testsAndMisc/docs/superpowers/contracts/digital-wellbeing-bypass-hardening-2026-05.json
Krzysztof kuhy Rudnicki b96f6801b6 security: harden digital-wellbeing bypass vectors
- Screen locker: disable VT switching (Ctrl+Alt+Fn) via setxkbmap
  srvrkeys:none on startup; restore on close (production mode only).
  Gracefully skips if setxkbmap is not installed (shutil.which).
  Tests: 7 new tests, 100% branch coverage maintained.

- Midnight shutdown: restore real schedule values (Mon-Wed 21:00,
  Thu-Sun 22:00, morning end 05:00); re-enable the three commented-out
  leniency checks in check_schedule_protection(); self-lock script with
  chattr +i at end of enable_midnight_shutdown().

- Hosts install: add UNBLOCK_STATE_FILE tracking for whitelisted domains;
  check_unblock_entries_protection() blocks installation if the unblock
  list grows; save state after install; self-lock install.sh and
  generate_hosts_file.sh with chattr +i.
2026-05-16 15:41:40 +02:00

{
  "title": "Harden digital-wellbeing bypass vectors",
  "objective": "Close three easy bypass vectors in the digital-wellbeing tooling: (1) screen locker bypassed by switching to a TTY with Ctrl+Alt+Fn, (2) midnight shutdown disabled by editing schedule constants or commenting out protection checks, (3) hosts-file unblock list silently expanded by adding sed commands. Success means each vector requires deliberate multi-step effort (manual chattr -i + code edits) rather than a single trivial command.",
  "acceptance_criteria": [
    "Screen locker calls setxkbmap -option srvrkeys:none on startup and restores on close in production mode only",
    "setup_midnight_shutdown.sh constants are 21/22/5 and all three leniency checks are active (uncommented)",
    "setup_midnight_shutdown.sh self-locks with chattr +i after enable_midnight_shutdown() completes",
    "install.sh tracks whitelisted domains in /etc/hosts.unblock-entries.state (chattr +i) and blocks install if the list grows",
    "install.sh and generate_hosts_file.sh self-lock with chattr +i after a successful install",
    "screen_locker package maintains 100% branch coverage (311 tests pass)"
  ],
  "out_of_scope": [
    "Preventing root from bypassing chattr +i (requires kernel-level controls)",
    "Changes to the actual blocked or unblocked domain list",
    "Hardening against SIGKILL of the screen locker process"
  ],
  "verifier": "pre-commit run --files <changed-files>; python -m pytest python_pkg/screen_locker/tests/ --cov=python_pkg.screen_locker --cov-branch"
}
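
One way to implement the "block install if the unblock list grows" check named in the commit message and acceptance criteria, as an added example that is not the project's install.sh. The one-domain-per-line file format and the function names are assumptions; in production the state path would be /etc/hosts.unblock-entries.state.

```shell
#!/bin/sh
# Added illustration, not the project's code. Assumes the unblock list and the
# saved state are plain text files with one domain per line ('#' comments allowed).

# Print the domains of list file $1: comments, whitespace and blank lines
# dropped, lower-cased, sorted and de-duplicated (so reordering or re-casing
# an entry is not seen as a change).
normalise_domains() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" \
        | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# Return 0 when every domain in the current list ($1) is already recorded in
# the state file ($2), i.e. the list is unchanged or has shrunk.
# Return 1 when the list grew; the new domains are reported on stderr.
# A missing state file is treated as a first install and passes.
unblock_list_not_grown() {
    current=$1 state=$2
    [ -f "$state" ] || return 0
    cur_tmp=$(mktemp) && st_tmp=$(mktemp) || return 2
    normalise_domains "$current" > "$cur_tmp"
    normalise_domains "$state" > "$st_tmp"
    # comm -23 keeps lines present only in the first (current) file.
    added=$(LC_ALL=C comm -23 "$cur_tmp" "$st_tmp")
    rm -f "$cur_tmp" "$st_tmp"
    [ -z "$added" ] && return 0
    printf 'unblock list grew, refusing install:\n%s\n' "$added" >&2
    return 1
}

# Record the accepted list after a successful install and set the immutable
# flag. chattr is best-effort here: it needs root and a filesystem that
# supports the flag, so failures are ignored in this sketch.
save_unblock_state() {
    current=$1 state=$2
    chattr -i "$state" 2>/dev/null || true
    normalise_domains "$current" > "$state" || return 1
    chattr +i "$state" 2>/dev/null || true
}
```

An installer would call `unblock_list_not_grown` before touching /etc/hosts and `save_unblock_state` only after the install succeeds, so a grown list can be accepted only by first clearing the immutable flag and editing the state by hand.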