mirror of
https://github.com/tommytran732/Fedora-CoreOS-Ignition
synced 2024-12-22 14:42:16 -05:00
Implement hardened_malloc, rename to x86_64-v3
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
3cb35c79d5
commit
6f0bf8d8a7
28
etc/pki/rpm-gpg/RPM-GPG-KEY-divested
Normal file
28
etc/pki/rpm-gpg/RPM-GPG-KEY-divested
Normal file
@ -0,0 +1,28 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBF/La4cBEADGUgoiPUJcEs0DRpWgmmpnMtgRxOiqT4b2R1d9cwtWpMOqQ3eN
|
||||
OJqSBdzmN+aNwt61XWi4MUAseN5O3L3C+UXIk8HptOmalNySSHcGXk6Kn250Tmy5
|
||||
O+ZGHlPng1zqOMBBZs1kNYw9aXuxQFCRk1rfFcePreyF+rHuBx0K2EGJPQ7udEf0
|
||||
znq8gRZ29wFz3TzqGmKVv5cWkdGSUUkQc9ecZX89yBMfuqRXUG/ucojD0gLaQyTy
|
||||
cjfS/0RE+Bje8Mpe8wswR+hg2qZDO+n9uMY/7dmdctKGU/kdxEBPqe0dak1sJ16M
|
||||
0bawI+Rq/5RqPYwgEcfTg4VQotvpENUN/uAqi1b0IRLcPE46kXGpY9HIukFkzRKD
|
||||
N1WMz8D6sVNimV99KucKvXzD/1VvyawChPWJsGCow4OoYrvHTU5f8J7PHStLQ61O
|
||||
pVjWRbRonpjGBvz3hP0vkwCgy21AkYnRWaSKztwSkIJ36NCqsU24WIH1XgWzxsrf
|
||||
kniQdXP6+sMCAxV+u6ig671BdtqYqaIGxb15j/wPXuju92myrTGa4rk0uUTur+VV
|
||||
v0ethh3S8c9yisuRjkV+K/xpoJjGv7MsZf6hkcyIT826cv4Jr8LbtSMVD/pQB93i
|
||||
olhizs8U0ph+RMnNPC4ZiroPgjDhYDZcIPuWw8WETHrUQDaEj6XgYm8P2QARAQAB
|
||||
tEhEaXZlc3RlZCBSZWxlYXNlIFNpZ25pbmcgKDIwMjAgIzEpIDxzdXBwb3J0K3Jl
|
||||
bGVhc2VzaWduaW5nQGRpdmVzdGVkLmRldj6JAk4EEwEIADgWIQRjlfyZEe3NYVhx
|
||||
Lfe638q92/W2lAUCX8trhwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6
|
||||
38q92/W2lH49D/9F4f1pGf5ZWZjs7LiW4BQgAOx0NiKsvFTXBAhhUSJwTseB3vnK
|
||||
ZGx3qoUCI0pk+4Z/YHhY91QTopJHcg/QW8tj/shjtRbzmfBB6dwFQkZtOHofXHMV
|
||||
DowoY2MXZRd9dRIBhwLRvktZA9yKO1iH0M0vSqxuh8ALkvUlDgfzy0QBsAHjsUTB
|
||||
FoxGemxT+70zDNx+xL0PusRA25AOn7EXzrjk6E1653KL1sRojqGZ/XzWWw+6dZyM
|
||||
4Aap3CGrS7+YrXhJTMokOC/OfariDaN02YtlRizztWYEhkJ5SB0kIIlzgrGmY659
|
||||
b0ENjjHAVK16LfRoDprb1PpC3du2QAVFtBRDqD2zwXBmELjyOpAnSYDuJVPgv4T8
|
||||
Oty5be+U84lKVIgG5N60VrJzkwi5J+FSx2hTJl0C5BZyKChDXXvlnJI2Y4Qrwjyz
|
||||
7mx5gjFLZra/yKrVKnfxp5AJ7DxHxNOYn0dcceWBBVC1L5sniim9z4Q5fNRErJT8
|
||||
ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
|
||||
ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
|
||||
EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
|
||||
=qpX+
|
12
etc/yum.repos.d/divested-release.repo
Normal file
12
etc/yum.repos.d/divested-release.repo
Normal file
@ -0,0 +1,12 @@
|
||||
[divested]
|
||||
name=Divested RPM Repository
|
||||
#baseurl=https://divested.dev/rpm/fedora
|
||||
metalink=https://divested.dev/rpm/fedora/metalink.metalink
|
||||
enabled=1
|
||||
metadata_expire=7d
|
||||
repo_gpgcheck=1
|
||||
type=rpm
|
||||
gpgcheck=1
|
||||
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-divested
|
||||
skip_if_unavailable=True
|
||||
includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
@ -74,6 +74,18 @@
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json"
|
||||
}
|
||||
},
|
||||
{
|
||||
"path": "/etc/yum.repos.d/divested-release.repo",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo"
|
||||
}
|
||||
},
|
||||
{
|
||||
"path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested",
|
||||
"contents": {
|
||||
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested"
|
||||
}
|
||||
},
|
||||
{
|
||||
"overwrite": true,
|
||||
"path": "/etc/chrony.conf",
|
||||
@ -219,12 +231,12 @@
|
||||
"systemd": {
|
||||
"units": [
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"contents": "[Unit]\nDescription=Initial System Setup\n# We run after `systemd-machine-id-commit.service` to ensure that\n# `ConditionFirstBoot=true` services won't rerun on the next boot.\nAfter=systemd-machine-id-commit.service\nAfter=network-online.target\n# We run before `zincati.service` to avoid conflicting rpm-ostree\n# transactions.\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools\nExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound\nExecStart=/usr/bin/sed -i 's/\\s+nullok//g' /etc/pam.d/system-auth\nExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf\nExecStart=/usr/bin/sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf\nExecStart=/usr/bin/systemctl disable systemd-resolved\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst.service"
|
||||
},
|
||||
{
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo \"/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so\" | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||
"enabled": true,
|
||||
"name": "postinst2.service"
|
||||
},
|
@ -43,7 +43,7 @@ systemd:
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/rpm-ostree override remove bind-license bind-utils bind-libs brcmfmac-firmware intel-gpu-firmware mt7xxx-firmware atheros-firmware amd-ucode-firmware linux-firmware amd-gpu-firmware realtek-firmware btrfs-progs cifs-utils clevis clevis-dracut clevis-luks clevis-systemd containerd containers-common-extra crun crun-wasm cryptsetup dnsmasq e2fsprogs-libs e2fsprogs flatpak-session-helper fuse-overlayfs fuse-sshfs fuse3 fwupd google-compute-engine-guest-configs-udev iptables-legacy iptables-legacy-libs kexec-tools libnvme lvm2 lvm2-libs mdadm moby-engine nvme-cli podman podman-plugins rsync runc samba-client-libs samba-common libwbclient libsmbclient samba-common-libs socat sssd-client sssd-ldap sssd-common sssd-krb5-common sssd-nfs-idmap sssd-ad sssd-krb5 sssd-ipa sssd-common-pac systemd-resolved toolbox tpm2-tools tpm2-tss-fapi vim-data vim-minimal wireguard-tools
|
||||
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld qemu-guest-agent tuned unbound
|
||||
ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin firewalld hardened_malloc qemu-guest-agent tuned unbound
|
||||
ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||
ExecStart=/usr/bin/sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||
ExecStart=/usr/bin/sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||
@ -69,8 +69,10 @@ systemd:
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/echo "/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so" | tee /etc/ld.so.preload
|
||||
ExecStart=/usr/bin/systemctl enable --now firewalld
|
||||
ExecStart=/usr/bin/firewall-cmd --lockdown-on
|
||||
ExecStart=/usr/bin/systemctl --no-block reboot
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -168,6 +170,12 @@ storage:
|
||||
- path: /etc/docker/daemon.json
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
|
||||
- path: /etc/yum.repos.d/divested-release.repo
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo
|
||||
- path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
|
||||
- path: /etc/chrony.conf
|
||||
contents:
|
||||
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf
|
Loading…
Reference in New Issue
Block a user