Download Kicksecure for VirtualBox:
This is a point release.
Upgrade
Alternatively, an in-place release upgrade is possible using the Kicksecure repository.
This release would not have been possible without the numerous supporters of Kicksecure!
Please Donate!
Please Contribute!
Major Changes
- usrmerge
- anon-apt-sources-list:
- allow only installation of Flatpak applications that are both from verified publishers and FLOSS (Freedom Software); this is equivalent to the flatpak `--subset=verified_floss` option
- enable Flathub repository by default: /etc/flatpak/remotes.d/flathub.flatpakrepo (source: https://flathub.org/repo/flathub.flatpakrepo; forum thread: FlatPak as a Software Source / flathub as a source of software - Development - Whonix Forum)
- apparmor-profile-torbrowser:
- fix uploads (forum thread: Cannot Upload Files with Tor Browser - AppArmor Issue - Support - Whonix Forum)
- fontconfig fix
- grub-live:
- check if a supported initrd generator is installed before adding a live mode boot menu entry
- fix detection of whether initramfs-tools is installed (forum thread: Updating Kicksecure to 17.1.1.5 breaks grub-live; thanks to kivk for the bug report!)
- helper-scripts:
- improved vanguards integration
- improved str_replace
- kicksecure-meta-packages:
- add usrmerge to kicksecure-dependencies-cli
- legacy-dist:
- set no longer required packages for auto removal (apt-mark manual: pulseaudio-qubes, pulseaudio-utils, pulseaudio)
- libvirt-dist:
- use template files for utm configs with ARCH and TARGET (Thanks to GavinPacini!)
- Merge branch ‘master’ into feat/utm-intel-amd64 (Thanks to GavinPacini!)
- fix GPU usage and Kicksecure UTM configs (Thanks to GavinPacini!)
- upgrade UTM configs and add configs for Intel_AMD64 (Thanks to GavinPacini!)
- ram-wipe:
- run inside VMs by default for simplified testing
- security-misc:
- Create proc group on install (fixes: `proc-hidepid.service` fails if proc user does not exist · Issue #210 · Kicksecure/security-misc · GitHub; Thanks to wryMitts!)
- `proc-hidepid.service`: add `gid=proc`. This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. (`proc-hidepid.service`: Fixing Systemd related issues · Issue #208 · Kicksecure/security-misc · GitHub)
- fix panic-on-oops started every 10s in Qubes-Whonix by changing from an /etc/profile.d based start mechanism to a systemd unit file based approach (Thanks to @marmarek for the bug report! forum thread: panic-on-oops started every 10s - Qubes-Whonix - Whonix Forum)
- hide-hardware-information.service
- Add option to disable /sys hardening (Thanks to Daniel Winzen!)
- Allow access to /sys/fs for polkit (Thanks to Daniel Winzen!)
- Remove hardcoded `spec_rstack_overflow` setting (Thanks to raja-grewal!)
- Control RAS overflow mitigation on AMD Zen CPUs (Thanks to raja-grewal!)
- Enable mitigations for RETBleed vulnerability and disable SMT (Thanks to raja-grewal!)
- Enable known mitigations for CPU vulnerabilities and disable SMT (Thanks to raja-grewal!)
- Add reference for kernel parameters (Thanks to raja-grewal!)
- use `interest-noawait` instead of `interest-await` (fixes: automatic trigger of permission-hardener after APT package installation broken · Issue #196 · Kicksecure/security-misc · GitHub)
- use wildcards instead of an outdated, incomplete list (RPM packaging · Issue #160 · Kicksecure/security-misc · GitHub)
- run permission-hardener when newly installed packages install files to /usr or /opt (basically anywhere) (fixes: run permission-hardener after APT package installation · Issue #189 · Kicksecure/security-misc · GitHub)
- README
- update permission-hardener.service, which is now only an additional opt-in systemd unit, because permission-hardener is run by default at security-misc package installation time (Clean permission-hardener by ben-grande · Pull Request #181 · Kicksecure/security-misc · GitHub)
- delete legacy folder /etc/permission-hardening.d if empty (Clean permission-hardener by ben-grande · Pull Request #181 · Kicksecure/security-misc · GitHub)
- undo IPv6 privacy extensions due to potential server issues (MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub)
- revert umask 027 by default because it is broken: the restriction also applied to root, which it should not (Restrict umask to 027 except for sudo/root broken · Issue #185 · Kicksecure/security-misc · GitHub)
- disable MAC randomization in NetworkManager (NM) because it breaks VirtualBox DHCP (MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub)
- Clarify validity of disabling io_uring (Thanks to Raja Grewal!)
- SUID Disabler and Permission Hardener improvements (Thanks to Ben Grande!)
- Disable asynchronous I/O: io_uring creation is disabled for all processes, so io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. (Thanks to Raja Grewal!)
- swap-file-creator:
- skip on ISO
- fix VM detection so that hibernation-related swap file size calculation considerations are disabled inside VMs
- tb-starter:
- add support for mullvad browser (Thanks to fyqwbdzsfjh!)
- tb-updater:
- fix: no longer hardcode user "user" in Qubes; use `qubesdb-read /default-user` to get the Qubes default user name
- run /usr/libexec/tb-updater/tb-permission-fix in Qubes Template and App Qube to fix a potential race condition
- improve arm64 support (Thanks to GavinPacini!)
- fail open by default inside chroot when Tor Browser cannot be installed
- usability-misc:
- Linux VirtualBox Installer:
- find out local usability-misc package version
- Partial fix for locale support (Thanks to grass!)
- fix detection of how many packages require upgrading (forum thread: ["SOLVED" i suppose] Debian 12 whonix-xfce-installer-cli reports packages can be upgraded although already upgraded - non-English language bug - Support - Whonix Forum)
- Replace --destroy-all with --import-only=both (Thanks to grass!)
- Remove inconsistent .vbox state when asked (Thanks to grass!)
- avoid starting duplicate VirtualBox GUI if already running
- replace `--reimport` with `--destroy-existing-guest`
- if package upgrades are available, allow proceeding anyhow when using `--noupdate`
- vm-config-dist:
- fix: make /etc/profile.d scripts silent and not output stderr, in case systemd-detect-virt writes to stderr, as this can break Qubes UpdatesProxy (forum thread: hide-hardware-information.service running in sys-whonix breaks APT and update-torbrowser - Qubes-Whonix - Whonix Forum)
- derivative-maker:
- improve git submodule fetching
- sanity test: error out when attempting to build `--target virtualbox` on an architecture unsupported by VirtualBox
- improve multiple architecture support
- lower debugging
- disable Qubes notify hook on build machine
- start using safe-rm
- implement deletion for `--target utm`
- utm: add tar options towards reproducible builds
- consistently set /etc/hostname to localhost during base image creation
- fix: ISO: set Kicksecure /etc/hostname consistently to localhost (forum thread: Kicksecure /etc/hostname /etc/hosts - Development - Whonix Forum)
- add /etc/hostname sanity test
- allow creation and use of cached raw image to speed up the build
- CI:
- Replace deprecated DigitalOcean api key for automated builder (Thanks to Rob Stringer!)
- work towards trim support: use `VBoxManage storageattach` with `--nonrotational=on --discard=on` (forum thread: Auto-trimming Workstation to shrink disk usage - Support - Whonix Forum)
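The following is an added example, not Kicksecure's or security-misc's own code. It is a POSIX shell script for checking two of the security-misc items above on a booted system: whether /proc is mounted with hidepid and which `gid=` group is exempt (the `gid=proc` mechanism of proc-hidepid.service), and which CPU mitigation parameters (mitigations=, retbleed=, spec_rstack_overflow=) the kernel was booted with and whether any of them disables SMT. The parsers take their input as arguments so they can be exercised on constructed strings; the `live_report` function assumes a Linux host layout where /proc/mounts lists procfs options (hidepid appears as `hidepid=invisible` or `hidepid=2`, the gid= value numerically), /proc/cmdline holds the kernel command line and /sys/devices/system/cpu/smt/control reports SMT state. The parameter values shown in comments are illustrative, not the values security-misc sets.

```shell
#!/bin/sh
# hardening-state.sh: added example; not part of security-misc or Kicksecure.
# Checks hidepid/gid= on the procfs mount and CPU mitigation kernel parameters.

# parse_proc_opts OPTS
# OPTS is the 4th field of the procfs line in /proc/mounts, e.g.
# "rw,nosuid,nodev,noexec,relatime,hidepid=invisible,gid=1001".
# Prints "<hidepid> <gid>", using "off" / "none" when an option is absent.
parse_proc_opts() {
    _hidepid=off
    _gid=none
    _saved_ifs=$IFS
    IFS=,
    for _opt in $1; do
        case $_opt in
            hidepid=*) _hidepid=${_opt#hidepid=} ;;
            gid=*)     _gid=${_opt#gid=} ;;
        esac
    done
    IFS=$_saved_ifs
    printf '%s %s\n' "$_hidepid" "$_gid"
}

# hidepid_exempt HIDEPID GID GROUPS
# GROUPS is the user's space-separated group list (numeric ids and/or names).
# Prints "yes" when the user is not subject to hidepid: either hidepid is off,
# or one of the groups equals the mount's gid= value. Always returns 0.
hidepid_exempt() {
    case $1 in
        off|0) echo yes; return 0 ;;
    esac
    for _g in $3; do
        if [ "$_g" = "$2" ]; then echo yes; return 0; fi
    done
    echo no
}

# cmdline_param CMDLINE NAME
# Prints the value of NAME=value from a kernel command line, "set" for a bare
# flag, or "unset" when absent. The last occurrence wins, as the kernel does.
cmdline_param() {
    _val=unset
    for _tok in $1; do
        case $_tok in
            "$2"=*) _val=${_tok#*=} ;;
            "$2")   _val=set ;;
        esac
    done
    printf '%s\n' "$_val"
}

# smt_disabled_by_cmdline CMDLINE
# Prints "yes" if the command line asks the kernel to disable SMT: a bare
# "nosmt" (or nosmt=force), or a ",nosmt" element in mitigations= or retbleed=.
smt_disabled_by_cmdline() {
    case $(cmdline_param "$1" nosmt) in
        set|force) echo yes; return 0 ;;
    esac
    for _p in mitigations retbleed; do
        case $(cmdline_param "$1" "$_p") in
            nosmt|*,nosmt|*,nosmt,*) echo yes; return 0 ;;
        esac
    done
    echo no
}

# live_report: run the parsers against the booted system (assumed paths).
live_report() {
    _opts=$(awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }' /proc/mounts)
    set -- $(parse_proc_opts "$_opts")
    echo "hidepid=$1 gid=$2 current-user-exempt=$(hidepid_exempt "$1" "$2" "$(id -G) $(id -Gn)")"
    _cmd=$(cat /proc/cmdline)
    echo "mitigations=$(cmdline_param "$_cmd" mitigations) retbleed=$(cmdline_param "$_cmd" retbleed) spec_rstack_overflow=$(cmdline_param "$_cmd" spec_rstack_overflow)"
    echo "smt-disabled-by-cmdline=$(smt_disabled_by_cmdline "$_cmd") smt-control=$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || echo unavailable)"
}

# Only report when executed as a script under this name, so the functions can
# also be sourced into another shell without side effects.
case ${0##*/} in
    hardening-state.sh) live_report ;;
esac
```

Save it as hardening-state.sh and run it as an unprivileged user and then via sudo: a user outside the `proc` group should see `current-user-exempt=no` while root, whose group list contains the exempt gid only if added to the proc group, may still see `no` and is instead exempt through CAP_SYS_PTRACE. The `smt-control` line is the authoritative answer on SMT; the command line parse only shows what was requested.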