Tomster/Fedora-CoreOS-Ignition
1
0
Fork 0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-22 09:21:32 -05:00
Code

Use secureblue hardenedmalloc

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-06 22:54:40 -07:00
parent 37ab9797c7
commit d9bd0f9563
Signed by: Tomster
GPG Key ID: 555C902A34EC968F
4 changed files with 11 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
UTM-Chrony.ign
View File

@ -201,7 +201,7 @@
"name": "postinst.service" "name": "postinst.service"
}, },
{ {
"contents": "[Unit]\nDescription=Initial System Setup Part 3\n# We run this after the packages have been overlayed\nAfter=firewalld.service\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp\nExecStart=/usr/bin/firewall-cmd --reload\n\n[Install]\nWantedBy=multi-user.target\n", "contents": "[Unit]\nDescription=Initial System Setup Part 3\n# We run this after the packages have been overlayed\nAfter=firewalld.service\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' \u003e /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp\nExecStart=/usr/bin/firewall-cmd --reload\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true, "enabled": true,
"name": "postinst2.service" "name": "postinst2.service"
}, },

1
UTM-Chrony.yml
View File

@ -70,6 +70,7 @@ systemd:
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
ExecStart=/usr/bin/systemctl enable --now firewalld ExecStart=/usr/bin/systemctl enable --now firewalld
ExecStart=/usr/bin/firewall-cmd --lockdown-on ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp ExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp

18
x86-QEMU-Docker.ign
View File

@ -69,6 +69,12 @@
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml" "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml"
} }
}, },
{
"path": "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo",
"contents": {
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo"
}
},
{ {
"path": "/etc/yum.repos.d/docker-ce.repo", "path": "/etc/yum.repos.d/docker-ce.repo",
"contents": { "contents": {
@ -81,18 +87,6 @@
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json" "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json"
} }
}, },
{
"path": "/etc/yum.repos.d/divested-release.repo",
"contents": {
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo"
}
},
{
"path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested",
"contents": {
"source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested"
}
},
{ {
"overwrite": true, "overwrite": true,
"path": "/etc/chrony.conf", "path": "/etc/chrony.conf",

9
x86-QEMU-Docker.yml
View File

@ -180,18 +180,15 @@ storage:
- path: /etc/zincati/config.d/55-updates-strategy.toml - path: /etc/zincati/config.d/55-updates-strategy.toml
contents: contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml
- path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
- path: /etc/yum.repos.d/docker-ce.repo - path: /etc/yum.repos.d/docker-ce.repo
contents: contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo
- path: /etc/docker/daemon.json - path: /etc/docker/daemon.json
contents: contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
- path: /etc/yum.repos.d/divested-release.repo
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo
- path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested
contents:
source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
- path: /etc/chrony.conf - path: /etc/chrony.conf
contents: contents:
source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf