hardened malloc, working firewall.

2026-02-08 08:49:55 -07:00
parent d26067b2fa
commit 5b7a3ccd9b
41 changed files with 1141 additions and 20 deletions


@@ -48,3 +48,7 @@ jq --compact-output -r '.users[]' config.json | while read -r line; do
user_mod "$line"
done
echo "Configuration applied."
rm /config.json
rm /apply_initial_host_configuration.sh
rm /filesystem_chroot_install.sh
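Review bot: The three `rm` lines delete the script that is currently executing, together with its inputs, from inside the chroot, and none of them tolerates a missing file; if the script runs under `set -e` (its header is outside the hunk) a re-run or an earlier partial cleanup aborts the tail of the script. The host build script is what copies these files into the chroot, so removing them from the host side after the `chroot` calls return keeps cleanup in one place and makes the chroot script re-runnable. If they stay here, `rm -f -- /config.json /apply_initial_host_configuration.sh /filesystem_chroot_install.sh` is the tolerant form.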


@@ -7,3 +7,5 @@ cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_optio
cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json > ./.config
/usr/bin/make olddefconfig
/usr/bin/make -j ${cores}
mkdir -p /linux/modules
/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules
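Review bot: `modules_install` on the last line runs whether or not the preceding `make -j ${cores}` succeeded unless the file enables `set -e` above the hunk (the header is not visible), so a failed build can still populate `/linux/modules` with a stale or partial tree that the host script later rsyncs into the image. `/usr/bin/make -j "${cores}" || exit 1` makes the dependency explicit and the quoting guards against an empty `cores`. The context line above it, `cat ./.config | python3 … > ./.config`, reads and truncates the same file in one pipeline, which is a race; writing to a temporary file and renaming it over `.config` would be safer, though that is not part of this change.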


@@ -7,11 +7,12 @@ echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted u
echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list
apt update
apt upgrade -y
apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev
#install base system packages
apt install -y --install-recommends --install-suggests systemd
apt install -y --no-install-recommends gnome-core
apt install -y jq git rlwrap dnsutils curl systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip bpfcc-tools gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant gnome-shell-extension-appindicator keepassxc libnetfilter-queue-dev libpcap-dev protobuf-compiler bpftool golang ufw
apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant
apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch
#install packages from config
jq -r '.packages | .[]' config.json | while read -r item; do
@@ -24,29 +25,29 @@ echo "$locale"
locale-gen "$locale"
echo "LANG=$locale" > /etc/default/locale
#install python systemwide
#pip install --break-system-packages dnslib psutil
#add setuid for some applications
chmod u+s /usr/bin/bwrap
chmod u+s /usr/bin/ping
#install firewall
#mkdir -p /usr/local/src/
#cd /usr/local/src/
#git clone https://git.patronage.systems/matt/dnsf.git
#chmod +x /usr/local/src/dnsf/dnsf_install.sh
#/bin/bash -c /usr/local/src/dnsf/dnsf_install.sh
#disable setup screen config
mkdir -p ~/.config
touch ~/.config/gnome-initial-setup-done
#configure permissions for opensnitch firewall
chown -R root:root /etc/opensnitchd/
chmod 777 /etc/opensnitchd/settings.conf
#enable services
systemctl enable systemd-resolved
systemctl enable systemd-networkd
systemctl enable mem-alloc
#ui changes
gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'
#firewall enable (inbound block)
ufw enable
#install brave browser
curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
apt update
apt install -y brave-browser
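Review bot: `chmod 777 /etc/opensnitchd/settings.conf` makes the daemon's configuration world-writable, so any local user or compromised desktop process can flip `DefaultAction` from `deny` to `allow` or repoint `Rules.Path`, which undoes the firewall this commit sets up; the `chown -R root:root /etc/opensnitchd/` on the line before suggests root ownership was the intent. The only non-root consumer visible in the commit is the `.bash_profile` copy into `~/.config/opensnitch/`, which needs read access only, so `chmod 644 /etc/opensnitchd/settings.conf` (with `chmod 755 /etc/opensnitchd/`) is sufficient. Minor: `ufw` appears twice in the new `apt install -y rlwrap …` package list.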


@@ -1,5 +1,5 @@
{
"CONFIG_IKCONFIG":"m",
"CONFIG_IKCONFIG":"y",
"CONFIG_IKCONFIG_PROC":"y",
"CONFIG_104_QUAD_8": "m",
"CONFIG_60XX_WDT": "m",
@@ -2910,6 +2910,8 @@
"CONFIG_HDC100X": "m",
"CONFIG_HDC2010": "m",
"CONFIG_HDC3020": "m",
"CONFIG_BPF_SUPPORT_RAW_CT":"y",
"CONFIG_NFT_DNS":"y",
"CONFIG_HDLC": "m",
"CONFIG_HDLC_CISCO": "m",
"CONFIG_HDLC_FR": "m",
@@ -5031,6 +5033,7 @@
"CONFIG_NETFILTER_XT_MATCH_U32": "y",
"CONFIG_NETFILTER_XT_NAT": "y",
"CONFIG_NETFILTER_XT_SET": "y",
"CONFIG_NETFILTER_XT_TARGET_BPF": "y",
"CONFIG_NETFILTER_XT_TARGET_AUDIT": "y",
"CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "y",
"CONFIG_NETFILTER_XT_TARGET_CLASSIFY": "y",
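Review bot: `CONFIG_BPF_SUPPORT_RAW_CT` and `CONFIG_NFT_DNS` are not option names I recognise from mainline Kconfig, and the `update_kernel_make_config.py` pass followed by `make olddefconfig` drops any symbol the tree does not define without an error, so a misspelt or out-of-tree option silently leaves the feature off. Verify each new name against the Kconfig files of the kernel tree being built, or add a check after `olddefconfig` that every requested `=y` entry survived in `.config`. Style: the new `"CONFIG_IKCONFIG":"y"` and `"CONFIG_NFT_DNS":"y"` entries omit the space after the colon that the rest of the file uses.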


@@ -0,0 +1,37 @@
{
"Server": {
"Address": "unix:///tmp/osui.sock",
"LogFile": "/var/log/opensnitchd.log",
"Authentication": {
"Type": "simple",
"TLSOptions": {
"CACert": "",
"ServerCert": "",
"ClientCert": "",
"ClientKey": "",
"SkipVerify": false,
"ClientAuthType": "no-client-cert"
}
}
},
"DefaultAction": "deny",
"DefaultDuration": "once",
"InterceptUnknown": false,
"ProcMonitorMethod": "ebpf",
"LogLevel": 2,
"LogUTC": true,
"LogMicro": false,
"Firewall": "nftables",
"Rules": {
"Path": "/etc/opensnitchd/rules/"
},
"Stats": {
"MaxEvents": 150,
"MaxStats": 25,
"Workers": 6
},
"Internal": {
"GCPercent": 100,
"FlushConnsOnStart": false
}
}
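Review bot: `"InterceptUnknown": false` alongside `"DefaultAction": "deny"` leaves a gap: as I understand OpenSnitch's semantics, connections whose owning process the daemon cannot resolve are passed through rather than matched against `DefaultAction`, so deny-by-default only covers connections with a known PID. If a strict default-deny posture is the goal, set `"InterceptUnknown": true` and watch `/var/log/opensnitchd.log` for noise from short-lived processes. The `unix:///tmp/osui.sock` address is the upstream default, but since this file is installed system-wide its ownership and mode (set elsewhere in this commit) are what keep the UI socket and policy under root's control — confirm they end up root-owned and not world-writable.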


@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-changelog",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "changelogs.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:10:32-07:00",
"updated": "2026-01-28T11:10:32-07:00",
"name": "allow-always-list-usr-lib-systemd-systemd-resolved-853",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "853",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/systemd/systemd-resolved",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:09-07:00",
"updated": "2026-01-28T11:12:09-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:05-07:00",
"updated": "2026-01-28T11:12:05-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:13:04-07:00",
"updated": "2026-01-28T11:13:04-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "_https._tcp.brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:57-07:00",
"updated": "2026-01-28T11:11:57-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:20-07:00",
"updated": "2026-02-07T11:02:20-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:01:46-07:00",
"updated": "2026-02-07T11:01:46-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:56-07:00",
"updated": "2026-02-07T11:02:56-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:48-07:00",
"updated": "2026-02-07T11:02:48-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:38-07:00",
"updated": "2026-02-07T11:02:38-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:28-07:00",
"updated": "2026-02-07T11:02:28-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:09:37-07:00",
"updated": "2026-01-28T11:09:37-07:00",
"name": "allow-always-list-usr-sbin-chronyd-123",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "123",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "102",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
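Review bot: The `user.id` operand `"102"` ties this rule to whatever UID the chrony service account received at package-install time, which depends on install order and can differ between image builds; when it differs the rule silently stops matching and, with `DefaultAction: deny`, time sync fails with no obvious error. `process.path` already pins the binary to `/usr/sbin/chronyd`, so dropping the `user.id` entry keeps the rule robust. The `"42"` and `"118"` UIDs in the apt-methods and colord-sane rules have the same fragility.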


@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:23-07:00",
"updated": "2026-01-31T00:30:23-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:13:38-07:00",
"updated": "2026-01-28T11:13:38-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4460",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "4460",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:27-07:00",
"updated": "2026-01-31T00:30:27-07:00",
"name": "allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "ntp-bootstrap.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:41-07:00",
"updated": "2026-01-28T11:12:41-07:00",
"name": "allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "connectivity-check.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "0",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/NetworkManager",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-02-01T16:52:56-07:00",
"updated": "2026-02-01T16:52:56-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "224.0.0.251",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "5353",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "1000",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T18:26:38-07:00",
"updated": "2026-01-28T18:26:38-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "1900",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:12:27-07:00",
"updated": "2026-01-28T11:12:27-07:00",
"name": "deny-always-list-usr-bin-python3-13-239-255-255-250",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/bin/python3.13",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:31:29-07:00",
"updated": "2026-01-28T11:31:29-07:00",
"name": "deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "3702",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "118",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/libexec/colord-sane",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:08:56-07:00",
"updated": "2026-01-28T11:08:56-07:00",
"name": "deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "process.path",
"data": "/usr/sbin/avahi-daemon",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
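Review bot: The rule name ends in `224-0-0-251-5353`, but its operator list contains only `process.path`, so it denies every outbound connection from `/usr/sbin/avahi-daemon`, not just mDNS to 224.0.0.251:5353. If a blanket deny is intended, rename the rule so the policy reads correctly (or disable the service in the install script rather than firewalling it); if the narrower match was intended, add the `dest.ip` and `dest.port` entries the other deny rules in this commit use.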


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:33:02-07:00",
"updated": "2026-01-28T11:33:02-07:00",
"name": "deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
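Review bot: This deny rule has the same operands as the allow rule `allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53` earlier in the commit — `/usr/sbin/chronyd`, `dest.port` 53 and `dest.host` matching `^(|.*\\.)ubuntu\\.com$` — and both have `"precedence": false`, so which one applies depends on the daemon's rule ordering rather than on the intent in the names, and one of them is effectively dead. Judging by the names the intent was to deny `3.ntp.ubuntu.com` and allow `4.ntp.ubuntu.com`, which the shared regex cannot express; use `"type": "simple"` with the full hostname in each rule, or drop the deny rule.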


@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-geoclue",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/libexec/geoclue",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-sbin-cups-browsed",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/sbin/cups-browsed",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}

config/settings/opensnitch/settings.conf Normal file → Executable file


@@ -0,0 +1,13 @@
[Unit]
Description=build and install memory hardened allocator
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/usr/mem_alloc.sh
RemainAfterExit=yes
[Install]
WantedBy=basic.target
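Review bot: The chroot install script enables this unit as `systemctl enable mem-alloc`, while the script it starts is `/usr/mem_alloc.sh`; the unit's filename is not visible in the diff, and if it is `mem_alloc.service` the `enable` fails and the allocator is never installed (under `set -e` the whole install aborts), so the two spellings should be checked against each other. With `DefaultDependencies=no` and `Before=basic.target`, `ExecStart` compiles code and rewrites `/etc/ld.so.preload` early in boot with no timeout; adding `ConditionPathExists=/usr/src/hardened_malloc/Makefile` lets the unit skip cleanly on images without the source, and a `TimeoutStartSec=` bounds a stuck build.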


@@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -e
set -x
if [ -f '/usr/src/hardened_malloc/Makefile' ]; then
cd /usr/src/hardened_malloc/
make -s VARIANT=default CONFIG_NATIVE=false
fi
if [ -f '/usr/src/hardened_malloc/out/libhardened_malloc.so' ]; then
echo '/usr/src/hardened_malloc/out/libhardened_malloc.so' | tee /etc/ld.so.preload
fi
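Review bot: The second `if` writes `/etc/ld.so.preload` as soon as the shared object exists, without checking that it actually loads; a library that is present but unusable (a partial build left by an interrupted `make`, or one built against a different glibc) would then be preloaded into every dynamically linked process on the next boot, including the shell needed to repair it. Loading it into a trivial process first with `LD_PRELOAD="$lib" /bin/true` makes the step fail safe, and `printf … > file` replaces the `echo | tee`, which also echoes to stdout and, like the original, overwrites any existing preload entries — intentional or not, it deserves a comment.
```shell
# … unchanged: set -e / set -x and the make step …
lib='/usr/src/hardened_malloc/out/libhardened_malloc.so'
# Only enable the preload if the freshly built object can actually be loaded.
if [ -f "$lib" ] && LD_PRELOAD="$lib" /bin/true; then
  printf '%s\n' "$lib" > /etc/ld.so.preload
fi
```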


@@ -0,0 +1,6 @@
[Desktop Entry]
Name=Enable GNOME Extensions
Exec=/usr/gnome_settings.sh
Type=Application
Hidden=false
X-GNOME-Autostart-enabled=true


@@ -0,0 +1,3 @@
#!/bin/bash
gnome-extensions enable ubuntu-appindicators@ubuntu.com
gsettings set org.gnome.desktop.interface color-scheme prefer-dark


@@ -3,3 +3,12 @@
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
if [ ! -f $HOME/.config/opensnitch/firstrun]; then
mkdir -p $HOME/.config/opensnitch/
cp /etc/opensnitchd/settings.conf $HOME/.config/opensnitch/settings.conf
touch $HOME/.config/opensnitch/firstrun
fi
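Review bot: `if [ ! -f $HOME/.config/opensnitch/firstrun]; then` is missing the space before `]`, so `[` receives `…/firstrun]` as its last argument and fails with `missing ']'` on every login; the condition is therefore always false and the copy never runs. The fix is `if [ ! -f "$HOME/.config/opensnitch/firstrun" ]; then`, and the three `$HOME` expansions in the body should be quoted as well. The block also copies the daemon's server-side `settings.conf` into the UI's config directory — confirm that is the file the UI reads rather than a daemon-only format.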


@@ -4,5 +4,5 @@ cd ..
disk="./outputs/boot_image.img"
qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=pc-q35-3.1,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
#--display gtk,gl=off --device virtio-gpu


@@ -1,5 +1,6 @@
#!/bin/bash
set -e
set -x
if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root"
exec sudo "$0" "$@"
@@ -19,21 +20,49 @@ if mountpoint -q "./outputs/root/proc/"; then
fi
rsync -a ./outputs/root/ ./outputs/chroot/
mkdir -p ./outputs/chroot/proc
mount --bind /proc ./outputs/chroot/proc
cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh
cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh
cp ./config/config.json ./outputs/chroot/config.json
#copy opensnitch rules.
echo "copying firewall rules"
mkdir -p ./outputs/chroot/etc/
mkdir -p ./outputs/chroot/etc/opensnitchd/
rsync -a ./config/settings/opensnitch/ ./outputs/chroot/etc/opensnitchd/
#setup user skeleton
sudo mkdir -p ./outputs/chroot/etc/skel/.config
printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done
cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile
cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc
cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile
cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh
chmod +x ./outputs/chroot/usr/gnome_settings.sh
#installing hardened memory allocator if built
if [ -f ./dependencies/hardened_malloc/Makefile ]; then
rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/
fi
cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/
find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \;
cp ./config/settings/services/*.sh ./outputs/chroot/usr/
echo "installing system from within chroot"
chmod +x ./outputs/chroot/filesystem_chroot_install.sh
chmod +x ./outputs/chroot/apply_initial_host_configuration.sh
mkdir -p ./outputs/chroot/lib/modules/
echo "installing kernel modules"
rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/
echo "installing filesystem"
chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh"
chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh"
cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
cd $DIR
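Review bot: `sudo mkdir -p ./outputs/chroot/etc/skel/.config` is redundant and inconsistent — the script re-execs itself as root at the top, so every other `mkdir`/`cp` already runs as root. The `find ./config/settings/services/ … -exec chmod +x {} \;` sets the executable bit on the checked-out source files rather than on the copies made on the next line, leaving the working tree modified; `chmod +x ./outputs/chroot/usr/*.sh` after the `cp`, as is already done for `gnome_settings.sh`, has the intended effect. Also, `rsync -a ./dependencies/hardened_malloc/` copies any host-built `out/` directory along with the source, so the boot-time `mem_alloc.sh` may find and preload an object compiled for the host CPU instead of rebuilding with `CONFIG_NATIVE=false`; `--exclude out/` forces the in-image build.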


@@ -1,7 +1,7 @@
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "switching from $(id -un) to root"
exec sudo "$0" "$@"
exec sudo ionice -c 3 "$0" "$@"
fi
set -e
cd "$(dirname "$0")"


@@ -4,7 +4,7 @@ if [ "$(id -u)" -ne 0 ]; then
exec sudo "$0" "$@"
fi
set -e
list="kpartx podman debootstrap "
list="kpartx podman debootstrap qemu-system"
apt update
for item in $list; do
apt install -y $item