hardened malloc. networking + firewall. json based config.

scripts/boot_image.sh

@@ -4,5 +4,5 @@ cd ..
 disk="./outputs/boot_image.img"
 
 
-qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=pc-q35-3.1,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
+qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
 #--display gtk,gl=off --device virtio-gpu

scripts/bootstrap_filesystem.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ "$(id -u)" -ne 0 ]; then
+	echo "switching from $(id -un) to root"
+	exec sudo "$0" "$@"
+fi
+set -e
+cd "$(dirname "$0")"
+DIR="$(dirname "$0")"
+cd ..
+echo $PWD
+
+rm -rf './outputs/root'
+if [ ! -d ./outputs/root/bin ]; then
+    rm -rf './outputs/root'
+    mkdir -p ./outputs/root/
+    debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu
+fi
+

scripts/build_filesystem.sh

@@ -1,21 +1,26 @@
 #!/bin/bash
+set -e
+set -x
 
+#downloading graphene malloc
+if [ ! -f  ./dependencies/hardened_malloc/Makefile ]; then
+   cd "$(dirname "$0")"
+   DIR="$(dirname "$0")"
+   cd ..
+   cd ./dependencies/
+   git clone https://github.com/GrapheneOS/hardened_malloc.git
+fi
+
+#switching to root to perform chroot
 if [ "$(id -u)" -ne 0 ]; then
 	echo "switching from $(id -un) to root"
 	exec sudo "$0" "$@"
 fi
-set -e
+
 cd "$(dirname "$0")"
 DIR="$(dirname "$0")"
 cd ..
 echo $PWD
-
-rm -rf './outputs/root'
-if [ ! -d ./outputs/root/bin ]; then
-    rm -rf './outputs/root'
-    mkdir -p ./outputs/root/
-    debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu
-fi
 if mountpoint -q "./outputs/chroot/proc/"; then
   umount -lf "./outputs/chroot/proc/"
 fi
@@ -26,10 +31,48 @@ if mountpoint -q "./outputs/root/proc/"; then
 fi
 rsync -a ./outputs/root/ ./outputs/chroot/
 mkdir -p ./outputs/chroot/proc
+
+
 mount --bind /proc ./outputs/chroot/proc
 cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh
+cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh
+cp ./config/config.json ./outputs/chroot/config.json
+
+#copy opensnitch rules.
+echo "copying firewall rules"
+rsync -a ./config/settings/opensnitch/ ./outputs/chroot/usr/src/opensnitchd/
+
+#setup user skeleton
+sudo mkdir -p ./outputs/chroot/etc/skel/.config
+printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done
+cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile
+cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc
+cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile
+
+cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh
+chmod +x ./outputs/chroot/usr/gnome_settings.sh
+
+#installing hardened memory allocator if built
+if [ -f  ./dependencies/hardened_malloc/Makefile ]; then
+   rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/
+fi
+
+cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/
+find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \;
+cp ./config/settings/services/*.sh ./outputs/chroot/usr/
+
+echo "installing system from within chroot"
 chmod +x ./outputs/chroot/filesystem_chroot_install.sh
+chmod +x ./outputs/chroot/apply_initial_host_configuration.sh
+mkdir -p ./outputs/chroot/lib/modules/
+
+echo "installing kernel modules"
+rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/
+
+echo "installing filesystem"
 chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh"
+chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh"
+cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
 
 cd $DIR
 cd ..

scripts/build_image.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 if [ "$(id -u)" -ne 0 ]; then
 	echo "switching from $(id -un) to root"
-	exec sudo "$0" "$@"
+	exec sudo ionice -c 3 "$0" "$@"
 fi
 set -e
 cd "$(dirname "$0")"

scripts/build_kernel.sh

@@ -6,7 +6,7 @@ mkdir -p ./dependencies
 rootdir=$(dirname "$0")
 dir=./$(dirname "$0")
 cd dependencies
-[[ -d ./linux ]] || git clone --depth 5 https://github.com/gregkh/linux.git ./linux
+[[ -d ./linux ]] || git clone --depth 1 https://github.com/torvalds/linux.git ./linux
 cd "$(dirname "$0")"
 cd ..
 echo $PWD

scripts/install_dependencies.sh

@@ -4,7 +4,7 @@ if [ "$(id -u)" -ne 0 ]; then
 	exec sudo "$0" "$@"
 fi
 set -e
-list="kpartx podman debootstrap "
+list="kpartx podman debootstrap qemu-system"
 apt update
 for item in $list; do
     apt install -y $item