loader of tirdad is currently using dmesg.

In T950#19231, @madaidan wrote:

quiet

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Still wondering if initramfs modification this can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Sounds good.

https://github.com/Whonix/security-misc/pull/51

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Would an audit denyrule for /boot be useful for the sake of audit?

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

https://github.com/Whonix/security-misc/commit/ede536913daa0c7ddfe55e20c93d7b752daa5de3

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

https://github.com/Whonix/security-misc/pull/50

/boot/ is already unreadable.

Should this be set in the initramfs?

That worked.

We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as