From 5201fedaae03168a11e47014b5b0c41b291a52bf Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 2 Dec 2023 08:15:27 -0700 Subject: [PATCH] Run curl unprivileged Signed-off-by: Tommy --- Docker-Compose.ign | 7 +++++-- Docker-Compose.yml | 30 ++++++++++++++++-------------- Generic.ign | 7 +++++-- Generic.yml | 28 +++++++++++++++------------- UTM.ign | 5 ++++- UTM.yml | 17 +++++++++-------- 6 files changed, 54 insertions(+), 40 deletions(-) diff --git a/Docker-Compose.ign b/Docker-Compose.ign index fff76dc..09afebc 100644 --- a/Docker-Compose.ign +++ b/Docker-Compose.ign @@ -41,6 +41,9 @@ "sshAuthorizedKeys": [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io" ] + }, + { + "name": "unpriv" } ] }, @@ -184,7 +187,7 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd docker-compose firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd docker-compose firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | /usr/bin/tee /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "postinst.service" }, @@ -194,7 +197,7 @@ "name": "setsebool.service" }, { - "contents": "[Unit]\nDescription=gVisor Update\nRequires=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=gVisor Update\nRequires=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "gvisor-updater.service" }, diff --git a/Docker-Compose.yml b/Docker-Compose.yml index edb4a5d..212fa6f 100644 --- a/Docker-Compose.yml +++ b/Docker-Compose.yml @@ -8,6 +8,7 @@ passwd: groups: - wheel - sudo + - name: unpriv systemd: units: - name: postinst.service @@ -27,25 +28,25 @@ systemd: [Service] Type=oneshot RemainAfterExit=yes - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf ExecStart=/usr/bin/systemctl restart chronyd ExecStart=/usr/bin/rpm-ostree install auditd docker-compose firewalld qemu-guest-agent tuned unbound ExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | /usr/bin/tee /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf ExecStart=/usr/bin/echo "CtrlAltDelBurstAction=none" >> /etc/systemd/system.conf ExecStart=/usr/bin/systemctl disable systemd-resolved ExecStart=/usr/bin/touch /var/lib/%N.stamp @@ -73,15 +74,16 @@ systemd: Before=docker.service [Service] - WorkingDirectory=/var/roothome + WorkingDirectory=/var/home/unpriv Type=oneshot ExecStart=/usr/bin/sleep 5 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512 ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512 ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512 + ExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1 ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1 ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc diff --git a/Generic.ign b/Generic.ign index dc5ea4e..d5eb41d 100644 --- a/Generic.ign +++ b/Generic.ign @@ -41,6 +41,9 @@ "sshAuthorizedKeys": [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io" ] + }, + { + "name": "unpriv" } ] }, @@ -177,7 +180,7 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "postinst.service" }, @@ -192,7 +195,7 @@ "name": "setsebool.service" }, { - "contents": "[Unit]\nDescription=gVisor Update\nRequires=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/roothome\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=gVisor Update\nRequires=network-online.target\nBefore=docker.service\n\n[Service]\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "gvisor-updater.service" }, diff --git a/Generic.yml b/Generic.yml index 2f9eb33..f77342b 100644 --- a/Generic.yml +++ b/Generic.yml @@ -8,6 +8,7 @@ passwd: groups: - wheel - sudo + - name: unpriv systemd: units: - name: postinst.service @@ -27,25 +28,25 @@ systemd: [Service] Type=oneshot RemainAfterExit=yes - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf ExecStart=/usr/bin/systemctl restart chronyd ExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound ExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf ExecStart=/usr/bin/echo "CtrlAltDelBurstAction=none" >> /etc/systemd/system.conf ExecStart=/usr/bin/systemctl disable systemd-resolved ExecStart=/usr/bin/touch /var/lib/%N.stamp @@ -91,15 +92,16 @@ systemd: Before=docker.service [Service] - WorkingDirectory=/var/roothome + WorkingDirectory=/var/home/unpriv Type=oneshot ExecStart=/usr/bin/sleep 5 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1 - ExecStart=/usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1 + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512 ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512 ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512 + ExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1 ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1 ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc diff --git a/UTM.ign b/UTM.ign index 41727f7..d8b1111 100644 --- a/UTM.ign +++ b/UTM.ign @@ -41,6 +41,9 @@ "sshAuthorizedKeys": [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkTKkJS7Id1WCyA5Klu/moLG9mP5hTC+v2qYqypMF1u contact@tommytran.io" ] + }, + { + "name": "unpriv" } ] }, @@ -170,7 +173,7 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf\nExecStart=/usr/bin/echo \"allow 10.0.2.2/32\" \u003e\u003e /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf\nExecStart=/usr/bin/echo \"allow 10.0.2.2/32\" \u003e\u003e /etc/chrony.conf\nExecStart=/usr/bin/systemctl restart chronyd\nExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac\nExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf\nExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d\nExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf\nExecStart=/usr/bin/sudo -u unpriv https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf\nExecStart=/usr/bin/echo \"CtrlAltDelBurstAction=none\" \u003e\u003e /etc/systemd/system.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "enabled": true, "name": "postinst.service" }, diff --git a/UTM.yml b/UTM.yml index c70f80c..c6b4232 100644 --- a/UTM.yml +++ b/UTM.yml @@ -8,6 +8,7 @@ passwd: groups: - wheel - sudo + - name: unpriv systemd: units: - name: postinst.service @@ -27,26 +28,26 @@ systemd: [Service] Type=oneshot RemainAfterExit=yes - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | /usr/bin/tee /etc/chrony.conf ExecStart=/usr/bin/echo "allow 10.0.2.2/32" >> /etc/chrony.conf ExecStart=/usr/bin/systemctl restart chronyd ExecStart=/usr/bin/rpm-ostree install auditd firewalld qemu-guest-agent tuned unbound ExecStart=/usr/bin/rpm-ostree override remove cifs-utils samba-common-libs samba-client-libs libsmbclient libwbclient samba-common sssd-krb5-common sssd-ipa sssd-nfs-idmap sssd-ldap sssd-client sssd-ad sssd-common sssd-krb5 sssd-common-pac ExecStart=/usr/bin/sed -i 's/nullok//g' /etc/pam.d/system-auth - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | /usr/bin/tee /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf ExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_silent-kernel-printk.conf | /usr/bin/tee /etc/sysctl.d/30_silent-kernel-printk.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/lib/sysctl.d/sysctl.d/30_security-misc_kexec-disable.conf | /usr/bin/tee /etc/sysctl.d/30_security-misc_kexec-disable.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/NetworkManager.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/irqbalance.service.d - ExecStart=/usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | /usr/bin/tee /etc/systemd/system/irqbalance.service.d/99-brace.conf ExecStart=/usr/bin/mkdir -p /etc/systemd/system/sshd.service.d - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/override.conf - ExecStart=/usr/bin/curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf -o /etc/ssh/sshd_config.d/10-custom.conf + ExecStart=/usr/bin/sudo -u unpriv /usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | /usr/bin/tee /etc/systemd/system/sshd.service.d/override.conf + ExecStart=/usr/bin/sudo -u unpriv https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config/10-custom.conf | /usr/bin/tee /etc/ssh/sshd_config.d/10-custom.conf ExecStart=/usr/bin/echo "CtrlAltDelBurstAction=none" >> /etc/systemd/system.conf ExecStart=/usr/bin/systemctl disable systemd-resolved ExecStart=/usr/bin/touch /var/lib/%N.stamp