hardened malloc. json config. networking + default firewalling.

2026-02-08 12:27:14 -07:00
parent 5b7a3ccd9b
commit 0eeb969981
2 changed files with 19 additions and 9 deletions


@@ -33,10 +33,6 @@ chmod u+s /usr/bin/ping
mkdir -p ~/.config mkdir -p ~/.config
touch ~/.config/gnome-initial-setup-done touch ~/.config/gnome-initial-setup-done
#configure permissions for opensnitch firewall
chown -R root:root /etc/opensnitchd/
chmod 777 /etc/opensnitchd/settings.conf
#enable services #enable services
systemctl enable systemd-resolved systemctl enable systemd-resolved
systemctl enable systemd-networkd systemctl enable systemd-networkd
@@ -51,3 +47,8 @@ curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-
apt update apt update
apt install -y brave-browser apt install -y brave-browser
#configure permissions for opensnitch firewall
rsync -a /usr/src/opensnitchd/ /etc/opensnitchd/
chown -R root:root /etc/opensnitchd/
chmod 777 /etc/opensnitchd/settings.conf
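Review bot: The relocated block at the end of this section leaves the firewall daemon's configuration world-writable: `chmod 777 /etc/opensnitchd/settings.conf` directly follows `chown -R root:root /etc/opensnitchd/`, so any local account can rewrite the settings a root-owned daemon enforces, which undoes the ownership change on the line before; the same pair was already present in the lines this commit removes, so the move does not address it. A root-owned daemon can read and write the file at `chmod 644 /etc/opensnitchd/settings.conf` (or 600 if nothing else needs to read it); if a non-root component genuinely must write it, that should go through a dedicated group with `chmod 660` rather than world access. `rsync -a` also preserves whatever ownership and modes the files carried in /usr/src/opensnitchd/, so an explicit `chmod 755 /etc/opensnitchd` plus a 644 on the copied files after the chown makes the result independent of how the tree was staged.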


@@ -1,11 +1,22 @@
#!/bin/bash #!/bin/bash
set -e set -e
set -x set -x
#downloading graphene malloc
if [ ! -f ./dependencies/hardened_malloc/Makefile ]; then
cd "$(dirname "$0")"
DIR="$(dirname "$0")"
cd ..
cd ./dependencies/
git clone https://github.com/GrapheneOS/hardened_malloc.git
fi
#switching to root to perform chroot
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root" echo "switching from $(id -un) to root"
exec sudo "$0" "$@" exec sudo "$0" "$@"
fi fi
set -e
cd "$(dirname "$0")" cd "$(dirname "$0")"
DIR="$(dirname "$0")" DIR="$(dirname "$0")"
cd .. cd ..
@@ -21,6 +32,7 @@ fi
rsync -a ./outputs/root/ ./outputs/chroot/ rsync -a ./outputs/root/ ./outputs/chroot/
mkdir -p ./outputs/chroot/proc mkdir -p ./outputs/chroot/proc
mount --bind /proc ./outputs/chroot/proc mount --bind /proc ./outputs/chroot/proc
cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh
cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh
@@ -28,9 +40,7 @@ cp ./config/config.json ./outputs/chroot/config.json
#copy opensnitch rules. #copy opensnitch rules.
echo "copying firewall rules" echo "copying firewall rules"
mkdir -p ./outputs/chroot/etc/ rsync -a ./config/settings/opensnitch/ ./outputs/chroot/usr/src/opensnitchd/
mkdir -p ./outputs/chroot/etc/opensnitchd/
rsync -a ./config/settings/opensnitch/ ./outputs/chroot/etc/opensnitchd/
#setup user skeleton #setup user skeleton
sudo mkdir -p ./outputs/chroot/etc/skel/.config sudo mkdir -p ./outputs/chroot/etc/skel/.config
@@ -64,7 +74,6 @@ chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh"
chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh" chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh"
cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
cd $DIR cd $DIR
cd .. cd ..
if mountpoint -q "./outputs/chroot/proc/"; then if mountpoint -q "./outputs/chroot/proc/"; then