move everything configurable to /cfg and try selinux

This commit is contained in:
Harald Hoyer 2018-09-17 17:32:13 +02:00
parent a95907fd97
commit 8dfaa0d4be
9 changed files with 172 additions and 120 deletions


@ -158,7 +158,7 @@ fi
mkdir -p boot mkdir -p boot
mount ${OUT}1 boot mount ${OUT}1 boot
mkdir -p boot/EFI/FedoraBook mkdir -p boot/EFI/FedoraBook
cp /efi/EFI/FedoraBook/bootx64.efi boot/EFI/FedoraBook/1.efi cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi
[[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot [[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot
[[ -e /efi/Shell.efi ]] && cp /efi/Lockdown.efi boot/EFI/Boot/bootx64.efi [[ -e /efi/Shell.efi ]] && cp /efi/Lockdown.efi boot/EFI/Boot/bootx64.efi
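Review bot: The last line tests for `/efi/Shell.efi` but copies `/efi/Lockdown.efi` into `boot/EFI/Boot/bootx64.efi`, so when a shell binary is present the fallback loader slot receives the lockdown binary instead of the shell; the image builder's equivalent line in this commit (`cp "${SOURCE}"/efi/Shell.efi … /EFI/Boot/bootx64.efi`) suggests the intended line is `[[ -e /efi/Shell.efi ]] && cp /efi/Shell.efi boot/EFI/Boot/bootx64.efi`. The mismatch predates this commit, but the hunk now keys the whole ESP layout on `1.efi`, so it is the moment to fix it. A one-line comment above the two optional copies, e.g. `# Lockdown.efi and Shell.efi are optional; Shell.efi becomes the removable-media fallback loader`, would also make the intent of the two `[[ -e … ]] &&` guards explicit.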


@ -3,7 +3,5 @@ systemd-bootchart
grubby grubby
grub* grub*
plymouth plymouth
selinux-policy-targeted
libselinux-utils
httpd httpd
gnome-boxes gnome-boxes


@ -169,12 +169,13 @@ mkdir -p "$MY_TMPDIR"/boot/EFI/Boot
mkdir -p "$MY_TMPDIR"/boot/EFI/FedoraBook mkdir -p "$MY_TMPDIR"/boot/EFI/FedoraBook
if [[ $USE_EFISHELL ]]; then if [[ $USE_EFISHELL ]]; then
[[ -e "${SOURCE}"/startup.nsh ]] && cp "${SOURCE}"/startup.nsh "$MY_TMPDIR"/boot/ [[ -e "${SOURCE}"/efi/startup.nsh ]] && cp "${SOURCE}"/efi/startup.nsh "$MY_TMPDIR"/boot/
[[ -e "${SOURCE}"/LockDown.efi ]] && cp "${SOURCE}"/LockDown.efi "$MY_TMPDIR"/boot/ [[ -e "${SOURCE}"/efi/LockDown.efi ]] && cp "${SOURCE}"/efi/LockDown.efi "$MY_TMPDIR"/boot/
cp "${SOURCE}"/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi cp "${SOURCE}"/efi/Shell.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/bootx64.efi cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
else else
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/Boot/bootx64.efi
cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi
fi fi
umount "$MY_TMPDIR"/boot umount "$MY_TMPDIR"/boot
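Review bot: `cp "$SOURCE"/bootx64.efi "$MY_TMPDIR"/boot/EFI/FedoraBook/1.efi` is now the last statement of both the `if [[ $USE_EFISHELL ]]` branch and the `else` branch, so the two copies will drift apart the next time one is edited; hoist it to a single line directly after `fi`, before the `umount`. The two `[[ -e … ]] && cp …` lines silently skip a missing `startup.nsh` or `LockDown.efi` while the `Shell.efi` copy below them hard-fails, which looks intentional, but a comment such as `# startup.nsh and LockDown.efi are optional; Shell.efi is required for the EFI shell boot path` would record that asymmetry for the next reader.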


@ -66,21 +66,24 @@ JSON="$(realpath -e $1)"
BASEDIR="${JSON%/*}" BASEDIR="${JSON%/*}"
IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})" IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"
( pushd "$IMAGE"
cd "$IMAGE" if ! [[ $NOSIGN ]]; then
if ! [[ $NOSIGN ]]; then if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then
if ! [[ $DBKEY ]] || ! [[ $DBCRT ]]; then echo "Need --dbkey KEY --dbcrt CRT options"
echo "Need --dbkey KEY --dbcrt CRT options" exit 1
exit 1
fi
if ! sbverify --cert "$DBCRT" bootx64.efi &>/dev/null ; then
sbsign --key "$DBKEY" --cert "$DBCRT" --output bootx64-signed.efi bootx64.efi
mv bootx64-signed.efi bootx64.efi
fi
fi fi
[[ -f sha512sum.txt ]] || sha512sum * > sha512sum.txt for i in $(find . -type f -name '*.efi'); do
[[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt [[ -f "$i" ]] || continue
) if ! sbverify --cert "$DBCRT" "$i" &>/dev/null ; then
sbsign --key "$DBKEY" --cert "$DBCRT" --output "${i}signed" "$i"
mv "${i}signed" "$i"
fi
done
fi
[[ -f sha512sum.txt ]] || sha512sum $(find . -type f) > sha512sum.txt
[[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
popd
if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then if ! [[ $NOTAR ]] && ! [[ -e "$IMAGE".tgz ]]; then
tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "$IMAGE".tgz tar cf - -C "${IMAGE%/*}" "${IMAGE##*/}" | pigz -c > "$IMAGE".tgz
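Review bot: `for i in $(find . -type f -name '*.efi')` and `sha512sum $(find . -type f)` word-split the file list, so any path containing whitespace is signed or checksummed under the wrong name or not at all, and the `[[ -f "$i" ]] || continue` guard then hides the mismatch; use `while IFS= read -r -d '' i; do … done < <(find . -type f -name '*.efi' -print0)` for the signing loop and `find . -type f -exec sha512sum {} + > sha512sum.txt` for the manifest. The same `for i in $(find . -type f)` pattern appears in the update script's verification loop in this commit. `pushd "$IMAGE"` is also unchecked; the old `( cd "$IMAGE" … )` form at least confined a failure to the subshell, whereas now, unless the script runs under `set -e` (not visible here), a failed `pushd` leaves the script signing and checksumming whatever directory it is already in, so write `pushd "$IMAGE" || exit 1`. Since `sha512sum.txt` is only generated when absent, a re-signed `.efi` does not refresh an existing manifest; if that is intended, a comment saying so on the `[[ -f sha512sum.txt ]] ||` line would help.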


@ -48,6 +48,7 @@ gobject-introspection-devel
gperf gperf
help2man help2man
iptables-devel iptables-devel
iputils
ipw2100-firmware ipw2100-firmware
ipw2200-firmware ipw2200-firmware
iscan-firmware iscan-firmware
@ -84,6 +85,8 @@ libseccomp-devel
libselinux-devel libselinux-devel
libvirt-daemon-config-network libvirt-daemon-config-network
libvirt-daemon-kvm libvirt-daemon-kvm
libvirt-client
libvirt-bash-completion
libxkbcommon-devel libxkbcommon-devel
libxslt libxslt
linux-firmware linux-firmware


@ -21,7 +21,7 @@ get_disk() {
udevadm settle udevadm settle
BOOTDISK=$(get_disk $(bootdisk)) BOOTDISK=$(get_disk $(bootdisk))
[[ $BOOTDISK ]] || die "No boot disk found" [[ $BOOTDISK ]] || die "No boot disk found"
unset FOUND unset FOUND
@ -107,17 +107,24 @@ if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
mkfs.xfs -f -L data "$datadev" mkfs.xfs -f -L data "$datadev"
fi fi
mount -o discard $datadev /sysroot/data || die "Failed to mount $datadev" mount -o discard $datadev /sysroot/mnt || die "Failed to mount $datadev"
[[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var for i in var home cfg; do
[[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home if ! [[ -d /sysroot/mnt/$i ]]; then
mkdir /sysroot/mnt/$i
mount -o bind /sysroot/data/var /sysroot/var FIRST_TIME=1
mount -o bind /sysroot/data/home /sysroot/home fi
for i in passwd shadow group gshadow subuid subgid; do
[[ -f /sysroot/var/$i ]] && continue
cp -a /sysroot/usr/share/factory/var/$i /sysroot/var/$i
done done
chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo mount -o bind /sysroot/mnt/var /sysroot/var
mount -o bind /sysroot/mnt/home /sysroot/home
mount -o bind /sysroot/mnt/cfg /sysroot/cfg
umount -l /sysroot/mnt
#for i in passwd shadow group gshadow subuid subgid; do
# [[ -f /sysroot/cfg/$i ]] && continue
# cp -a /sysroot/usr/share/factory/cfg/$i /sysroot/cfg/$i
#done
if [[ $FIRST_TIME ]]; then
chroot /sysroot bash -c '/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1; restorecon -R -v /cfg /var 2>&1'| vinfo
fi
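Review bot: The three `mount -o bind /sysroot/mnt/… /sysroot/…` lines and the `mkdir /sysroot/mnt/$i` inside the `for i in var home cfg` loop are unchecked, whereas the data-partition mount just above aborts with `die` on failure; if a bind mount fails the script still runs `umount -l /sysroot/mnt` and hands over a system whose `/var`, `/home` or `/cfg` presumably sit on the read-only root. Moving the bind mount into the same loop with the existing guard, `mount -o bind /sysroot/mnt/$i /sysroot/$i || die "Failed to bind mount $i"`, fixes that and removes the three repeated lines. The commented-out `#for i in passwd shadow …` block should be deleted rather than kept as dead code, since the `C /cfg/passwd …` tmpfiles entries added elsewhere in this commit appear to cover the same first-boot copy. `FIRST_TIME` is also never initialised before the loop, so an `unset FIRST_TIME` next to the existing `unset FOUND` would make the gate independent of the environment.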


@ -220,6 +220,11 @@ dnf -v --nogpgcheck \
jq \ jq \
gnupg2 \ gnupg2 \
veritysetup \ veritysetup \
policycoreutils \
selinux-policy-targeted \
selinux-policy-devel \
libselinux-utils \
audit \
$PKGLIST $PKGLIST
for i in passwd shadow group gshadow subuid subgid; do for i in passwd shadow group gshadow subuid subgid; do
@ -241,6 +246,8 @@ for i in passwd shadow group gshadow subuid subgid; do
chmod u+r "${BASEDIR}/${NAME}/$i" chmod u+r "${BASEDIR}/${NAME}/$i"
done done
# chroot "$sysroot" bash -i
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
@ -267,7 +274,8 @@ chroot "$sysroot" \
dracut -N --kver $KVER --force \ dracut -N --kver $KVER --force \
--filesystems "squashfs vfat xfs" \ --filesystems "squashfs vfat xfs" \
--add-drivers "=drivers/char/tpm" \ --add-drivers "=drivers/char/tpm" \
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \ -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity selinux" \
--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \ --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \ --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
--install "cryptsetup tail sort pwmake mktemp swapon" \ --install "cryptsetup tail sort pwmake mktemp swapon" \
@ -289,7 +297,7 @@ rm -fr "$sysroot"/overlay
umount "$sysroot"/var/cache/dnf umount "$sysroot"/var/cache/dnf
mkdir -p "$sysroot"/usr/share/factory/{var/etc,home} mkdir -p "$sysroot"/usr/share/factory/{var,cfg}
chroot "$sysroot" update-ca-trust chroot "$sysroot" update-ca-trust
@ -319,21 +327,21 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/sy
#--------------- #---------------
# ssh # ssh
if [[ -d "$sysroot"/etc/ssh ]]; then if [[ -d "$sysroot"/etc/ssh ]]; then
mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/var/etc/ssh mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/cfg/ssh
ln -sfnr "$sysroot"/var/etc/ssh "$sysroot"/etc/ssh ln -sfnr "$sysroot"/cfg/ssh "$sysroot"/etc/ssh
cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <<EOF
C /var/etc/ssh - - - - - C /cfg/ssh - - - - -
EOF EOF
fi fi
#--------------- #---------------
# NetworkManager # NetworkManager
if [[ -d "$sysroot"/etc/NetworkManager ]]; then if [[ -d "$sysroot"/etc/NetworkManager ]]; then
mv "$sysroot"/etc/NetworkManager "$sysroot"/usr/share/factory/var/etc/ mv "$sysroot"/etc/NetworkManager "$sysroot"/usr/share/factory/cfg/
ln -fsnr "$sysroot"/var/etc/NetworkManager "$sysroot"/etc/NetworkManager ln -fsnr "$sysroot"/cfg/NetworkManager "$sysroot"/etc/NetworkManager
cat >> "$sysroot"/usr/lib/tmpfiles.d/NetworkManager.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/NetworkManager.conf <<EOF
d /var/lib/NetworkManager 0755 root root - - d /var/lib/NetworkManager 0755 root root - -
C /var/etc/NetworkManager - - - - - C /cfg/NetworkManager - - - - -
d /run/NetworkManager 0755 root root - - d /run/NetworkManager 0755 root root - -
EOF EOF
rm -fr "$sysroot"/etc/sysconfig/network-scripts rm -fr "$sysroot"/etc/sysconfig/network-scripts
@ -343,10 +351,10 @@ fi
#--------------- #---------------
# libvirt # libvirt
if [[ -d "$sysroot"/etc/libvirt ]]; then if [[ -d "$sysroot"/etc/libvirt ]]; then
mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/var/etc/ mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/cfg/
ln -fsnr "$sysroot"/var/etc/libvirt "$sysroot"/etc/libvirt ln -fsnr "$sysroot"/cfg/libvirt "$sysroot"/etc/libvirt
cat >> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <<EOF
C /var/etc/libvirt - - - - - C /cfg/libvirt - - - - -
EOF EOF
fi fi
@ -355,62 +363,63 @@ fi
ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf
echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf
#---------------
# hostname
ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname
echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname
#--------------- #---------------
# vconsole.conf # vconsole.conf
ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf ln -fsnr "$sysroot"/cfg/vconsole.conf "$sysroot"/etc/vconsole.conf
echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/cfg/vconsole.conf
#--------------- #---------------
# locale.conf # locale.conf
ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf ln -fsnr "$sysroot"/cfg/locale.conf "$sysroot"/etc/locale.conf
echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/cfg/locale.conf
#--------------- #---------------
# localtime # localtime
mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/cfg/localtime
ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime ln -fsnr "$sysroot"/cfg/localtime "$sysroot"/etc/localtime
#--------------- #---------------
# machine-id # machine-id
rm -f "$sysroot"/etc/machine-id rm -f "$sysroot"/etc/machine-id
ln -fsnr "$sysroot"/var/machine-id "$sysroot"/etc/machine-id ln -fsnr "$sysroot"/cfg/machine-id "$sysroot"/etc/machine-id
#--------------- #---------------
# adjtime # adjtime
mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/cfg/adjtime
ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime ln -fsnr "$sysroot"/cfg/adjtime "$sysroot"/etc/adjtime
sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed sed -i -e 's#/etc/locale.conf#/cfg/locale.conf#g;s#/etc/vconsole.conf#/cfg/vconsole.conf#g;s#/etc/X11/xorg.conf.d#/cfg/X11/xorg.conf.d#g' \
sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' \ "$sysroot"/usr/lib/systemd/systemd-localed
sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g' \
"$sysroot"/usr/lib/systemd/systemd-timedated \ "$sysroot"/usr/lib/systemd/systemd-timedated \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so \ "$sysroot"/usr/lib/systemd/libsystemd-shared*.so \
"$sysroot"/lib*/libc.so.* "$sysroot"/lib*/libc.so.*
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-localed.service sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-timedated.service "$sysroot"/lib/systemd/system/systemd-localed.service \
"$sysroot"/lib/systemd/system/systemd-timedated.service \
"$sysroot"/lib/systemd/system/systemd-hostnamed.service
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
C /var/hostname - - - - - C /cfg/hostname - - - - -
C /var/vconsole.conf - - - - - C /cfg/vconsole.conf - - - - -
C /var/locale.conf - - - - - C /cfg/locale.conf - - - - -
C /var/localtime - - - - - C /cfg/localtime - - - - -
C /var/adjtime - - - - - C /cfg/adjtime - - - - -
Z /cfg 0755 root root - -
Z /var 0755 root root - -
EOF EOF
#--------------- #---------------
# X11 # X11
if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then
mkdir -p "$sysroot"/usr/share/factory/var/etc mkdir -p "$sysroot"/usr/share/factory/cfg
mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/var/etc/X11 mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/cfg/X11
ln -fsnr "$sysroot"/var/etc/X11 "$sysroot"/etc/X11 ln -fsnr "$sysroot"/cfg/X11 "$sysroot"/etc/X11
cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF
C /var/etc/X11 - - - - - C /cfg/X11 - - - - -
EOF EOF
fi fi
@ -442,16 +451,24 @@ cat > "$sysroot"/etc/sysctl.d/inotify.conf <<EOF
fs.inotify.max_user_watches = $((8192*10)) fs.inotify.max_user_watches = $((8192*10))
EOF EOF
cat >"$sysroot"/etc/fstab <<EOF #---------------
LABEL=data /data xfs defaults,discard 0 0 # gnome-initial-setup
/data/var /var - bind 0 0 > "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
/data/home /home - bind 0 0
EOF
# ------------------------------------------------------------------------------
# selinux
sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
chroot "$sysroot" semanage fcontext -a -e /etc /cfg
chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/etc
chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var
chroot "$sysroot" fixfiles -v -F -f relabel || :
chroot "$sysroot" restorecon -v -R /usr/share/factory/ || :
rm -fr "$sysroot"/var/lib/selinux
#--------------- #---------------
# var # var
rm -fr "$sysroot"/var/lib/rpm rm -fr "$sysroot"/var/lib/rpm
rm -fr "$sysroot"/var/lib/selinux
rm -fr "$sysroot"/var/log/dnf* rm -fr "$sysroot"/var/log/dnf*
rm -fr "$sysroot"/var/cache/*/* rm -fr "$sysroot"/var/cache/*/*
rm -fr "$sysroot"/var/tmp/* rm -fr "$sysroot"/var/tmp/*
@ -461,7 +478,9 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/ cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
rm -fr "$sysroot"/usr/share/factory/var/{run,lock} rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :' chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
@ -470,6 +489,11 @@ sed -i -e "s#NAME=.*#NAME=$NAME#" "$sysroot"/etc/os-release
mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/ mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
cp "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux cp "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
if [[ -d "$sysroot"/boot/efi/EFI/fedora ]]; then
mkdir -p "$MY_TMPDIR"/efi/EFI
mv "$sysroot"/boot/efi/EFI/fedora "$MY_TMPDIR"/efi/EFI
fi
rm -fr "$sysroot"/{boot,root} rm -fr "$sysroot"/{boot,root}
ln -sfnr "$sysroot"/var/root "$sysroot"/root ln -sfnr "$sysroot"/var/root "$sysroot"/root
mkdir "$sysroot"/efi mkdir "$sysroot"/efi
@ -477,13 +501,12 @@ rm -fr "$sysroot"/var/*
rm -fr "$sysroot"/home/* rm -fr "$sysroot"/home/*
rm -f "$sysroot"/etc/yum.repos.d/* rm -f "$sysroot"/etc/yum.repos.d/*
mkdir -p "$sysroot"/home mkdir -p "$sysroot"/home
rm -fr "$sysroot"/etc/selinux mkdir -p "$sysroot"/cfg
mkdir "$sysroot"/data
for i in "$sysroot"/{dev,sys,proc,run}; do for i in "$sysroot"/{dev,sys,proc,run}; do
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i" [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
done done
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# sysroot # sysroot
mksquashfs "$MY_TMPDIR"/sysroot "$MY_TMPDIR"/root.squashfs.img \ mksquashfs "$MY_TMPDIR"/sysroot "$MY_TMPDIR"/root.squashfs.img \
@ -504,7 +527,10 @@ IMAGE_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.img)
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# make bootx64.efi # make bootx64.efi
echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt "\
"verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID " \
"verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
objcopy \ objcopy \
--add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \ --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
@ -525,9 +551,11 @@ mv "$MY_TMPDIR"/root-hash.txt \
"$MY_TMPDIR"/initrd \ "$MY_TMPDIR"/initrd \
"$OUTDIR" "$OUTDIR"
[[ -d "$MY_TMPDIR"/efi ]] && mv "$MY_TMPDIR"/efi "$OUTDIR"/efi
for i in LockDown.efi Shell.efi startup.nsh; do for i in LockDown.efi Shell.efi startup.nsh; do
[[ -e "${BASEDIR}"/$i ]] || continue [[ -e "${BASEDIR}"/$i ]] || continue
cp "$i" "$OUTDIR" cp "$i" "$OUTDIR"/efi
done done
chown -R "$USER" "$OUTDIR" chown -R "$USER" "$OUTDIR"
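Review bot: The new `Z /cfg 0755 root root - -` and `Z /var 0755 root root - -` lines in `00-basics.conf` are recursive, and because a concrete mode and owner are given rather than `-`, systemd-tmpfiles (as described in tmpfiles.d(5)) applies 0755 root:root to every entry it reaches under those trees on every run, not just to the top-level directories; that would undo the `chmod 0000` the user-setup script in this commit puts on `shadow`/`gshadow` before they are moved to `/usr/share/factory/cfg`, and reset ownership of user data under `/var`. If the goal is only to have the SELinux labels applied after the `semanage fcontext -a -e /etc /cfg` equivalence is installed, use `Z /cfg - - - - -` and `Z /var - - - - -` so mode and ownership are left untouched, or the non-recursive `z /cfg 0755 root root - -` if only the directory inodes need fixing. A comment in the heredoc such as `# relabel only; mode/owner must stay '-' because /cfg holds shadow and gshadow` would keep the next edit from reintroducing the permission reset.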


@ -1,65 +1,73 @@
chroot "$sysroot" bash -c 'useradd -M -G wheel admin' #!/usr/bin/bash -ex
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \ sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
"$sysroot"/etc/nsswitch.conf "$sysroot"/etc/nsswitch.conf
mkdir -p "$sysroot"/usr/db mkdir -p "$sysroot"/usr/db
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib*/libnss_db-2*.so "$sysroot"/var/db/Makefile
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.adm
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.adm
sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow' chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group mv "$sysroot"/etc/group.adm "$sysroot"/etc/group
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow mv "$sysroot"/etc/gshadow.adm "$sysroot"/etc/gshadow
chmod 0000 "$sysroot"/etc/gshadow chmod 0000 "$sysroot"/etc/gshadow "$sysroot"/etc/shadow
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin' mkdir -p "$sysroot"/usr/share/factory/cfg
chroot "$sysroot" bash -c 'passwd -e admin' mv "$sysroot"/etc/passwd \
"$sysroot"/etc/sub{u,g}id \
mkdir -p "$sysroot"/usr/share/factory/var "$sysroot"/etc/shadow \
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var/ "$sysroot"/etc/group \
"$sysroot"/etc/gshadow \
"$sysroot"/usr/share/factory/cfg/
rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow- rm -f "$sysroot"/etc/shadow- "$sysroot"/etc/gshadow-
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i" ln -sfnr "$sysroot"/cfg/"$i" "$sysroot"/etc/"$i"
done done
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/npasswd#/cfg/npasswd#g' \
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so "$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del} sed -i -e 's#/etc/shadow#/cfg/shadow#g;s#/etc/nshadow#/cfg/nshadow#g' \
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \ "$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/.pwdXXXXXX#/cfg/.pwdXXXXXX#g' \
"$sysroot"/usr/lib*/security/pam_unix.so
sed -i -e 's#/etc/passwd#/cfg/passwd#g;s#/etc/shadow#/cfg/shadow#g;s#/etc/gshadow#/cfg/gshadow#g;s#/etc/group#/cfg/group#g;s#/etc/subuid#/cfg/subuid#g;s#/etc/subgid#/cfg/subgid#g' \
"$sysroot"/usr/sbin/user{add,mod,del} \
"$sysroot"/usr/sbin/group{add,mod,del} \
"$sysroot"/usr/bin/newgidmap \
"$sysroot"/usr/bin/newuidmap \
"$sysroot"/usr/sbin/newusers
sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/lib*/libc.so.* \ "$sysroot"/lib*/libc.so.* \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so "$sysroot"/usr/lib/systemd/libsystemd-shared*.so
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \ [[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] \
&& sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \ && sed -i -e 's#/etc/.pwd.lock#/cfg/.pwd.lock#g' \
"$sysroot"/usr/lib*/librpmostree-1.so.1 "$sysroot"/usr/lib*/librpmostree-1.so.1
mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
mkdir -p "$sysroot"/usr/share/factory/var/root mkdir -p "$sysroot"/usr/share/factory/var/root
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root chown +0.+0 "$sysroot"/usr/share/factory/var/root
chown -R +0.+0 "$sysroot"/usr/share/factory/var/root
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /home/admin - - - - -
C /var/root - - - - - C /var/root - - - - -
C /var/passwd - - - - - C /cfg/passwd - - - - -
C /var/shadow - - - - - C /cfg/shadow - - - - -
C /var/group - - - - - C /cfg/group - - - - -
C /var/gshadow - - - - - C /cfg/gshadow - - - - -
C /var/subuid - - - - - C /cfg/subuid - - - - -
C /var/subgid - - - - - C /cfg/subgid - - - - -
EOF EOF
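Review bot: `libuser.conf` is still rewritten to `directory = /var` while every other account-file path in this hunk moved to `/cfg` (the `ln -sfnr "$sysroot"/cfg/"$i"` loop, the `pam_unix.so` and shadow-utils patches, and the `C /cfg/…` lines in `home.conf`), so if anything in the image uses libuser it would write credentials to a location the symlinks no longer reference; the sed should read `s!^# directory = /etc!directory = /cfg!g`. The `sed -i` edits on `libc.so.*`, `pam_unix.so`, `libsystemd-shared*.so` and `librpmostree-1.so.1` only work because `/etc`, `/var` and `/cfg` are all four characters; a comment such as `# binary patch: the replacement path must be exactly as long as /etc or string offsets in the .so break` would stop a future rename from silently corrupting those libraries. The nsswitch sed also still writes `altfile` on the passwd line but `altfiles` on shadow and group, which looks like a pre-existing typo for the nss_altfiles module that this hunk could fix while it is being touched. The `#!/usr/bin/bash -ex` shebang only takes effect when the file is executed directly; if mkimage invokes it as `bash script`, the flags are lost and a `set -ex` at the top would be the reliable form.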


@ -184,9 +184,9 @@ if ! [[ $NO_CHECK ]]; then
while read _ file || [[ $file ]]; do while read _ file || [[ $file ]]; do
FILES["$file"]="1" FILES["$file"]="1"
done < sha512sum.txt done < sha512sum.txt
for i in $(ls -1); do for i in $(find . -type f); do
[[ $i == sha512sum.txt ]] && continue [[ $i == ./sha512sum.txt ]] && continue
[[ $i == sha512sum.txt.sig ]] && continue [[ $i == ./sha512sum.txt.sig ]] && continue
if ! [[ ${FILES["$i"]} ]]; then if ! [[ ${FILES["$i"]} ]]; then
echo "File $i not signed" echo "File $i not signed"
exit 1 exit 1
@ -210,6 +210,10 @@ sfdisk --part-uuid ${ROOT_DEV} ${NEW_ROOT_PARTNO} ${ROOT_UUID}
mkdir -p /efi/EFI/${NAME} mkdir -p /efi/EFI/${NAME}
cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
if [[ -d efi ]]; then
cp -vr efi/* /efi/
fi
mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi || : mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi || :
rm -f /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi rm -f /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
@ -221,4 +225,4 @@ BOOT_ORDER=${BOOT_ORDER#,}
efibootmgr -o "FED${NEW_ROOT_NUM},FED$((${OLD_ROOT_NUM}+2)),$BOOT_ORDER" efibootmgr -o "FED${NEW_ROOT_NUM},FED$((${OLD_ROOT_NUM}+2)),$BOOT_ORDER"
echo "Update successful. Reboot your machine to use it." echo "Update successful. Reboot your machine to use it."
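Review bot: `cp -vr efi/* /efi/` inside `if [[ -d efi ]]` fails when the `efi` directory exists but is empty, because the unmatched glob stays literal and cp reports that `efi/*` cannot be found; `cp -vr efi/. /efi/` copies the directory contents without relying on the glob. The copy also overwrites whatever already exists on the ESP under the same names, with no counterpart to the `mv … _${OLD_ROOT_NUM}.efi` rollback kept for the previous loader; given that the build side places `LockDown.efi`, `Shell.efi`, `startup.nsh` and `EFI/fedora` under `efi`, a comment such as `# efi/ payload replaces ESP files in place; only the numbered loaders are kept for rollback` would make that trade-off visible to whoever debugs a failed update. The enclosing update sequence starts before this hunk, so whether `set -e` stops the script at the failed cp is not visible here.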