From 5b7a3ccd9b4cebebf88eb036c0a0b6ea456187eb Mon Sep 17 00:00:00 2001 
From: matt Date: Sun, 8 Feb 2026 08:49:55 -0700 Subject: [PATCH] hardened malloc, working firewall. --- config/apply_initial_host_configuration.sh | 4 ++ config/container_cmd.sh | 2 + config/filesystem_chroot_install.sh | 29 ++++++------ config/kernel_options.json | 5 +- .../settings/opensnitch/default-config.json | 37 +++++++++++++++ .../allow-always-list-usr-changelog.json | 26 ++++++++++ .../rules/allow-always-list-usr-dot.json | 33 +++++++++++++ ...owser-apt-release-s3-brave-com-443-42.json | 47 +++++++++++++++++++ ...rowser-apt-release-s3-brave-com-53-42.json | 47 +++++++++++++++++++ ...rowser-apt-release-s3-brave-com-53-42.json | 47 +++++++++++++++++++ ...lib-apt-methods-http-ubuntu-com-53-42.json | 47 +++++++++++++++++++ ...lib-apt-methods-http-ubuntu-com-80-42.json | 47 +++++++++++++++++++ ...-lib-snapd-snapd-api-snapcraft-io-443.json | 40 ++++++++++++++++ ...r-lib-snapd-snapd-api-snapcraft-io-53.json | 40 ++++++++++++++++ ...napd-snapd-dashboard-snapcraft-io-443.json | 40 ++++++++++++++++ ...snapd-snapd-dashboard-snapcraft-io-53.json | 40 ++++++++++++++++ ...-snapd-snapd-snapcraftcontent-com-443.json | 40 ++++++++++++++++ ...b-snapd-snapd-snapcraftcontent-com-53.json | 40 ++++++++++++++++ ...llow-always-list-usr-sbin-chronyd-123.json | 40 ++++++++++++++++ ...-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json | 40 ++++++++++++++++ ...low-always-list-usr-sbin-chronyd-4460.json | 33 +++++++++++++ ...n-chronyd-ntp-bootstrap-ubuntu-com-53.json | 40 ++++++++++++++++ ...er-connectivity-check-ubuntu-com-80-0.json | 47 +++++++++++++++++++ ...com-brave-brave-224-0-0-251-5353-1000.json | 47 +++++++++++++++++++ ...-com-brave-brave-239-255-255-250-1900.json | 40 ++++++++++++++++ ...st-usr-bin-python3-13-239-255-255-250.json | 33 +++++++++++++ ...-colord-sane-239-255-255-250-3702-118.json | 47 +++++++++++++++++++ ...sr-sbin-avahi-daemon-224-0-0-251-5353.json | 26 ++++++++++ ...-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json | 40 ++++++++++++++++ 
.../rules/deny-always-simple-usr-geoclue.json | 18 +++++++ ...y-always-simple-usr-sbin-cups-browsed.json | 18 +++++++ config/settings/opensnitch/settings.conf | 0 config/settings/services/mem-alloc.service | 13 +++++ config/settings/services/mem_alloc.sh | 11 +++++ config/settings/skel/autorun.desktop | 6 +++ config/settings/skel/gnome_settings.sh | 3 ++ config/settings/skel/profile | 9 ++++ scripts/boot_image.sh | 2 +- scripts/build_filesystem.sh | 33 ++++++++++++- scripts/build_image.sh | 2 +- scripts/install_dependencies.sh | 2 +- 41 files changed, 1141 insertions(+), 20 deletions(-) create mode 100755 config/settings/opensnitch/default-config.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-changelog.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-dot.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json create mode 
100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json create mode 100755 config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json create mode 100755 config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json create mode 100755 config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json mode change 100644 => 100755 config/settings/opensnitch/settings.conf create mode 100644 config/settings/services/mem-alloc.service create mode 100755 config/settings/services/mem_alloc.sh create mode 100644 config/settings/skel/autorun.desktop create mode 100644 config/settings/skel/gnome_settings.sh 
diff --git a/config/apply_initial_host_configuration.sh b/config/apply_initial_host_configuration.sh
index 515ada0..c8cd056 100644
--- a/config/apply_initial_host_configuration.sh
+++ b/config/apply_initial_host_configuration.sh
@@ -48,3 +48,7 @@ jq --compact-output -r '.users[]' config.json | while read -r line; do
 user_mod "$line"
 done
 echo "Configuration applied."
+
+rm /config.json
+rm /apply_initial_host_configuration.sh
+rm /filesystem_chroot_install.sh
diff --git a/config/container_cmd.sh b/config/container_cmd.sh
index 8cb10dd..dcf270b 100755
--- a/config/container_cmd.sh
+++ b/config/container_cmd.sh
@@ -7,3 +7,5 @@ cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_optio
 cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json > ./.config
 /usr/bin/make olddefconfig
 /usr/bin/make -j ${cores}
+mkdir -p /linux/modules
+/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules
diff --git a/config/filesystem_chroot_install.sh b/config/filesystem_chroot_install.sh
index ac1757d..4b9521c 100644
--- a/config/filesystem_chroot_install.sh
+++ b/config/filesystem_chroot_install.sh
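Review bot: The three `rm` lines added after the "Configuration applied." message have no `-f`, so if any of the bootstrap files is already gone the script ends with a non-zero status right after reporting success, and under `set -e` (not visible in this hunk) the remaining removals are skipped. Since the intent appears to be purging the bootstrap material — config.json is the file the user loop above reads — make the removal unconditional and print the message only once it has happened: `rm -f -- /config.json /apply_initial_host_configuration.sh /filesystem_chroot_install.sh` followed by `echo "Configuration applied."`. Unlinking a running bash script is safe on Linux because the open inode persists, but a comment saying the self-removal is deliberate would spare the next reader a double take.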
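Review bot: `/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules` installs unstripped modules, so the tree under /linux/modules carries debug symbols that only bloat whatever image it is later copied into; pass `INSTALL_MOD_STRIP=1` on the same line to strip them at install time. The preceding `mkdir -p /linux/modules` looks redundant, since modules_install creates its destination as far as I know, though it is harmless. The rest of container_cmd.sh is outside this hunk.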
@@ -7,11 +7,12 @@ echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted u echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list apt update apt upgrade -y +apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev #install base system packages -apt install -y --install-recommends --install-suggests systemd -apt install -y --no-install-recommends gnome-core -apt install -y jq git rlwrap dnsutils curl systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip bpfcc-tools gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant gnome-shell-extension-appindicator keepassxc libnetfilter-queue-dev libpcap-dev protobuf-compiler bpftool golang ufw +apt install -y --install-recommends --install-suggests systemd +apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant +apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch #install packages from config jq -r '.packages | .[]' config.json | while read -r item; do 
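Review bot: `ufw` appears twice in the last added `apt install` line (`... lm-sensors net-tools ... ufw ... keepassxc ufw opensnitch`); drop one occurrence. The new first line also bakes `build-essential`, `make` and `git` into the image itself; if they are only needed to build the hardened allocator the commit title mentions, a compiler toolchain left on the finished host widens what a local attacker can do after a foothold, so consider building in a separate stage or purging those packages at the end of the chroot install. A short comment above that line naming what the toolchain is for would make that decision reviewable later.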
@@ -24,29 +25,29 @@ echo "$locale" locale-gen "$locale" echo "LANG=$locale" > /etc/default/locale -#install python systemwide -#pip install --break-system-packages dnslib psutil - #add setuid for some applications chmod u+s /usr/bin/bwrap chmod u+s /usr/bin/ping -#install firewall -#mkdir -p /usr/local/src/ -#cd /usr/local/src/ -#git clone https://git.patronage.systems/matt/dnsf.git -#chmod +x /usr/local/src/dnsf/dnsf_install.sh -#/bin/bash -c /usr/local/src/dnsf/dnsf_install.sh +#disable setup screen config +mkdir -p ~/.config +touch ~/.config/gnome-initial-setup-done + +#configure permissions for opensnitch firewall +chown -R root:root /etc/opensnitchd/ +chmod 777 /etc/opensnitchd/settings.conf #enable services systemctl enable systemd-resolved systemctl enable systemd-networkd +systemctl enable mem-alloc -#ui changes -gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark' +#firewall enable (inbound block) +ufw enable #install brave browser curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources apt update apt install -y brave-browser + diff --git a/config/kernel_options.json b/config/kernel_options.json index 78a8853..6252afe 100644 --- a/config/kernel_options.json +++ b/config/kernel_options.json @@ -1,5 +1,5 @@ { - "CONFIG_IKCONFIG":"m", + "CONFIG_IKCONFIG":"y", "CONFIG_IKCONFIG_PROC":"y", "CONFIG_104_QUAD_8": "m", "CONFIG_60XX_WDT": "m", @@ -2910,6 +2910,8 @@ "CONFIG_HDC100X": "m", "CONFIG_HDC2010": "m", "CONFIG_HDC3020": "m", + "CONFIG_BPF_SUPPORT_RAW_CT":"y", + "CONFIG_NFT_DNS":"y", "CONFIG_HDLC": "m", "CONFIG_HDLC_CISCO": "m", "CONFIG_HDLC_FR": "m", 
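Review bot: `chmod 777 /etc/opensnitchd/settings.conf` makes the firewall daemon's configuration world-writable immediately after `chown -R root:root /etc/opensnitchd/` made the tree root-owned, so any local account can rewrite the daemon's settings; use `chmod 0644 /etc/opensnitchd/settings.conf` (or 0600 if only the daemon reads it), and if a non-root UI process genuinely must write it, grant that through a dedicated group rather than mode 777. Two further points on this hunk, hedged because the build context is outside it: `mkdir -p ~/.config` / `touch ~/.config/gnome-initial-setup-done` expand `~` to root's home inside the chroot, so the marker lands in /root/.config rather than in new users' homes — the skel directory this commit also adds (config/settings/skel) looks like the intended place; and `ufw enable` run inside a chroot attempts to load rules into the build host's kernel, whereas setting `ENABLED=yes` in /etc/ufw/ufw.conf is the usual way to arm it for first boot.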
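Review bot: The two keys inserted after `"CONFIG_HDC3020": "m",` (`CONFIG_BPF_SUPPORT_RAW_CT` and `CONFIG_NFT_DNS`) break the alphabetical order the rest of the file keeps, and like the `"CONFIG_IKCONFIG":"y"` change in the first hunk they drop the space after the colon that every neighbouring entry uses; `CONFIG_NETFILTER_XT_TARGET_BPF` in the following hunk is likewise placed before `..._TARGET_AUDIT`. Sorting them into place keeps the file diffable and makes duplicates visible. It is also worth confirming the two new symbols exist in the kernel tree being built, because `make olddefconfig` silently drops symbols it does not know, as far as I know, so a typo here would never surface as an error.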
@@ -5031,6 +5033,7 @@
 "CONFIG_NETFILTER_XT_MATCH_U32": "y",
 "CONFIG_NETFILTER_XT_NAT": "y",
 "CONFIG_NETFILTER_XT_SET": "y",
+ "CONFIG_NETFILTER_XT_TARGET_BPF": "y",
 "CONFIG_NETFILTER_XT_TARGET_AUDIT": "y",
 "CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "y",
 "CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "y",
diff --git a/config/settings/opensnitch/default-config.json b/config/settings/opensnitch/default-config.json
new file mode 100755
index 0000000..f8675b4
--- /dev/null
+++ b/config/settings/opensnitch/default-config.json
@@ -0,0 +1,37 @@
+{
+ "Server": {
+ "Address": "unix:///tmp/osui.sock",
+ "LogFile": "/var/log/opensnitchd.log",
+ "Authentication": {
+ "Type": "simple",
+ "TLSOptions": {
+ "CACert": "",
+ "ServerCert": "",
+ "ClientCert": "",
+ "ClientKey": "",
+ "SkipVerify": false,
+ "ClientAuthType": "no-client-cert"
+ }
+ }
+ },
+ "DefaultAction": "deny",
+ "DefaultDuration": "once",
+ "InterceptUnknown": false,
+ "ProcMonitorMethod": "ebpf",
+ "LogLevel": 2,
+ "LogUTC": true,
+ "LogMicro": false,
+ "Firewall": "nftables",
+ "Rules": {
+ "Path": "/etc/opensnitchd/rules/"
+ },
+ "Stats": {
+ "MaxEvents": 150,
+ "MaxStats": 25,
+ "Workers": 6
+ },
+ "Internal": {
+ "GCPercent": 100,
+ "FlushConnsOnStart": false
+ }
+}
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json b/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json
new file mode 100755
index 0000000..8fceed0
--- /dev/null
+++ b/config/settings/opensnitch/rules/allow-always-list-usr-changelog.json
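Review bot: `"Address": "unix:///tmp/osui.sock"` points the daemon at a socket path in the world-writable /tmp while `"Type": "simple"` and `"ClientAuthType": "no-client-cert"` leave the channel unauthenticated, so any local account able to create that path first could stand in for the UI that answers allow/deny prompts, as far as I can tell from this file; a socket under a root-owned directory (below /run, for example) or filling in the TLSOptions this file leaves empty would close that. `"InterceptUnknown": false` appears to mean connections whose owning process cannot be resolved are never brought to the UI — confirm against the daemon's documentation and record the decision in the repository, since JSON cannot carry a comment. The file is also added with mode 100755 although nothing executes it; 0644 is the conventional mode for configuration.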
@@ -0,0 +1,26 @@ +{ + "created": "2026-01-28T11:11:49-07:00", + "updated": "2026-01-28T11:11:49-07:00", + "name": "allow-always-list-usr-changelog", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "changelogs.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-dot.json b/config/settings/opensnitch/rules/allow-always-list-usr-dot.json new file mode 100755 index 0000000..e040700 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-dot.json @@ -0,0 +1,33 @@ +{ + "created": "2026-01-28T11:10:32-07:00", + "updated": "2026-01-28T11:10:32-07:00", + "name": "allow-always-list-usr-lib-systemd-systemd-resolved-853", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "853", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/systemd/systemd-resolved", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json new file mode 100755 index 0000000..c6cd860 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42.json 
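Review bot: allow-always-list-usr-changelog.json constrains only `"dest.host"` = `changelogs.ubuntu.com`, with no `process.path`, `dest.port` or `user.id` entry, so unlike the other allow rules in this commit it lets any process on the host reach that name on any port; adding the entries the apt rules use (`"process.path"` `/usr/lib/apt/methods/http`, `"user.id"` `42`, and the port) keeps it as tight as its siblings. In the next file the `"name"` field `allow-always-list-usr-lib-systemd-systemd-resolved-853` does not match its filename allow-always-list-usr-dot.json; if the daemon identifies rules by the name field, as I believe it does, the mismatch is harmless but confusing, so rename one of the two. Every rule in this commit also leaves `"description": ""` empty — a one-line description of why each allow exists is the cheapest audit trail these files can carry.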
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:09-07:00", + "updated": "2026-01-28T11:12:09-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json new file mode 100755 index 0000000..458c31c --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:05-07:00", + "updated": "2026-01-28T11:12:05-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json new file mode 100755 index 0000000..0a77ba2 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:13:04-07:00", + "updated": "2026-01-28T11:13:04-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "_https._tcp.brave-browser-apt-release.s3.brave.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json new file mode 100755 index 0000000..786b3ec --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:11:49-07:00", + "updated": "2026-01-28T11:11:49-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json new file mode 100755 index 0000000..629b8cd --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42.json 
@@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:11:57-07:00", + "updated": "2026-01-28T11:11:57-07:00", + "name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "80", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "42", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/apt/methods/http", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json new file mode 100755 index 0000000..2967ecd --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:20-07:00", + "updated": "2026-02-07T11:02:20-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "api.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json new file mode 100755 index 0000000..6fff3e4 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:01:46-07:00", + "updated": "2026-02-07T11:01:46-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "api.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file 
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json new file mode 100755 index 0000000..9264d0b --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443.json @@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:56-07:00", + "updated": "2026-02-07T11:02:56-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "dashboard.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json new file mode 100755 index 0000000..7ae9362 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:48-07:00", + "updated": "2026-02-07T11:02:48-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "dashboard.snapcraft.io", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json new file mode 100755 index 0000000..a495414 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:38-07:00", + "updated": "2026-02-07T11:02:38-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)snapcraftcontent\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "443", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json new file mode 100755 index 0000000..f94b40a --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53.json 
@@ -0,0 +1,40 @@ +{ + "created": "2026-02-07T11:02:28-07:00", + "updated": "2026-02-07T11:02:28-07:00", + "name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)snapcraftcontent\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/lib/snapd/snapd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json new file mode 100755 index 0000000..894f832 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-123.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-28T11:09:37-07:00", + "updated": "2026-01-28T11:09:37-07:00", + "name": "allow-always-list-usr-sbin-chronyd-123", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "123", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "102", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} 
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json new file mode 100755 index 0000000..1be74d9 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-31T00:30:23-07:00", + "updated": "2026-01-31T00:30:23-07:00", + "name": "allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "^(|.*\\.)ubuntu\\.com$", + "type": "regexp", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json new file mode 100755 index 0000000..23336e1 --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-4460.json 
@@ -0,0 +1,33 @@ +{ + "created": "2026-01-28T11:13:38-07:00", + "updated": "2026-01-28T11:13:38-07:00", + "name": "allow-always-list-usr-sbin-chronyd-4460", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.port", + "data": "4460", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json new file mode 100755 index 0000000..d5072ce --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53.json @@ -0,0 +1,40 @@ +{ + "created": "2026-01-31T00:30:27-07:00", + "updated": "2026-01-31T00:30:27-07:00", + "name": "allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "ntp-bootstrap.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "53", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/chronyd", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} \ No newline at end of file 
diff --git a/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json new file mode 100755 index 0000000..753612f --- /dev/null +++ b/config/settings/opensnitch/rules/allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0.json @@ -0,0 +1,47 @@ +{ + "created": "2026-01-28T11:12:41-07:00", + "updated": "2026-01-28T11:12:41-07:00", + "name": "allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0", + "description": "", + "action": "allow", + "duration": "always", + "operator": { + "operand": "list", + "data": "", + "type": "list", + "list": [ + { + "operand": "dest.host", + "data": "connectivity-check.ubuntu.com", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "dest.port", + "data": "80", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "user.id", + "data": "0", + "type": "simple", + "list": null, + "sensitive": false + }, + { + "operand": "process.path", + "data": "/usr/sbin/NetworkManager", + "type": "simple", + "list": null, + "sensitive": false + } + ], + "sensitive": false + }, + "enabled": true, + "precedence": false, + "nolog": false +} diff --git a/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json new file mode 100755 index 0000000..f87c346 --- /dev/null +++ b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000.json 
@@ -0,0 +1,47 @@
+{
+ "created": "2026-02-01T16:52:56-07:00",
+ "updated": "2026-02-01T16:52:56-07:00",
+ "name": "deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "dest.ip",
+ "data": "224.0.0.251",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "dest.port",
+ "data": "5353",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "user.id",
+ "data": "1000",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "process.path",
+ "data": "/opt/brave.com/brave/brave",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
\ No newline at end of file
diff --git a/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json
new file mode 100755
index 0000000..8435e63
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900.json
@@ -0,0 +1,40 @@
+{
+ "created": "2026-01-28T18:26:38-07:00",
+ "updated": "2026-01-28T18:26:38-07:00",
+ "name": "deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "dest.ip",
+ "data": "239.255.255.250",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "dest.port",
+ "data": "1900",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "process.path",
+ "data": "/opt/brave.com/brave/brave",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
\ No newline at end of file
diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json b/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json
new file mode 100755
index 0000000..3c55537
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-list-usr-bin-python3-13-239-255-255-250.json
@@ -0,0 +1,33 @@
+{
+ "created": "2026-01-28T11:12:27-07:00",
+ "updated": "2026-01-28T11:12:27-07:00",
+ "name": "deny-always-list-usr-bin-python3-13-239-255-255-250",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "dest.ip",
+ "data": "239.255.255.250",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "process.path",
+ "data": "/usr/bin/python3.13",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
\ No newline at end of file
diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json b/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json
new file mode 100755
index 0000000..03d7a6a
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118.json
@@ -0,0 +1,47 @@
+{
+ "created": "2026-01-28T11:31:29-07:00",
+ "updated": "2026-01-28T11:31:29-07:00",
+ "name": "deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "dest.ip",
+ "data": "239.255.255.250",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "dest.port",
+ "data": "3702",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "user.id",
+ "data": "118",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "process.path",
+ "data": "/usr/libexec/colord-sane",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
\ No newline at end of file
diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json
new file mode 100755
index 0000000..76f1cab
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353.json
@@ -0,0 +1,26 @@
+{
+ "created": "2026-01-28T11:08:56-07:00",
+ "updated": "2026-01-28T11:08:56-07:00",
+ "name": "deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "process.path",
+ "data": "/usr/sbin/avahi-daemon",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
diff --git a/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json
new file mode 100755
index 0000000..307e9fd
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53.json
@@ -0,0 +1,40 @@
+{
+ "created": "2026-01-28T11:33:02-07:00",
+ "updated": "2026-01-28T11:33:02-07:00",
+ "name": "deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "list",
+ "data": "",
+ "type": "list",
+ "list": [
+ {
+ "operand": "dest.host",
+ "data": "^(|.*\\.)ubuntu\\.com$",
+ "type": "regexp",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "dest.port",
+ "data": "53",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ },
+ {
+ "operand": "process.path",
+ "data": "/usr/sbin/chronyd",
+ "type": "simple",
+ "list": null,
+ "sensitive": false
+ }
+ ],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
diff --git a/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json b/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json
new file mode 100755
index 0000000..1d296e6
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-simple-usr-geoclue.json
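Review bot: The avahi-daemon rule is named `deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353`, but its operator list holds only the `process.path` entry, so it denies every connection avahi-daemon makes rather than just mDNS to 224.0.0.251:5353. Either add the `dest.ip` and `dest.port` entries that the brave and colord-sane deny rules in this commit carry, or rename it in the style of the geoclue and cups-browsed rules, e.g. `"name": "deny-always-simple-usr-sbin-avahi-daemon"`, with the filename following. As written, the name documents a narrower rule than the one that is enforced, which is the kind of mismatch that misleads whoever audits the ruleset later.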
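Review bot: The `dest.host` regexp `^(|.*\\.)ubuntu\\.com$` in `deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53` also matches `ntp-bootstrap.ubuntu.com`, which the allow rule added in the same commit permits on port 53 for the same process. Both rules have `"precedence": false`, so which one wins appears to rest on opensnitch's evaluation order (rules with precedence first, then by name, where `allow-…` sorts before `deny-…`) rather than on anything the rules state themselves. If the intent is to block only the pool hostnames, narrow the pattern to something like `"data": "^[0-9]\\.ntp\\.ubuntu\\.com$"`; otherwise set `"precedence": true` on the allow rule so the exception is explicit and survives a rename.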
@@ -0,0 +1,18 @@
+{
+ "created": "2026-01-28T14:32:45-07:00",
+ "updated": "2026-01-28T14:32:45-07:00",
+ "name": "deny-always-simple-usr-geoclue",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "process.path",
+ "data": "/usr/libexec/geoclue",
+ "type": "simple",
+ "list": [],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
diff --git a/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json b/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json
new file mode 100755
index 0000000..d8108d3
--- /dev/null
+++ b/config/settings/opensnitch/rules/deny-always-simple-usr-sbin-cups-browsed.json
@@ -0,0 +1,18 @@
+{
+ "created": "2026-01-28T14:32:45-07:00",
+ "updated": "2026-01-28T14:32:45-07:00",
+ "name": "deny-always-simple-usr-sbin-cups-browsed",
+ "description": "",
+ "action": "deny",
+ "duration": "always",
+ "operator": {
+ "operand": "process.path",
+ "data": "/usr/sbin/cups-browsed",
+ "type": "simple",
+ "list": [],
+ "sensitive": false
+ },
+ "enabled": true,
+ "precedence": false,
+ "nolog": false
+}
\ No newline at end of file
diff --git a/config/settings/opensnitch/settings.conf b/config/settings/opensnitch/settings.conf
old mode 100644
new mode 100755
diff --git a/config/settings/services/mem-alloc.service b/config/settings/services/mem-alloc.service
new file mode 100644
index 0000000..545514f
--- /dev/null
+++ b/config/settings/services/mem-alloc.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=build and install memory hardened allocator
+DefaultDependencies=no
+After=sysinit.target local-fs.target
+Before=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/mem_alloc.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=basic.target
diff --git a/config/settings/services/mem_alloc.sh b/config/settings/services/mem_alloc.sh
new file mode 100755
index 0000000..6d17180
--- /dev/null
+++ b/config/settings/services/mem_alloc.sh
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -e +set -x +if [ -f '/usr/src/hardened_malloc/Makefile' ]; then + cd /usr/src/hardened_malloc/ + make -s VARIANT=default CONFIG_NATIVE=false +fi +if [ -f '/usr/src/hardened_malloc/out/libhardened_malloc.so' ]; then + echo '/usr/src/hardened_malloc/out/libhardened_malloc.so' | tee /etc/ld.so.preload +fi + diff --git a/config/settings/skel/autorun.desktop b/config/settings/skel/autorun.desktop new file mode 100644 index 0000000..24b95f8 --- /dev/null +++ b/config/settings/skel/autorun.desktop @@ -0,0 +1,6 @@ +[Desktop Entry] +Name=Enable GNOME Extensions +Exec=/usr/gnome_settings.sh +Type=Application +Hidden=false +X-GNOME-Autostart-enabled=true diff --git a/config/settings/skel/gnome_settings.sh b/config/settings/skel/gnome_settings.sh new file mode 100644 index 0000000..548d63a --- /dev/null +++ b/config/settings/skel/gnome_settings.sh @@ -0,0 +1,3 @@ +#!/bin/bash +gnome-extensions enable ubuntu-appindicators@ubuntu.com +gsettings set org.gnome.desktop.interface color-scheme prefer-dark diff --git a/config/settings/skel/profile b/config/settings/skel/profile index a12e64d..3616d30 100644 --- a/config/settings/skel/profile +++ b/config/settings/skel/profile @@ -3,3 +3,12 @@ if [ -f ~/.bashrc ]; then . ~/.bashrc fi + +if [ ! -f $HOME/.config/opensnitch/firstrun]; then + mkdir -p $HOME/.config/opensnitch/ + cp /etc/opensnitchd/settings.conf $HOME/.config/opensnitch/settings.conf + touch $HOME/.config/opensnitch/firstrun +fi + + + diff --git a/scripts/boot_image.sh b/scripts/boot_image.sh index f31fc43..62bb85a 100755 --- a/scripts/boot_image.sh +++ b/scripts/boot_image.sh 
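Review bot: `mem_alloc.sh` writes `/etc/ld.so.preload` as soon as `libhardened_malloc.so` exists, without checking that the library actually loads; a build that produced a broken or incompatible object would then be preloaded into every dynamically linked process at the next boot, including the shells needed to undo it. A cheap guard is to try the library on a trivial binary first and only write the file on success, which also replaces the `echo … | tee` pipeline with a direct redirect. The unit runs this before `basic.target` on every boot, so the check costs nothing next to the `make` that precedes it.
```shell
# … unchanged: shebang, set -e / set -x, Makefile check and make invocation …
lib='/usr/src/hardened_malloc/out/libhardened_malloc.so'
if [ -f "$lib" ]; then
  # Refuse to preload a library that cannot even be loaded into /bin/true.
  if LD_PRELOAD="$lib" /bin/true; then
    printf '%s\n' "$lib" > /etc/ld.so.preload
  else
    echo "libhardened_malloc.so failed to load; leaving /etc/ld.so.preload untouched" >&2
    exit 1
  fi
fi
```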
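Review bot: In the `.profile` hunk the test `if [ ! -f $HOME/.config/opensnitch/firstrun]; then` has no space before `]`, so `[` receives `firstrun]` as the file operand, finds no closing bracket, prints a `missing ]` error and returns non-zero; the body never runs and `settings.conf` is never seeded into the user's config directory. The fix is `if [ ! -f "$HOME/.config/opensnitch/firstrun" ]; then`, and the three paths inside the block should be quoted the same way since `.profile` is sourced by `sh` with whatever `$HOME` the login supplies. The three trailing empty `+` lines at the end of the file can be dropped as well.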
@@ -4,5 +4,5 @@ cd .. disk="./outputs/boot_image.img" -qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=pc-q35-3.1,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 +qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 #--display gtk,gl=off --device virtio-gpu diff --git a/scripts/build_filesystem.sh b/scripts/build_filesystem.sh index eec34fc..c81e546 100755 --- a/scripts/build_filesystem.sh +++ b/scripts/build_filesystem.sh @@ -1,5 +1,6 @@ #!/bin/bash - +set -e +set -x if [ "$(id -u)" -ne 0 ]; then echo "switching from $(id -un) to root" exec sudo "$0" "$@" 
@@ -19,21 +20,49 @@ if mountpoint -q "./outputs/root/proc/"; then fi rsync -a ./outputs/root/ ./outputs/chroot/ mkdir -p ./outputs/chroot/proc + mount --bind /proc ./outputs/chroot/proc cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh cp ./config/config.json ./outputs/chroot/config.json +#copy opensnitch rules. +echo "copying firewall rules" +mkdir -p ./outputs/chroot/etc/ +mkdir -p ./outputs/chroot/etc/opensnitchd/ +rsync -a ./config/settings/opensnitch/ ./outputs/chroot/etc/opensnitchd/ + #setup user skeleton +sudo mkdir -p ./outputs/chroot/etc/skel/.config +printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile +cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh +chmod +x ./outputs/chroot/usr/gnome_settings.sh + +#installing hardened memory allocator if built +if [ -f ./dependencies/hardened_malloc/Makefile ]; then + rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/ +fi + +cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/ +find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \; +cp ./config/settings/services/*.sh ./outputs/chroot/usr/ + +echo "installing system from within chroot" chmod +x ./outputs/chroot/filesystem_chroot_install.sh chmod +x ./outputs/chroot/apply_initial_host_configuration.sh +mkdir -p ./outputs/chroot/lib/modules/ + +echo "installing kernel modules" +rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/ + +echo "installing filesystem" chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh" chroot ./outputs/chroot /bin/bash 
-c "/apply_initial_host_configuration.sh" - +cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop cd $DIR diff --git a/scripts/build_image.sh b/scripts/build_image.sh index 8bccb11..184dd63 100755 --- a/scripts/build_image.sh +++ b/scripts/build_image.sh @@ -1,7 +1,7 @@ #!/bin/bash if [ "$(id -u)" -ne 0 ]; then echo "switching from $(id -un) to root" - exec sudo "$0" "$@" + exec sudo ionice -c 3 "$0" "$@" fi set -e cd "$(dirname "$0")" diff --git a/scripts/install_dependencies.sh b/scripts/install_dependencies.sh index d043847..77632d7 100755 --- a/scripts/install_dependencies.sh +++ b/scripts/install_dependencies.sh @@ -4,7 +4,7 @@ if [ "$(id -u)" -ne 0 ]; then exec sudo "$0" "$@" fi set -e -list="kpartx podman debootstrap " +list="kpartx podman debootstrap qemu-system" apt update for item in $list; do apt install -y $item
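Review bot: The new `mount --bind /proc ./outputs/chroot/proc` in `build_filesystem.sh` has no matching `umount`; with the `set -e` this commit adds at the top of the script, any later failure (for instance the unguarded `rsync` of `./dependencies/linux/modules/lib/modules/`) exits with `/proc` still bound under `./outputs/chroot`, and the `mountpoint -q` cleanup visible at the hunk header checks `./outputs/root/proc/`, not the chroot path. Register the unmount right after the mount so both the success and the failure path release it, using an absolute path because the script ends with `cd $DIR`: `chroot_proc="$(pwd)/outputs/chroot/proc"`, `mount --bind /proc "$chroot_proc"`, `trap 'umount "$chroot_proc"' EXIT`. Separately, `sudo mkdir -p ./outputs/chroot/etc/skel/.config` is the only line using `sudo` in a script that already re-execs itself as root; `mkdir -p ./outputs/chroot/etc/skel/.config` matches the neighbouring lines.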