From 5e947beb2a522ab07d66c8e04491a5a6eac774a3 Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Tue, 21 Jan 2025 11:41:56 +0100
Subject: [PATCH] Update kernel lockdown
---
 common/etc/tmpfiles.d/common.conf | 1 -
 ignition/home-gw.bu | 3 +++
 setup-gpu.sh | 4 ++--
 setup-home.sh | 2 +-
 setup-infra.sh | 2 +-
 setup-laptop.sh | 4 ++--
 setup-ostree.sh | 4 ++++
 setup-qubes-fedora.sh | 2 +-
 setup-qubes.sh | 1 +
 setup-sandbox.sh | 2 +-
 setup-server.sh | 2 +-
 setup-vps.sh | 2 +-
 setup.sh | 18 +++++++++---------
 sync-changes.sh | 1 +
 14 files changed, 28 insertions(+), 20 deletions(-)
 delete mode 100644 common/etc/tmpfiles.d/common.conf
 create mode 100644 setup-ostree.sh
diff --git a/common/etc/tmpfiles.d/common.conf b/common/etc/tmpfiles.d/common.conf
deleted file mode 100644
index aa3f911..0000000
--- a/common/etc/tmpfiles.d/common.conf
+++ /dev/null
@@ -1 +0,0 @@
-w- /sys/kernel/security/lockdown - - - - confidentiality
diff --git a/ignition/home-gw.bu b/ignition/home-gw.bu
index a871e6b..8b43bd8 100644
--- a/ignition/home-gw.bu
+++ b/ignition/home-gw.bu
@@ -33,3 +33,6 @@ passwd:
 ssh_authorized_keys:
 - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
 - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
+kernel_arguments:
+ should_exist:
+ - lockdown=confidentiality
diff --git a/setup-gpu.sh b/setup-gpu.sh
index 1db0bfd..5970dfd 100644
--- a/setup-gpu.sh
+++ b/setup-gpu.sh
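Review bot: The `kernel_arguments` stanza added after the `passwd` section is only honoured by Ignition during first-boot provisioning, so an already-provisioned home-gw does not pick it up from here; it relies on `setup-home.sh` → `setup-server.sh` → `setup-ostree.sh` (`rpm-ostree kargs`) instead, and the two must carry the same value. `kernel_arguments` also needs a Butane `fcos` spec version that supports it (1.4.0 or later, as far as I recall); the `variant`/`version` header of this file is outside the hunk, so check it. A one-line comment above the stanza would tie the two together, e.g. `# keep in sync with the lockdown karg set by setup-ostree.sh for hosts that are already provisioned`.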
@@ -1,10 +1,10 @@
 #!/bin/bash
 set -euo pipefail
 cp -R desktop/* gpu/* /
-sh setup-desktop.sh
+bash setup-desktop.sh
+bash setup-ostree.sh
 rpm-ostree install --idempotent akmod-nvidia nvidia-container-toolkit rpmfusion-free-release rpmfusion-nonfree-release xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda
 systemctl enable --now podman-auto-update.timer sshd
-systemctl disable auditd
 sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs
 sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs
 useradd -M containers || true
diff --git a/setup-home.sh b/setup-home.sh
index e03003b..3d6b1d4 100644
--- a/setup-home.sh
+++ b/setup-home.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 cp -R home/* /
-sh setup-server.sh
+bash setup-server.sh
diff --git a/setup-infra.sh b/setup-infra.sh
index 7f0c79d..2c286c7 100644
--- a/setup-infra.sh
+++ b/setup-infra.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail
 cp -R infra/* /
-sh setup-server.sh
+bash setup-server.sh
diff --git a/setup-laptop.sh b/setup-laptop.sh
index 3542440..fdb28b3 100644
--- a/setup-laptop.sh
+++ b/setup-laptop.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -euo pipefail
 cp -R desktop/* laptop/* /
-sh setup-desktop.sh
-systemctl disable auditd
+bash setup-desktop.sh
+bash setup-ostree.sh
 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
 flatpak install com.github.tchx84.Flatseal com.github.wwmm.easyeffects com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.spotify.Client com.valvesoftware.Steam com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv net.lutris.Lutris org.chromium.Chromium org.gimp.GIMP org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox org.remmina.Remmina org.torproject.torbrowser-launcher org.virt_manager.virt-manager
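Review bot: Once the added `bash setup-ostree.sh` stages `lockdown=confidentiality`, the next boot will refuse to load unsigned kernel modules (lockdown enforces module signature checking at both the integrity and confidentiality levels), and the `akmod-nvidia` modules layered by the `rpm-ostree install` on the following line are built locally, so unless they are signed with an enrolled akmods MOK key — nothing visible here sets that up, and setup-desktop.sh is not in the diff — the GPU driver will stop loading after the reboot. The ordering also means the karg is only staged, not active, for the rest of this run; whether the later `rpm-ostree install` carries the pending karg into the deployment it creates is worth confirming on a test host. I'd record the prerequisite next to the call: `bash setup-ostree.sh  # lockdown: akmod-nvidia modules must be MOK-signed or they will not load on the next boot`.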
diff --git a/setup-ostree.sh b/setup-ostree.sh
new file mode 100644
index 0000000..559c8e2
--- /dev/null
+++ b/setup-ostree.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+rpm-ostree kargs --append-if-missing=lockdown=confidentiality
+systemctl disable auditd
diff --git a/setup-qubes-fedora.sh b/setup-qubes-fedora.sh
index b3aca19..010e371 100644
--- a/setup-qubes-fedora.sh
+++ b/setup-qubes-fedora.sh
@@ -7,6 +7,6 @@ dnf config-manager setopt rpmfusion-free.enabled=true
 dnf config-manager setopt rpmfusion-free-updates.enabled=true
 dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
 dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
-sh setup-desktop.sh
+bash setup-desktop.sh
 all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
 all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox
diff --git a/setup-qubes.sh b/setup-qubes.sh
index 5076b2a..1cab129 100644
--- a/setup-qubes.sh
+++ b/setup-qubes.sh
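Review bot: The new script has no header, and both of its commands deserve one: `rpm-ostree kargs --append-if-missing=…` only stages the argument for the next deployment, so the host keeps running without lockdown until it is rebooted (nothing in this diff reboots or tells the operator to), and `systemctl disable auditd` removes the audit trail on a host that is being hardened — if that is deliberate, the reason should be written down so it is not undone later. I am also not sure whether `--append-if-missing` matches on the `lockdown` key or on the full `key=value`; if the latter, a host that already carries a different `lockdown=` value would end up with two, so `--replace=lockdown=confidentiality` may be the safer form and is worth checking. Suggested header: `# Shared hardening for rpm-ostree hosts: pins lockdown=confidentiality (active after the next reboot) and disables auditd (<reason here>)`.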
@@ -7,3 +7,4 @@ qvm-features dom0 gui-default-secure-paste-sequence Ctrl-Mod4-v
 sudo qubes-dom0-update bash-completion kernel-latest-qubes-vm pipewire pipewire-pulseaudio qubes-ctap-dom0 qubes-screenshot-helper
 sudo dnf remove kernel-qubes-vm
 qvm-features sys-net ipv6 1
+qvm-prefs fedora-41 kernelopts "swiotlb=2048 lockdown=confidentiality"
diff --git a/setup-sandbox.sh b/setup-sandbox.sh
index db43e5e..2dfc130 100644
--- a/setup-sandbox.sh
+++ b/setup-sandbox.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -euo pipefail
 cp -R sandbox/* /
-sh setup-server.sh
+bash setup-server.sh
 systemctl enable --now podman.socket
diff --git a/setup-server.sh b/setup-server.sh
index 2f56c5a..d35a40e 100644
--- a/setup-server.sh
+++ b/setup-server.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -euo pipefail
 cp -R server/* /
-systemctl disable auditd
+bash setup-ostree.sh
 systemctl disable --now docker.socket rpm-ostree-countme.timer
 systemctl enable --now podman-auto-update.timer
 systemctl enable --global podman-auto-update.timer
diff --git a/setup-vps.sh b/setup-vps.sh
index 15e2234..5724e9e 100644
--- a/setup-vps.sh
+++ b/setup-vps.sh
@@ -2,4 +2,4 @@
 set -euo pipefail
 cp -R vps/* /
 ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
-sh setup-server.sh
+bash setup-server.sh
diff --git a/setup.sh b/setup.sh
index 142ebca..c440a36 100755
--- a/setup.sh
+++ b/setup.sh
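Review bot: The added `qvm-prefs fedora-41 kernelopts …` hard-codes one template name, so the lockdown setting silently stops being applied (or the script errors, depending on whether setup-qubes.sh runs under `set -e`, which is outside the hunk) as soon as the template is upgraded or renamed, and every other template or standalone qube keeps the default kernelopts. It also pins `swiotlb=2048`, which looks like a copy of the current Qubes default; if that default changes, this override keeps the stale value. Consider deriving the target, e.g. `template=$(qubes-prefs default_template)` followed by `qvm-prefs "$template" kernelopts "swiotlb=2048 lockdown=confidentiality"`, with a comment that `kernelopts` only reaches qubes booted with the dom0-provided kernel, if I recall the semantics correctly. Whether AppVMs based on the template inherit its `kernelopts` or keep their own default is worth verifying on the target Qubes release.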
@@ -6,29 +6,29 @@ if [ "$USER" != root ]; then
 exit 1
 fi
 if [ -f /etc/qubes-release ]; then
- sh setup-qubes.sh
+ bash setup-qubes.sh
 exit
 fi
 if [ ! -f /etc/fedora-release ]; then
 exit
 fi
-sh setup-common.sh
+bash setup-common.sh
 if [ -f /usr/share/qubes/marker-vm ]; then
- sh setup-qubes-fedora.sh
+ bash setup-qubes-fedora.sh
 elif [ -d /usr/lib/coreos ]; then
 if [ "$1" = vps ]; then
- sh setup-vps.sh
+ bash setup-vps.sh
 elif [ "$1" = home ]; then
- sh setup-home.sh
+ bash setup-home.sh
 elif [ "$1" = sandbox ]; then
- sh setup-sandbox.sh
+ bash setup-sandbox.sh
 elif [ "$1" = infra ]; then
- sh setup-infra.sh
+ bash setup-infra.sh
 fi
 elif [ -d /ostree ]; then
 if [ "$1" = laptop ]; then
- sh setup-laptop.sh
+ bash setup-laptop.sh
 elif [ "$1" = gpu ]; then
- sh setup-gpu.sh
+ bash setup-gpu.sh
 fi
 fi
diff --git a/sync-changes.sh b/sync-changes.sh
index 1df2134..77fe68f 100755
--- a/sync-changes.sh
+++ b/sync-changes.sh
@@ -5,3 +5,4 @@ ssh infra "cd /var/lib/system-config; git pull; ./setup.sh infra"
 ssh home "cd /var/lib/system-config; git pull; ./setup.sh home"
 ssh sandbox "cd /var/lib/system-config; git pull; ./setup.sh sandbox"
 ssh vps "cd /var/lib/system-config; git pull; ./setup.sh vps"
+ssh gpu "cd /var/lib/system-config; git pull; ./setup.sh gpu"
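Review bot: Every new `bash setup-*.sh` call resolves the script name against the caller's working directory rather than setup.sh's own location, so these dispatches only work when the repo root is the cwd (sync-changes.sh guarantees that with its `cd`; a manual run does not). A `cd "${0%/*}"` near the top of the file, outside this hunk, would make the invocations location-independent. Separately, an unrecognised or missing `$1` in the coreos and ostree branches falls through without any message, so a misspelt role returns success having done nothing; an `else` arm with `printf 'unknown role: %s\n' "$1" >&2; exit 1` at the end of each chain would surface that. The `if`/`fi` structure this hunk edits begins before line 6 and is not fully visible.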
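Review bot: The added `ssh gpu …` line chains `cd`, `git pull` and `./setup.sh gpu` with `;`, so if the `cd` or the pull fails the host still runs setup — from the wrong directory, or with whatever tree is currently checked out; the existing lines have the same shape, but the new one copies it. Use `&&` so a failed pull aborts the run: `ssh gpu "cd /var/lib/system-config && git pull && ./setup.sh gpu"`. Also, since the lockdown change now goes through `rpm-ostree kargs`, this remote run leaves it staged until the host reboots, which the ssh line neither does nor reports.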