

30 Commits

8ff4349ffb seperate downloading of the hardened malloc. 2026-02-08 21:14:39 -07:00
543de5bdce build filesystem folder. 2026-02-08 14:48:15 -07:00
1b1e74d67f hardened malloc download. 2026-02-08 14:13:14 -07:00
19ede9ac58 add in bootstrapping of root folder. 2026-02-08 13:19:48 -07:00
2770dfc964 hardened malloc. networking + firewall. json based config. 2026-02-08 12:36:23 -07:00
Matt Knoop
cdb972579a bootable. 2025-12-10 09:09:44 -07:00
Matt Knoop
c3a573a91e updated kernel options. 2025-12-09 22:06:11 -07:00
Matt Knoop
e914ac9619 changes to the initramfs. very specific changes to included kernel modules. 2025-12-09 17:17:07 -07:00
Matt Knoop
09eb3c54ba . 2025-12-09 00:07:51 -07:00
Matt Knoop
fb75cc36df fix networking. 2025-12-08 22:02:35 -07:00
Matt Knoop
98e8ee8800 permission changes. 2025-12-08 10:17:25 -07:00
71833416e4 booting to gnome, with debootstrap. 2025-12-08 08:21:43 -08:00
221c49ccbb update scripts. relative directories. boot to ubuntu noble command line. 2025-12-06 23:24:59 -08:00
Matt Knoop
191a3c9568 folder reorganization. 2025-12-04 09:48:10 -07:00
Matt Knoop
3a77b4a3cd build the kernel in the container. 2025-11-23 11:36:55 -07:00
Matt Knoop
26645cc10d boots to DE. 2025-11-23 11:26:08 -07:00
Matt Knoop
704fa1b0aa updates nov 16th. 2025-11-16 20:50:46 -07:00
248948f9f9 Update README.md 2025-11-12 18:59:14 -07:00
2d681243e7 Update README.md 2025-11-12 18:50:16 -07:00
b3ad06ca5f Update README.md 2025-11-12 18:45:41 -07:00
Matt Knoop
46a74c8dcc remove scripts that are no longer used. 2025-11-12 18:43:03 -07:00
Matt Knoop
112169798d build the kernel. create a bootable efi image. 2025-11-12 18:37:10 -07:00
bde0a7e0fb Update containerfile 2025-10-31 14:32:53 -06:00
c0bd63ebf8 Update build.sh 2025-10-31 08:56:23 -06:00
d2e14bfed4 Update build.sh 2025-10-31 08:55:09 -06:00
8892901369 Update containerfile 2025-10-31 08:52:19 -06:00
601ee1739f Upload files to "/" 2025-10-31 08:45:25 -06:00
24dbc38792 Add kernelb.sh 2025-10-31 08:40:19 -06:00
f18d9b53e4 Add containerfile 2025-10-31 08:39:47 -06:00
1b11644604 Add build.sh 2025-10-31 08:39:12 -06:00
61 changed files with 11383 additions and 0 deletions

9
.gitignore vendored Normal file

@@ -0,0 +1,9 @@
# artifacts
outputs/
artifacts/
dependencies/
# Compiled Python bytecode
*.py[cod]

0
LICENSE Normal file → Executable file

6
README.md Normal file → Executable file

@@ -1,2 +1,8 @@
# PatronageOS # PatronageOS
modern linux distro based on the latest kernel.
minimal dependencies.
kernel and subsystems are/will be built in a rootless containers.
start with ./scripts/build_everything.sh

BIN
busybox Executable file



@@ -0,0 +1,54 @@
#!/bin/bash
set -e
set -x
echo 'initial configuration'
# Parse the JSON file
while IFS="=" read -r key value; do
declare "$key=$value"
done < <(jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' config.json)
echo "$hostname" > /etc/hostname
echo "127.0.0.1 $hostname"> /etc/hosts
echo "$timezone" > /etc/timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
# Set the root password
echo "root:$root_password" | chpasswd
#set additional profile options.
jq --compact-output -r '.profile[]' config.json | while read -r line; do
echo "$line" >> /etc/profile
done
echo "export PATH=$PATH:/usr/local/go/bin" >> /etc/profile
#set default shell to bash.
sed -i 's|^SHELL=.*|SHELL=/bin/bash|' /etc/default/useradd
user_mod() {
echo "$1"
username=$(echo "$1" | jq -r '.username')
password=$(echo "$1" | jq -r '.password')
# Create user
if getent passwd "$username" >/dev/null 2>&1; then
echo "User already exists"
else
useradd -m "$username"
fi
# Set password
echo "$username:$password" | chpasswd
# Add to sudo group
usermod -aG sudo "$username"
}
jq --compact-output -r '.users[]' config.json | while read -r line; do
user_mod "$line"
done
echo "Configuration applied."
rm /config.json
rm /apply_initial_host_configuration.sh
rm /filesystem_chroot_install.sh
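Review bot: With `set -x` enabled at the top of the script, `echo "root:$root_password" | chpasswd` and the identical pattern inside `user_mod` trace the root password and every configured user's password into whatever captures the build's stderr. Disable tracing around those two commands, e.g. `{ set +x; } 2>/dev/null; echo "root:$root_password" | chpasswd; set -x`, and do the same in `user_mod`. The `/etc/hosts` rewrite (`echo "127.0.0.1 $hostname"> /etc/hosts`) also drops the `127.0.0.1 localhost` and `::1 localhost` entries, so `localhost` stops resolving on the booted system; write both, e.g. `printf '127.0.0.1 localhost\n::1 localhost\n127.0.1.1 %s\n' "$hostname" > /etc/hosts`. The `declare "$key=$value"` loop lets any top-level key in `config.json` assign an arbitrary shell variable (including `PATH` or `IFS`), so the keys the script actually reads should be whitelisted. Separately, `/etc/localtime` is hard-wired to `America/Los_Angeles` while `/etc/timezone` receives `$timezone` (America/Denver in the checked-in config), so the two disagree.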

9
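--- a/config/build_containerfile
+++ b/config/build_containerfile
@@ -0,0 +1,9 @@
+from ubuntu:latest
+run apt-get update
+run apt-get upgrade -y
+run apt-get install -y bison flex gcc make libncurses-dev git bc build-essential git libncurses5-dev lzop perl libssl-dev bison flex kmod device-tree-compiler dwarves libelf-dev libdwarf-dev libdw-dev python3 gawk zstd
+workdir /linux
+add ./config/container_cmd.sh /
+add ./config/update_kernel_make_config.py /
+run chmod +x /container_cmd.sh
+cmd ["/usr/bin/bash","-c","/container_cmd.sh"]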
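Review bot: `from ubuntu:latest` followed by an unpinned `apt-get upgrade` means the kernel toolchain is whatever the registry and the mirror serve on the day of the build, so two builds of the same commit can yield different kernels and there is nothing to compare against if a bad package lands in the chain. Pin the base to a release tag plus digest, e.g. `FROM ubuntu:24.04@sha256:<digest recorded when pinning>`, and consider capturing the apt package versions the build used (`dpkg -l > /linux/toolchain-manifest.txt`) next to the kernel artifacts. The package list also repeats `git`, `bison` and `flex`, which is harmless but suggests it was assembled by hand; a `# toolchain for the kernel build` comment and a sorted, deduplicated list would make later additions easier to review.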

28
config/config.json Normal file

@@ -0,0 +1,28 @@
{
"hostname": "linuxhost",
"timezone": "America/Denver",
"root_password": "password",
"locale":"en_US.UTF-8",
"users": [
{
"username": "user1",
"password": "password1"
},
{
"username": "user2",
"password": "password2"
}
],
"packages": [
"htop",
"git",
"ffmpeg",
"vlc",
"pciutils",
"usbutils"
],
"profile":[],
"allowed_dns":[],
"allowed_host":[]
}
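Review bot: The checked-in defaults are live credentials — `"root_password": "password"` and `user1`/`user2` with `password1`/`password2` — and the host-configuration script in this change writes them with `chpasswd` and adds both users to `sudo`, so any image built without first editing this file boots with a well-known root password and two well-known sudo accounts. Ship the file with empty values and have the apply script refuse to continue when `root_password` or a user password is empty or still equals the placeholder, or read the secrets from a file that is kept out of the repository. `allowed_dns` and `allowed_host` are present but nothing else in this change reads them; since JSON cannot carry a comment, the README should say whether they are honoured yet.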

11
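--- a/config/container_cmd.sh
+++ b/config/container_cmd.sh
@@ -0,0 +1,11 @@
+set -e
+cores=$(nproc)
+echo "${cores}"
+/usr/bin/make clean
+/usr/bin/make defconfig
+cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json
+cat ./.config | python3 /update_kernel_make_config.py --file /linux/kernel_options.json > ./.config
+/usr/bin/make olddefconfig
+/usr/bin/make -j ${cores}
+mkdir -p /linux/modules
+/usr/bin/make modules_install INSTALL_MOD_PATH=/linux/modules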
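Review bot: `cat ./.config | python3 ... > ./.config` opens `.config` for truncation when the pipeline is set up, with no guarantee that `cat` has finished (or started) reading it, so on a bad race the kernel config fed to `make olddefconfig` is empty or cut short and the hardening options in `kernel_options.json` are silently lost. Write to a temporary file and rename it: `python3 /update_kernel_make_config.py --file /linux/kernel_options.json < ./.config > ./.config.new && mv ./.config.new ./.config`. The preceding line runs the same filter only to print it, which is fine as a build log but deserves a comment (`# print the merged config for the build log`). The file has no shebang and depends on the containerfile's `bash -c`; `#!/usr/bin/env bash` at the top makes it behave the same when run by hand.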


@@ -0,0 +1,54 @@
#add sources list for questing.
set -e
set -x
echo "deb https://archive.ubuntu.com/ubuntu questing main restricted universe multiverse" > /etc/apt/sources.list
echo "deb https://archive.ubuntu.com/ubuntu questing-updates main restricted universe multiverse" >> /etc/apt/sources.list
echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted universe multiverse" >> /etc/apt/sources.list
echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list
apt update
apt upgrade -y
apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev
#install base system packages
apt install -y --install-recommends --install-suggests systemd
apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant
apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch
#install packages from config
jq -r '.packages | .[]' config.json | while read -r item; do
apt install -y "$item"
done
#set locale
locale=$(jq -r '.locale' config.json)
echo "$locale"
locale-gen "$locale"
echo "LANG=$locale" > /etc/default/locale
#add setuid for some applications
chmod u+s /usr/bin/bwrap
chmod u+s /usr/bin/ping
#disable setup screen config
mkdir -p ~/.config
touch ~/.config/gnome-initial-setup-done
#enable services
systemctl enable systemd-resolved
systemctl enable systemd-networkd
systemctl enable mem-alloc
#firewall enable (inbound block)
ufw enable
#install brave browser
curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
apt update
apt install -y brave-browser
#configure permissions for opensnitch firewall
rsync -a /usr/src/opensnitchd/ /etc/opensnitchd/
chown -R root:root /etc/opensnitchd/
chmod 777 /etc/opensnitchd/settings.conf
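Review bot: `chmod 777 /etc/opensnitchd/settings.conf` makes the opensnitch UI settings world-writable immediately after they were `chown -R root:root`'d, so any local account can rewrite the defaults that every new user's `~/.profile` (also added in this change) copies into its own config; the file only needs to be readable, so `chmod 644 /etc/opensnitchd/settings.conf`. `chmod u+s /usr/bin/bwrap` makes bubblewrap setuid root, which Ubuntu deliberately does not ship — if this is to cope with unprivileged user namespaces being disabled by the hardened kernel config, say so in a comment, because it hands every local user a root-setuid sandbox launcher and widens the attack surface of the very component meant to contain applications. The section's filename was lost from the page; the `rm /filesystem_chroot_install.sh` in the host-configuration script suggests this is that file. `ufw` is also listed twice in the `apt install` line.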

5
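--- a/config/filesystem_cmd.sh
+++ b/config/filesystem_cmd.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+fakechroot
+debootstrap --version
+debootstrap --variant=fakechroot --arch amd64 bionic /tmp/rootfs/ http://archive.ubuntu.com/ubuntu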
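Review bot: `debootstrap ... bionic` bootstraps Ubuntu 18.04, which is out of standard support, while the chroot install script in this change points apt at `questing`; a multi-release upgrade inside a fakechroot is unlikely to be intended, so pick the target release once and use it in both places. The bare `fakechroot` on line 3 starts a shell rather than wrapping anything (on a non-interactive stdin it simply exits), so `debootstrap` does not actually run under fakechroot; the debootstrap manual's form is `fakechroot fakeroot debootstrap --variant=fakechroot --arch amd64 <release> /tmp/rootfs/ http://archive.ubuntu.com/ubuntu`. The archive is fetched over `http://`, which is fine only because debootstrap verifies the `Release` signature — that requires the keyring for the chosen release to be present in the build image, which `config/filesystem_containerfile` does not install.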

11
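--- a/config/filesystem_containerfile
+++ b/config/filesystem_containerfile
@@ -0,0 +1,11 @@
+FROM ubuntu:latest
+run ls /
+run apt-get update
+run apt-get install -y pacstrap
+run mkdir -p /tmp/
+run mkdir -p /tmp/rootfs/
+workdir /linux
+add ./config/filesystem_cmd.sh /
+add ./config/polystrap.cfg /tmp
+run chmod +x /filesystem_cmd.sh
+cmd ["/usr/bin/bash","-c","/filesystem_cmd.sh"]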
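Review bot: The image installs `pacstrap`, but `filesystem_cmd.sh`, which it runs, calls `fakechroot` and `debootstrap` and neither is installed here, so unless the base image already ships them the build fails at the first call; `run apt-get install -y debootstrap fakechroot fakeroot ubuntu-keyring` is what the script needs, and `pacstrap` can go if the Arch path is unused. `add ./config/polystrap.cfg /tmp` references a file that is not part of this change and nothing in `filesystem_cmd.sh` reads it. `FROM ubuntu:latest` is unpinned, so the bootstrap tooling changes underneath the build; pin a release tag and digest. `run ls /` is debugging output and can be dropped.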

19
config/grub.cfg Executable file

@@ -0,0 +1,19 @@
set timeout=1
set default=0
echo 'loading modules..'
insmod normal
insmod fat
insmod part_gpt
insmod gzio
insmod ext
echo 'loading menu..'
set root='(hd0,gpt1)'
ls (hd0,gpt1)/EFI/patronage/
menuentry "PatronageOS" {
linux /EFI/patronage/bzImage quiet splash boot=/init
echo 'loaded kernel...'
initrd /EFI/patronage/initramfs.cpio.gz
echo 'loaded initial ramdisk...'
boot
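Review bot: The menu has no `set superusers`/`password_pbkdf2`, so anyone at the console can press `e` within the one-second timeout and append `init=/bin/sh` to the kernel line, landing in a root shell without the root password set by the host-configuration script; add `set superusers="root"` and `password_pbkdf2 root <hash from grub-mkpasswd-pbkdf2>`, and use `menuentry "PatronageOS" --unrestricted {` if unattended boot must still work. `boot=/init` is not a parameter the mainline kernel or a busybox `/init` acts on (it is an initramfs-tools convention); the initramfs init is chosen with `rdinit=`, and `/init` is already the default, so the argument can be removed. The `ls (hd0,gpt1)/EFI/patronage/` line and the hard-coded `set root='(hd0,gpt1)'` look like debugging leftovers; `search --no-floppy --set=root --file /EFI/patronage/bzImage` survives a different disk enumeration.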
}

23
config/init.sh Executable file

@@ -0,0 +1,23 @@
#!/bin/busybox sh
set -e
/bin/busybox echo 'mounting /proc..'
/bin/busybox mount -t proc proc /proc
/bin/busybox echo 'mounting /sys..'
/bin/busybox mount -t sysfs sysfs /sys
/bin/busybox echo 'mounting /dev..'
/bin/busybox mount -t devtmpfs devtmpfs /dev
/bin/busybox echo 'creating root..'
/bin/busybox mkdir -p /newroot
/bin/busybox echo 'mounting root..'
/bin/busybox mount $(/bin/busybox findfs LABEL=ROOT) /newroot
#/bin/busybox echo 'moving /sys..'
#/bin/busybox mount --move /sys /newroot/sys
#/bin/busybox echo 'moving /dev..'
#/bin/busybox mount --move /dev /newroot/dev
#/bin/busybox echo 'moving /proc..'
#/bin/busybox mount --move /proc /newroot/proc
#/bin/busybox modprobe encryptfs
#/bin/busybox modprobe dm-crypt
/bin/busybox echo 'switching root..'
exec switch_root /newroot /lib/systemd/systemd --system
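Review bot: `mount $(/bin/busybox findfs LABEL=ROOT) /newroot` mounts whichever block device currently carries the label `ROOT`, so an attached drive with that label is booted as the system root, and when nothing matches the substitution is empty, `mount /newroot` fails and `set -e` leaves the kernel to panic with no shell to diagnose from. Capture the device and fail loudly: `rootdev=$(/bin/busybox findfs LABEL=ROOT) || exec /bin/busybox sh` followed by `/bin/busybox mount -o ro "$rootdev" /newroot`. Identifying the root by PARTUUID passed on the kernel command line, or through the dm-crypt/dm-verity path the commented-out `modprobe` lines hint at, is what a hardened image needs here rather than a user-settable label. `exec switch_root` is the one command not prefixed with `/bin/busybox`, so it depends on PATH inside the initramfs.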


@@ -0,0 +1,5 @@
[Match]
Name=*
[Network]
DHCP=yes
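Review bot: With `DHCP=yes` and no `UseDNS=false`, systemd-networkd passes the DHCP server's resolvers to systemd-resolved as per-link DNS, so — as far as I can tell from the two files — the Quad9/Cloudflare DNS-over-TLS servers in `config/resolved.conf` are not the only upstreams in play, and any network the machine joins can push its own resolver, which is what `DNSOverTLS=yes` is meant to rule out. Add `UseDNS=false` under `[Network]` (and `UseNTP=false` if chrony's sources are also meant to stay fixed). `Name=*` also matches virtual interfaces such as bridges and VPN tunnels, which usually should not run DHCP; `Type=ether` or `Name=en* wl*` is the customary narrower match.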

9690
config/kernel_options.json Normal file


9
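--- a/config/resolved.conf
+++ b/config/resolved.conf
@@ -0,0 +1,9 @@
+[Resolve]
+Domains=~.
+DNSSEC=true
+DNSOverTLS=yes
+MulticastDNS=no
+LLMNR=no
+Cache=yes
+DNSStubListener=yes
+DNS=9.9.9.11#dns11.quad9.net DNS=1.1.1.1#cloudflare-dns.com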
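Review bot: The last line places two assignments on one line, `DNS=9.9.9.11#dns11.quad9.net DNS=1.1.1.1#cloudflare-dns.com`; `DNS=` takes a space-separated list of servers after a single key, so the second token is parsed as a server address spelled `DNS=1.1.1.1#cloudflare-dns.com` and rejected, leaving only Quad9 configured (or, if the parser refuses the whole value, no servers at all and the compiled-in fallbacks). Write `DNS=9.9.9.11#dns11.quad9.net 1.1.1.1#cloudflare-dns.com`, and set `FallbackDNS=` explicitly so the distribution's built-in fallback list is not used silently when the configured servers are unreachable.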


@@ -0,0 +1,37 @@
{
"Server": {
"Address": "unix:///tmp/osui.sock",
"LogFile": "/var/log/opensnitchd.log",
"Authentication": {
"Type": "simple",
"TLSOptions": {
"CACert": "",
"ServerCert": "",
"ClientCert": "",
"ClientKey": "",
"SkipVerify": false,
"ClientAuthType": "no-client-cert"
}
}
},
"DefaultAction": "deny",
"DefaultDuration": "once",
"InterceptUnknown": false,
"ProcMonitorMethod": "ebpf",
"LogLevel": 2,
"LogUTC": true,
"LogMicro": false,
"Firewall": "nftables",
"Rules": {
"Path": "/etc/opensnitchd/rules/"
},
"Stats": {
"MaxEvents": 150,
"MaxStats": 25,
"Workers": 6
},
"Internal": {
"GCPercent": 100,
"FlushConnsOnStart": false
}
}
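Review bot: `"InterceptUnknown": false` lets connections whose originating process cannot be identified pass without being matched against the rules, which is the one class of traffic a `"DefaultAction": "deny"` policy most needs to see; for a deny-by-default posture set it to `true` and accept the occasional extra prompt. The UI socket is `unix:///tmp/osui.sock` with `"Type": "simple"` authentication and empty TLS options, so the root daemon trusts whichever process binds that path in world-writable `/tmp`; on a multi-user install (this change's `config.json` creates two accounts) a local user running a fake UI can approve connections for everyone. Moving the socket out of `/tmp` or enabling the TLS `ClientAuthType` options is the mitigation, and whichever is chosen should be recorded in the README since JSON cannot carry a comment.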


@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-changelog",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "changelogs.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:10:32-07:00",
"updated": "2026-01-28T11:10:32-07:00",
"name": "allow-always-list-usr-lib-systemd-systemd-resolved-853",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "853",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/systemd/systemd-resolved",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:09-07:00",
"updated": "2026-01-28T11:12:09-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-443-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:05-07:00",
"updated": "2026-01-28T11:12:05-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:13:04-07:00",
"updated": "2026-01-28T11:13:04-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-https-tcp-brave-browser-apt-release-s3-brave-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "_https._tcp.brave-browser-apt-release.s3.brave.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:49-07:00",
"updated": "2026-01-28T11:11:49-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-53-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:11:57-07:00",
"updated": "2026-01-28T11:11:57-07:00",
"name": "allow-always-list-usr-lib-apt-methods-http-ubuntu-com-80-42",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "42",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/apt/methods/http",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:20-07:00",
"updated": "2026-02-07T11:02:20-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:01:46-07:00",
"updated": "2026-02-07T11:01:46-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-api-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "api.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:56-07:00",
"updated": "2026-02-07T11:02:56-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:48-07:00",
"updated": "2026-02-07T11:02:48-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-dashboard-snapcraft-io-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "dashboard.snapcraft.io",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:38-07:00",
"updated": "2026-02-07T11:02:38-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-443",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "443",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-02-07T11:02:28-07:00",
"updated": "2026-02-07T11:02:28-07:00",
"name": "allow-always-list-usr-lib-snapd-snapd-snapcraftcontent-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)snapcraftcontent\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/lib/snapd/snapd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:09:37-07:00",
"updated": "2026-01-28T11:09:37-07:00",
"name": "allow-always-list-usr-sbin-chronyd-123",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "123",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "102",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
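Review bot: The rule pins `user.id` to `102`, a system UID that is handed out in package-installation order, so a rebuilt rootfs where chrony lands on a different UID stops matching and, with `DefaultAction` set to `deny` in the daemon config, NTP silently fails until someone reads the log. Since `process.path` is already `/usr/sbin/chronyd`, the UID operand adds little; drop it, or generate these rule files at image-build time from `getent passwd _chrony`. The same applies to the hard-coded `42` in the apt rules and `118` in the colord-sane rule elsewhere in this change.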


@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:23-07:00",
"updated": "2026-01-31T00:30:23-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:13:38-07:00",
"updated": "2026-01-28T11:13:38-07:00",
"name": "allow-always-list-usr-sbin-chronyd-4460",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.port",
"data": "4460",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,40 @@
{
"created": "2026-01-31T00:30:27-07:00",
"updated": "2026-01-31T00:30:27-07:00",
"name": "allow-always-list-usr-sbin-chronyd-ntp-bootstrap-ubuntu-com-53",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "ntp-bootstrap.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:12:41-07:00",
"updated": "2026-01-28T11:12:41-07:00",
"name": "allow-always-list-usr-sbin-networkmanager-connectivity-check-ubuntu-com-80-0",
"description": "",
"action": "allow",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "connectivity-check.ubuntu.com",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "80",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "0",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/NetworkManager",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-02-01T16:52:56-07:00",
"updated": "2026-02-01T16:52:56-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-224-0-0-251-5353-1000",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "224.0.0.251",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "5353",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "1000",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
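Review bot: The rule only matches `user.id` `1000`, so with the two accounts this change's `config.json` creates, Brave running as the second user (presumably uid 1001) still sends the mDNS queries to `224.0.0.251:5353` that the rule is meant to stop; the `process.path`, `dest.ip` and `dest.port` operands already identify the traffic, so drop the UID operand. The companion SSDP deny for Brave in this change has no UID operand, so removing it here also makes the two rules consistent.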


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T18:26:38-07:00",
"updated": "2026-01-28T18:26:38-07:00",
"name": "deny-always-list-opt-brave-com-brave-brave-239-255-255-250-1900",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "1900",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/opt/brave.com/brave/brave",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,33 @@
{
"created": "2026-01-28T11:12:27-07:00",
"updated": "2026-01-28T11:12:27-07:00",
"name": "deny-always-list-usr-bin-python3-13-239-255-255-250",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/bin/python3.13",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,47 @@
{
"created": "2026-01-28T11:31:29-07:00",
"updated": "2026-01-28T11:31:29-07:00",
"name": "deny-always-list-usr-libexec-colord-sane-239-255-255-250-3702-118",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.ip",
"data": "239.255.255.250",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "3702",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "user.id",
"data": "118",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/libexec/colord-sane",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,26 @@
{
"created": "2026-01-28T11:08:56-07:00",
"updated": "2026-01-28T11:08:56-07:00",
"name": "deny-always-list-usr-sbin-avahi-daemon-224-0-0-251-5353",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "process.path",
"data": "/usr/sbin/avahi-daemon",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
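Review bot: The rule name says `224-0-0-251-5353`, but the only operand is `process.path` `/usr/sbin/avahi-daemon`, so it denies every connection avahi makes, not just mDNS to 224.0.0.251:5353; either add the `dest.ip`/`dest.port` operands the name promises or rename it to `deny-always-simple-usr-sbin-avahi-daemon` so nobody later loosens it believing it is scoped. If the intent is that avahi never talks on the network at all, `systemctl disable --now avahi-daemon.socket avahi-daemon.service` in the install script is the more robust control than a userspace firewall rule that applies only while opensnitchd is running.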


@@ -0,0 +1,40 @@
{
"created": "2026-01-28T11:33:02-07:00",
"updated": "2026-01-28T11:33:02-07:00",
"name": "deny-always-list-usr-sbin-chronyd-3-ntp-ubuntu-com-53",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "list",
"data": "",
"type": "list",
"list": [
{
"operand": "dest.host",
"data": "^(|.*\\.)ubuntu\\.com$",
"type": "regexp",
"list": null,
"sensitive": false
},
{
"operand": "dest.port",
"data": "53",
"type": "simple",
"list": null,
"sensitive": false
},
{
"operand": "process.path",
"data": "/usr/sbin/chronyd",
"type": "simple",
"list": null,
"sensitive": false
}
],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}
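Review bot: This deny rule has exactly the same operands as the allow rule `allow-always-list-usr-sbin-chronyd-4-ntp-ubuntu-com-53` added in the same change — `dest.host` `^(|.*\.)ubuntu\.com$`, `dest.port` `53`, `process.path` `/usr/sbin/chronyd` — and both are `"precedence": false`, so which one wins depends on the daemon's rule-evaluation order rather than on anything stated in either file, and chrony's DNS lookups of ubuntu.com are either always allowed or always denied by accident. Delete one of the two (the allow rule created on `2026-01-31` reads like the intended correction of this `2026-01-28` deny) or set `"precedence": true` on the one that should win.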


@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-geoclue",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/libexec/geoclue",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,18 @@
{
"created": "2026-01-28T14:32:45-07:00",
"updated": "2026-01-28T14:32:45-07:00",
"name": "deny-always-simple-usr-sbin-cups-browsed",
"description": "",
"action": "deny",
"duration": "always",
"operator": {
"operand": "process.path",
"data": "/usr/sbin/cups-browsed",
"type": "simple",
"list": [],
"sensitive": false
},
"enabled": true,
"precedence": false,
"nolog": false
}


@@ -0,0 +1,46 @@
[General]
statsDialog=1
[database]
file=:memory:
max_days=1
purge_interval=5
purge_oldest=true
type=0
[global]
default_action=0
default_duration=6
default_ignore_rules=false
default_ignore_temporary_rules=0
default_popup_advanced=true
default_popup_advanced_dstip=true
default_popup_advanced_dstport=true
default_popup_advanced_uid=false
default_popup_position=0
default_target=0
default_timeout=30
disable_popups=false
[notifications]
enabled=true
type=0
[promptDialog]
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\x6\x93\0\0\x3\x86\0\0\b\x9a\0\0\x4\xde\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde\0\0\0\0\0\0\0\0\xf\0\0\0\x6\x93\0\0\x3\xab\0\0\b\x9a\0\0\x4\xde)
[statsDialog]
general_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4o\0\0\0\a\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\a\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x1\x1\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xf5\0\0\0\x1\0\0\0\0\0\0\0\xe9\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
general_filter_text=
general_limit_results=0
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x3\0\0\0\0\a\x84\0\0\x4&\0\0\f\b\0\0\a\xf7\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7\0\0\0\0\0\0\0\0\xf\0\0\0\a\x84\0\0\x4K\0\0\f\b\0\0\a\xf7)
last_tab=0
nodes_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x5\x88\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0>\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x2*\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
rules_columns_state=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
rules_tree_0_expanded=false
rules_tree_1_expanded=false
show_columns=0, 1, 2, 3, 4, 5, 6
view_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\xaa\0\0\0\v\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\v\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_columns_state4=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x3\xe2\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\x1\x64\0\0\0\x1\0\0\0\x3\0\0\x2~\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_details_columns_state0=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc8\0\0\0\x2\0\x1\x1\x1\0\0\0\0\0\0\0\0\x1\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\x2\0\0\0\x64\0\0\0\x1\0\0\0\x3\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)
view_details_columns_state2=@ByteArray(\0\0\0\xff\0\0\0\0\0\0\0\x1\0\0\0\x1\xff\xff\xff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x4\x46\0\0\0\n\0\x1\x1\x1\0\0\0\0\0\0\0\0\0\0\0\0\x64\xff\xff\xff\xff\0\0\0\x84\0\0\0\0\0\0\0\n\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\x64\0\0\0\x1\0\0\0\0\0\0\0\xc2\0\0\0\x1\0\0\0\0\0\0\x3\xe8\0\0\0\0\x64)


@@ -0,0 +1,13 @@
[Unit]
Description=build and install memory hardened allocator
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/usr/mem_alloc.sh
RemainAfterExit=yes
[Install]
WantedBy=basic.target
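Review bot: The unit runs /usr/mem_alloc.sh on every boot, which means a compiler invocation as root before basic.target and a rewrite of /etc/ld.so.preload each time; since build_filesystem.sh already copies the hardened_malloc tree into the chroot, the build and preload setup belong in the chroot install step at image-build time. If the boot-time build is kept, gate it so it runs once, e.g. `ConditionPathExists=!/etc/ld.so.preload`, and consider a hardening directive such as `ProtectHome=yes`, since the script only touches /usr/src and /etc. The unit's file name is not shown in this section.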


@@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -e
set -x
if [ -f '/usr/src/hardened_malloc/Makefile' ]; then
cd /usr/src/hardened_malloc/
make -s VARIANT=default CONFIG_NATIVE=false
fi
if [ -f '/usr/src/hardened_malloc/out/libhardened_malloc.so' ]; then
echo '/usr/src/hardened_malloc/out/libhardened_malloc.so' | tee /etc/ld.so.preload
fi
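Review bot: `tee /etc/ld.so.preload` in the second `if` replaces the whole file rather than appending, and nothing checks that the freshly built library actually loads before it is made mandatory for every dynamically linked process on the system — a bad build here breaks every binary, including the shell needed to recover. Add a load probe before writing, `LD_PRELOAD=/usr/src/hardened_malloc/out/libhardened_malloc.so /bin/true || exit 1`, and use `tee -a` or check for an existing entry if the file may already contain preloads. When the Makefile is absent the script exits 0 silently, which may be intended but deserves a comment.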


@@ -0,0 +1,6 @@
[Desktop Entry]
Name=Enable GNOME Extensions
Exec=/usr/gnome_settings.sh
Type=Application
Hidden=false
X-GNOME-Autostart-enabled=true


@@ -0,0 +1,5 @@
# ~/.bash_profile
chsh -s /bin/bash
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
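Review bot: `chsh -s /bin/bash` runs on every login shell, not once; `chsh` may prompt for the user's password on each login and rewrites the account entry every time, which is noisy in auth logs and a surprising side effect for a profile file. Since build_filesystem.sh installs this file into /etc/skel for every new account, set the login shell once at account creation (the `useradd`/`adduser` shell option) or in the chroot install script, and drop the line here.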


@@ -0,0 +1,8 @@
# ~/.bashrc
# Custom aliases
alias la='ls -la'
# Set a custom prompt
PS1="[\u@\h \W]\$ "


@@ -0,0 +1,3 @@
#!/bin/bash
gnome-extensions enable ubuntu-appindicators@ubuntu.com
gsettings set org.gnome.desktop.interface color-scheme prefer-dark


@@ -0,0 +1,14 @@
# ~/.profile
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
if [ ! -f $HOME/.config/opensnitch/firstrun]; then
mkdir -p $HOME/.config/opensnitch/
cp /etc/opensnitchd/settings.conf $HOME/.config/opensnitch/settings.conf
touch $HOME/.config/opensnitch/firstrun
fi
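Review bot: The test on the second `if` line is malformed — `firstrun]` has no space before `]`, so `[` reports a missing `]` and returns non-zero, the `!` branch is never taken and the opensnitch first-run copy never happens. It should read `if [ ! -f "$HOME/.config/opensnitch/firstrun" ]; then`, and the three `$HOME` expansions below it should be quoted the same way. Until this is fixed every login shell prints the `[` error.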


@@ -0,0 +1,27 @@
# -*- coding: utf-8 -*-
import sys,json,argparse
text = sys.stdin.readlines()
parser = argparse.ArgumentParser()
parser.add_argument("-f","--file")
args = parser.parse_args()
config = {}
for i in range(len(text)):
if '#' not in text[i] and len(str(text[i]).strip())>0:
key = str(text[i]).strip().split('=')
config[str(key[0])]=str(key[1])
with open(args.file,'r',encoding='utf-8') as f:
changes = json.loads(f.read())
for c in changes.keys():
config[str(c)]=changes[str(c)]
config_to_write = ['='.join([str(i),str(config[str(i)])]) for i in config.keys()]
print('\n'.join(config_to_write))
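Review bot: The parsing loop breaks on ordinary config lines: `split('=')` keeps only the first two `=`-separated fields, so a value containing `=` (a quoted command line, for example) is truncated, a non-empty line with no `=` raises IndexError on `key[1]`, and `'#' not in text[i]` drops any line whose value contains `#` rather than only comment lines. `str.partition` handles all three; the rewrite below keeps the JSON overlay and the output unchanged (indentation is lost in this rendering, so the original nesting is inferred). If the `-f` JSON can hold non-string values, note that `str(True)` is written as `True`, which may not be what the consumer of the generated file expects.

```python
config = {}
for line in text:
    stripped = line.strip()
    # only whole-line comments and blank lines are skipped; '#' inside a value is data
    if not stripped or stripped.startswith('#'):
        continue
    key, sep, value = stripped.partition('=')
    if sep:
        config[key] = value
# … unchanged: JSON overlay from args.file and printing …
```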

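--- /dev/null
+++ b/scripts/boot_image.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+cd "$(dirname "$0")"
+cd ..
+disk="./outputs/boot_image.img"
+qemu-system-x86_64 -bios /usr/share/ovmf/OVMF.fd -drive if=none,format=raw,file=$disk,id=hd -device virtio-blk-pci,drive=hd -m 16G -smp 8 -vga none --display default,gl=off -usb -device virtio-tablet-pci -device virtio-keyboard-pci --device virtio-gpu-pci -usb -enable-kvm -machine type=q35,accel=kvm,kernel_irqchip=on -netdev user,id=net0 -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56
+#--display gtk,gl=off --device virtio-gpu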
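Review bot: `file=$disk` in the `-drive` option is the one unquoted expansion in the script; it works for the fixed path above it but splits if the image path ever contains whitespace, so write `-drive if=none,format=raw,file="$disk",id=hd`. `-usb` is passed twice and the virtio-gpu device uses `--device` while every other device uses `-device`; QEMU accepts both spellings, but one form keeps the command line easier to diff. A short comment on why the fixed MAC and the user-mode network backend were chosen would help the next reader.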

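--- /dev/null
+++ b/scripts/bootstrap_filesystem.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+if [ "$(id -u)" -ne 0 ]; then
+echo "switching from $(id -un) to root"
+exec sudo "$0" "$@"
+fi
+set -e
+cd "$(dirname "$0")"
+DIR="$(dirname "$0")"
+cd ..
+echo $PWD
+rm -rf './outputs/root'
+if [ ! -d ./outputs/root/bin ]; then
+rm -rf './outputs/root'
+mkdir -p ./outputs/root/
+debootstrap questing ./outputs/root https://us.archive.ubuntu.com/ubuntu
+fi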
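Review bot: The unconditional `rm -rf './outputs/root'` right after `echo $PWD` makes the `if [ ! -d ./outputs/root/bin ]` guard dead code — the directory is always gone, so debootstrap runs on every invocation and the second `rm -rf` inside the guard is redundant. Either delete the unconditional `rm -rf` (keeping the cache behaviour the guard implies) or delete the guard; as written the intent is unclear. `DIR` is assigned and never used, and `echo $PWD` should be `echo "$PWD"`.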

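--- /dev/null
+++ b/scripts/build_everything.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+dir=$(dirname "$0")
+echo $dir
+cd $dir
+#./install_dependencies.sh
+#./build_kernel.sh
+#./build_initramfs.sh
+#./bootstrap_filesystem.sh
+#./build_initramfs.sh
+./build_filesystem.sh
+./build_image.sh
+./boot_image.sh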
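Review bot: `cd $dir` and `echo $dir` leave the path unquoted; with `dir=$(dirname "$0")` that works for the current layout but breaks on any path containing whitespace, so write `cd "$dir"`. The commented-out steps make this script silently assume the kernel, initramfs and bootstrapped root already exist; a line such as `# assumes build_kernel.sh, build_initramfs.sh and bootstrap_filesystem.sh have already run` would stop a fresh checkout from failing half way through build_image.sh.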

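--- /dev/null
+++ b/scripts/build_filesystem.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+set -e
+set -x
+#switching to root to perform chroot
+if [ "$(id -u)" -ne 0 ]; then
+echo "switching from $(id -un) to root"
+exec sudo "$0" "$@"
+fi
+cd "$(dirname "$0")"
+DIR="$(dirname "$0")"
+cd ..
+echo $PWD
+if mountpoint -q "./outputs/chroot/proc/"; then
+umount -lf "./outputs/chroot/proc/"
+fi
+rm -rf './outputs/chroot'
+mkdir -p ./outputs/chroot/
+if mountpoint -q "./outputs/root/proc/"; then
+umount -lf "./outputs/root/proc/"
+fi
+rsync -a ./outputs/root/ ./outputs/chroot/
+mkdir -p ./outputs/chroot/proc
+mount --bind /proc ./outputs/chroot/proc
+cp ./config/filesystem_chroot_install.sh ./outputs/chroot/filesystem_chroot_install.sh
+cp ./config/apply_initial_host_configuration.sh ./outputs/chroot/apply_initial_host_configuration.sh
+cp ./config/config.json ./outputs/chroot/config.json
+#copy opensnitch rules.
+echo "copying firewall rules"
+rsync -a ./config/settings/opensnitch/ ./outputs/chroot/usr/src/opensnitchd/
+#setup user skeleton
+sudo mkdir -p ./outputs/chroot/etc/skel/.config
+printf "yes" | tee ./outputs/chroot/etc/skel/.config/gnome-initial-setup-done
+cp ./config/settings/skel/bash_profile ./outputs/chroot/etc/skel/.bash_profile
+cp ./config/settings/skel/bashrc ./outputs/chroot/etc/skel/.bashrc
+cp ./config/settings/skel/profile ./outputs/chroot/etc/skel/.profile
+cp ./config/settings/skel/gnome_settings.sh ./outputs/chroot/usr/gnome_settings.sh
+chmod +x ./outputs/chroot/usr/gnome_settings.sh
+#installing hardened memory allocator if built
+if [ -f ./dependencies/hardened_malloc/Makefile ]; then
+rsync -a ./dependencies/hardened_malloc/ ./outputs/chroot/usr/src/hardened_malloc/
+fi
+cp ./config/settings/services/*.service ./outputs/chroot/etc/systemd/system/
+find ./config/settings/services/ -type f -name '*.sh' -exec chmod +x {} \;
+cp ./config/settings/services/*.sh ./outputs/chroot/usr/
+echo "installing system from within chroot"
+chmod +x ./outputs/chroot/filesystem_chroot_install.sh
+chmod +x ./outputs/chroot/apply_initial_host_configuration.sh
+mkdir -p ./outputs/chroot/lib/modules/
+echo "installing kernel modules"
+rsync -a ./dependencies/linux/modules/lib/modules/ ./outputs/chroot/lib/modules/
+echo "installing filesystem"
+chroot ./outputs/chroot /bin/bash -c "/filesystem_chroot_install.sh"
+chroot ./outputs/chroot /bin/bash -c "/apply_initial_host_configuration.sh"
+cp ./config/settings/skel/autorun.desktop ./outputs/chroot/etc/xdg/autostart/autorun.desktop
+cd $DIR
+cd ..
+if mountpoint -q "./outputs/chroot/proc/"; then
+umount -lf "./outputs/chroot/proc/"
+fi
+echo 'root filesystem created.'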
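Review bot: The helper scripts and config.json copied into the chroot root before the `chroot` calls are never removed afterwards, and build_image.sh rsyncs the entire chroot into the image, so the build scripts and their configuration ship in the final root filesystem; add `rm -f ./outputs/chroot/{filesystem_chroot_install.sh,apply_initial_host_configuration.sh,config.json}` after the second `chroot` line. Because `set -e` is active, any failure between `mount --bind /proc` and the final `umount` leaves the host /proc bound inside ./outputs/chroot — a `trap` on EXIT running the same `mountpoint`/`umount -lf` pair would make the cleanup unconditional. The `sudo` before `mkdir -p` is redundant since the script already re-executed itself as root.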

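--- /dev/null
+++ b/scripts/build_image.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+if [ "$(id -u)" -ne 0 ]; then
+echo "switching from $(id -un) to root"
+exec sudo ionice -c 3 "$0" "$@"
+fi
+set -e
+cd "$(dirname "$0")"
+cd ..
+echo "$PWD"
+sync
+if mountpoint -q "./outputs/efi"; then
+umount "./outputs/efi"
+fi
+if mountpoint -q "./outputs/sys"; then
+umount "./outputs/sys"
+fi
+echo 'creating image..'
+disk="./outputs/boot_image.img"
+efi_part="1"
+root_part="2"
+dd if=/dev/zero of="$disk" count=12000 bs=1M
+parted -s "$disk" mklabel gpt
+parted -s --align=optimal "$disk" mkpart ESP fat32 1MiB 50Mib
+parted -s "$disk" set "$efi_part" esp on
+parted -s --align=optimal "$disk" mkpart ext4 100MiB 100%
+parted -s "$disk" set "$root_part" boot on
+parted -s "$disk" print
+kpartx -d "$disk"
+kpartx -avs "$disk"
+echo 'mounting image as loopback device..'
+loop="$(kpartx -l $disk | grep -ow 'loop[0-9]*' | head -n 1)"
+disk_efi="${loop}p1"
+disk_sys="${loop}p2"
+echo 'formatting image partitions..'
+mkfs.fat -F32 -n EFI /dev/mapper/${disk_efi}
+mkfs.ext4 -L ROOT /dev/mapper/${disk_sys}
+echo 'creating mount points..'
+rm -rf ./outputs/{efi,sys,grub}
+mkdir -p ./outputs/
+mkdir -p ./outputs/{efi,sys,grub}
+echo 'mounting loopback devices..'
+mount -t vfat /dev/mapper/${disk_efi} ./outputs/efi
+mount -t ext4 /dev/mapper/${disk_sys} ./outputs/sys
+echo 'installing grub..'
+echo "loop dev: ${loop}"
+echo "efi loop: ${disk_efi}"
+echo "sys loop: ${disk_sys}"
+grub-install -s --compress=gz --target=x86_64-efi --recheck --no-floppy --efi-directory=./outputs/efi --boot-directory=./outputs/efi --root-directory=./outputs/sys --bootloader-id=patronage /dev/$loop
+echo 'copying filesystem to mounted image..'
+if mountpoint -q "./outputs/chroot/proc/"; then
+umount -lf "./outputs/chroot/proc/"
+fi
+cp ./config/interfaces.network ./outputs/chroot/etc/systemd/network/10-all.network
+cp ./config/resolved.conf ./outputs/chroot/etc/systemd/resolved.conf
+rsync -a './outputs/chroot/' './outputs/sys/'
+#tar -xf ./patronagefs.tar --directory ./mnt/sys/
+echo 'copied..'
+echo 'copying boot files..'
+mkdir -p ./outputs/efi/boot/
+cp ./outputs/initramfs.cpio.gz ./outputs/efi/
+mkdir -p ./outputs/efi/EFI/patronage/
+cp ./outputs/bzImage ./outputs/efi/EFI/patronage/bzImage
+cp ./outputs/initramfs.cpio.gz ./outputs/efi/EFI/patronage/
+cp ./config/grub.cfg ./outputs/efi/EFI/patronage/
+#cp $dir/grub.cfg $dir/mnt/sys/boot/grub/
+cp ./config/grub.cfg ./outputs/efi/EFI/BOOT/
+echo 'unmounting..'
+if mountpoint -q "./outputs/efi"; then
+sync
+#fuser -kmv "$dir/mnt/efi"
+umount -lf "./outputs/efi"
+fi
+if mountpoint -q "./outputs/sys"; then
+sync
+#fuser -kmv "$dir/mnt/sys"
+umount -lf "./outputs/sys"
+fi
+kpartx -d "$disk"
+chmod 777 "$disk"
+echo 'image built..'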
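Review bot: `chmod 777 "$disk"` makes the boot image world-writable on the build host, so any local account can alter the root filesystem and boot files before the image is used; the apparent goal is letting the invoking user read it after the `sudo` re-exec, which `chown "${SUDO_UID:-0}:${SUDO_GID:-0}" "$disk"` achieves without opening it to everyone. `loop` is taken from `kpartx -l $disk | grep | head` with no check that it is non-empty (and `$disk` is unquoted there); add `[ -n "$loop" ] || { echo 'kpartx returned no loop device' >&2; exit 1; }` before the mkfs lines, because an empty value yields `/dev/mapper/p1` and a `grub-install` target of `/dev/`. The `umount -lf` calls are lazy unmounts immediately followed by `kpartx -d`; the preceding `sync` makes this mostly safe, but a plain `umount` would surface a still-busy mount instead of detaching under it, and the ESP end is written `50Mib` while the other units use `MiB`.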

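--- /dev/null
+++ b/scripts/build_initramfs.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+cd "$(dirname "$0")"
+cd ..
+echo $PWD
+echo "cleaning filesystem and creating initram directories"
+rm -rf ./dependencies/initram/
+mkdir -p ./outputs/
+mkdir -p ./dependencies/
+mkdir -p ./dependencies/initram/
+mkdir -p ./dependencies/initram/{bin,dev,etc,lib,proc,sbin,sys,tmp,usr}
+mkdir -p ./dependencies/initram/usr/{bin,sbin}
+mkdir -p ./dependencies/initram/etc/{bin,sbin}
+mkdir -p ./dependencies/initram/lib/modules/
+echo "installing busybox"
+cp ./busybox ./dependencies/initram/bin/
+chmod +x ./dependencies/initram/bin/busybox
+chmod 4755 ./dependencies/initram/bin/busybox
+./dependencies/initram/bin/busybox --install -s "./dependencies/initram/bin/"
+cp ./config/init.sh ./dependencies/initram/init
+chmod +x ./dependencies/initram/init
+#chmod 4755 ./dependencies/initram/bin/init
+echo "copying kernel"
+cp ./dependencies/linux/arch/x86_64/boot/bzImage ./outputs/bzImage
+cd ./dependencies/initram/
+find ./bin -type f -name "*" -exec chmod +x {} +
+find . -print0 | cpio --null -o --format=newc --owner root:root | zstd -19 > ../../outputs/initramfs.cpio.gz
+echo "created initramfs."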
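Review bot: The cpio pipeline writes `zstd -19` output to a file named initramfs.cpio.gz, and with `set -e` but no `pipefail` a cpio failure is masked by zstd's exit status; add `set -o pipefail` after `set -e`, and either rename the output (build_image.sh and grub.cfg reference the .gz name) or document it with `# zstd-compressed despite the .gz suffix; the kernel needs CONFIG_RD_ZSTD to unpack it`. `chmod 4755` on busybox sets the setuid bit, which buys nothing inside the initramfs where everything already runs as root, and a setuid busybox is a broad privilege boundary if the same line is ever reused for the root filesystem — `chmod 755` is enough here. `echo $PWD` should be quoted as in build_image.sh.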

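--- /dev/null
+++ b/scripts/build_kernel.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+cd "$(dirname "$0")"
+cd ..
+mkdir -p ./dependencies
+rootdir=$(dirname "$0")
+dir=./$(dirname "$0")
+cd dependencies
+[[ -d ./linux ]] || git clone --depth 1 https://github.com/torvalds/linux.git ./linux
+cd "$(dirname "$0")"
+cd ..
+echo $PWD
+cp ./config/kernel_options.json ./dependencies/linux/kernel_options.json
+cat ./config/build_containerfile | /usr/bin/podman build --volume /lib/modules:/lib/modules:z -f - -t patronagekernel:latest .
+nice -n 20 /usr/bin/podman run -it --volume /lib/modules:/lib/modules:z --volume ./dependencies/linux:/linux patronagekernel:latest
+mkdir -p ./outputs/
+cp ./dependencies/linux/arch/x86_64/boot/bzImage ./outputs/bzImage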
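Review bot: The second `cd "$(dirname "$0")"` runs after `cd dependencies`, so when the script is invoked by a relative path such as `./scripts/build_kernel.sh` the expansion is `./scripts` relative to the dependencies directory, which does not exist and aborts under `set -e`; it only works when run from inside scripts/ or via an absolute path. Replace that line and the `cd ..` after it with a single `cd ..`, or resolve the repository root once at the top. The kernel is also cloned unpinned from mainline HEAD, so every build compiles different, unreviewed source; pin a tag with `git clone --depth 1 --branch <pinned-tag> https://github.com/torvalds/linux.git ./linux`. `rootdir` and `dir` are assigned and never used, and `podman run -it` may complain when no terminal is attached, as in a CI run.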

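--- /dev/null
+++ b/scripts/download_malloc.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+set -x
+cd "$(dirname "$0")"
+DIR="$(dirname "$0")"
+cd ..
+echo $PWD
+#downloading graphene malloc
+if [ ! -f ./dependencies/hardened_malloc/Makefile ]; then
+cd ./dependencies/
+git clone https://github.com/GrapheneOS/hardened_malloc.git
+fi
+echo 'graphene malloc downloaded.'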
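Review bot: The allocator that mem_alloc.sh later places in /etc/ld.so.preload for every process is cloned from an unpinned branch head with no integrity check, so the build silently tracks whatever upstream pushes; pin a release tag (`git clone --branch <pinned-tag> https://github.com/GrapheneOS/hardened_malloc.git`) and, if the upstream tags are signed as GrapheneOS releases generally are, verify it with `git verify-tag` after importing the project's signing key. `cd ./dependencies/` assumes the directory exists — add `mkdir -p ./dependencies` before it — and the final echo reports a download even when the clone was skipped. `DIR` is unused.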

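--- /dev/null
+++ b/scripts/install_dependencies.sh
@@ -0,0 +1,13 @@
+#install dependencies
+if [ "$(id -u)" -ne 0 ]; then
+echo "switching from $(id -un) to root"
+exec sudo "$0" "$@"
+fi
+set -e
+list="kpartx podman debootstrap qemu-system"
+apt update
+for item in $list; do
+apt install -y $item
+done
+cd "$(dirname "$0")"
+find . -type f -name "*" -exec chmod +x {} +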
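Review bot: The file has no shebang — its first line is `#install dependencies` — so `exec sudo "$0"` re-executes a script with no interpreter line and the result depends on the caller's fallback behaviour; add `#!/bin/bash` as the first line, matching the other scripts. `find . -type f -name "*" -exec chmod +x {} +` marks every file under scripts/ executable, not only shell scripts; restrict it to `-name '*.sh'` as build_filesystem.sh already does. One `apt install -y kpartx podman debootstrap qemu-system` call is also faster than an apt run per item.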