Implement hardened_malloc, rename to x86_64-v3

Signed-off-by: Tommy <contact@tommytran.io>
2024-09-07 17:13:30 -04:00 · 2024-02-26 23:36:13 -07:00 · 2024-02-26 23:36:13 -07:00 · 6f0bf8d8a7
commit 6f0bf8d8a7
parent 3cb35c79d5
4 changed files with 63 additions and 3 deletions
--- a/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
+++ b/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/La4cBEADGUgoiPUJcEs0DRpWgmmpnMtgRxOiqT4b2R1d9cwtWpMOqQ3eN
+OJqSBdzmN+aNwt61XWi4MUAseN5O3L3C+UXIk8HptOmalNySSHcGXk6Kn250Tmy5
+O+ZGHlPng1zqOMBBZs1kNYw9aXuxQFCRk1rfFcePreyF+rHuBx0K2EGJPQ7udEf0
+znq8gRZ29wFz3TzqGmKVv5cWkdGSUUkQc9ecZX89yBMfuqRXUG/ucojD0gLaQyTy
+cjfS/0RE+Bje8Mpe8wswR+hg2qZDO+n9uMY/7dmdctKGU/kdxEBPqe0dak1sJ16M
+0bawI+Rq/5RqPYwgEcfTg4VQotvpENUN/uAqi1b0IRLcPE46kXGpY9HIukFkzRKD
+N1WMz8D6sVNimV99KucKvXzD/1VvyawChPWJsGCow4OoYrvHTU5f8J7PHStLQ61O
+pVjWRbRonpjGBvz3hP0vkwCgy21AkYnRWaSKztwSkIJ36NCqsU24WIH1XgWzxsrf
+kniQdXP6+sMCAxV+u6ig671BdtqYqaIGxb15j/wPXuju92myrTGa4rk0uUTur+VV
+v0ethh3S8c9yisuRjkV+K/xpoJjGv7MsZf6hkcyIT826cv4Jr8LbtSMVD/pQB93i
+olhizs8U0ph+RMnNPC4ZiroPgjDhYDZcIPuWw8WETHrUQDaEj6XgYm8P2QARAQAB
+tEhEaXZlc3RlZCBSZWxlYXNlIFNpZ25pbmcgKDIwMjAgIzEpIDxzdXBwb3J0K3Jl
+bGVhc2VzaWduaW5nQGRpdmVzdGVkLmRldj6JAk4EEwEIADgWIQRjlfyZEe3NYVhx
+Lfe638q92/W2lAUCX8trhwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6
+38q92/W2lH49D/9F4f1pGf5ZWZjs7LiW4BQgAOx0NiKsvFTXBAhhUSJwTseB3vnK
+ZGx3qoUCI0pk+4Z/YHhY91QTopJHcg/QW8tj/shjtRbzmfBB6dwFQkZtOHofXHMV
+DowoY2MXZRd9dRIBhwLRvktZA9yKO1iH0M0vSqxuh8ALkvUlDgfzy0QBsAHjsUTB
+FoxGemxT+70zDNx+xL0PusRA25AOn7EXzrjk6E1653KL1sRojqGZ/XzWWw+6dZyM
+4Aap3CGrS7+YrXhJTMokOC/OfariDaN02YtlRizztWYEhkJ5SB0kIIlzgrGmY659
+b0ENjjHAVK16LfRoDprb1PpC3du2QAVFtBRDqD2zwXBmELjyOpAnSYDuJVPgv4T8
+Oty5be+U84lKVIgG5N60VrJzkwi5J+FSx2hTJl0C5BZyKChDXXvlnJI2Y4Qrwjyz
+7mx5gjFLZra/yKrVKnfxp5AJ7DxHxNOYn0dcceWBBVC1L5sniim9z4Q5fNRErJT8
+ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
+ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
+EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
+=qpX+
--- a/etc/yum.repos.d/divested-release.repo
+++ b/etc/yum.repos.d/divested-release.repo
@ -0,0 +1,12 @@
+[divested]
+name=Divested RPM Repository
+#baseurl=https://divested.dev/rpm/fedora
+metalink=https://divested.dev/rpm/fedora/metalink.metalink
+enabled=1
+metadata_expire=7d
+repo_gpgcheck=1
+type=rpm
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-divested
+skip_if_unavailable=True
+includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
--- a/x86-v3-QEMU-Docker.ign
+++ b/x86-v3-QEMU-Docker.ign
@ -74,6 +74,18 @@
          "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json"
        }
      },
+      {
+        "path": "/etc/yum.repos.d/divested-release.repo",
+        "contents": {
+          "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo"
+        }
+      },
+      {
+        "path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested",
+        "contents": {
+          "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested"
+        }
+      },
      {
        "overwrite": true,
        "path": "/etc/chrony.conf",
@ -219,12 +231,12 @@
  "systemd": {
    "units": [
      {
-        "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "postinst.service"
      },
      {
-        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo \"/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so\" | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "postinst2.service"
      },
--- a/x86-v3-QEMU-Docker.yml
+++ b/x86-v3-QEMU-Docker.yml
@ -43,7 +43,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools
-        ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound
+        ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound
        ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
        ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
        ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
@ -69,8 +69,10 @@ systemd:
        [Service]
        Type=oneshot
        RemainAfterExit=yes
+        ExecStart=/usr/bin/echo "/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so" | tee /etc/ld.so.preload
        ExecStart=/usr/bin/systemctl enable --now firewalld
        ExecStart=/usr/bin/firewall-cmd --lockdown-on
+        ExecStart=/usr/bin/systemctl --no-block reboot

        [Install]
        WantedBy=multi-user.target
@ -168,6 +170,12 @@ storage:
    - path: /etc/docker/daemon.json
      contents:
        source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
+    - path: /etc/yum.repos.d/divested-release.repo
+      contents:
+        source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo
+    - path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested
+      contents:
+        source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
    - path: /etc/chrony.conf
      contents:
        source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf