feat: add fsguard module

ref Vanilla-OS/security#4

.github/workflows/vib-build.yml

@@ -18,7 +18,10 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - uses: vanilla-os/[email protected]
+    - uses: vanilla-os/[email protected]
+      with:
+        recipe: 'recipe.yml'
+        plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 
     - name: Build the Docker image
       run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/desktop:main .

.github/workflows/vib-pr.yml

@@ -13,7 +13,10 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - uses: vanilla-os/[email protected]
+    - uses: vanilla-os/[email protected]
+      with:
+        recipe: 'recipe.yml'
+        plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 
     - name: Build the Docker image
       run: docker image build -f Containerfile --tag vanillaos/desktop .

includes.container/usr/sbin/init

@@ -0,0 +1,3 @@
+#!/bin/bash
+/usr/sbin/FsGuard verify /FsGuard/filelist
+exec /usr/lib/systemd/systemd "$@"

recipe.yml

@@ -18,6 +18,7 @@ modules:
   - apt upgrade -y
   - apt clean
   - apt-mark hold snapd gnome-software-plugin-snap
+  - apt install minisign
 
 - name: vanilla-tools
   type: shell
@@ -79,3 +80,16 @@ modules:
   - apt autoremove -y
   - apt clean
   - lpkg --lock
+
+- name: fsguard
+  type: fsguard
+  FsGuardLocation: "/usr/sbin/FsGuard"
+  GenerateKey: true
+  FilelistPaths: ["/usr/bin"]
+  modules:
+    - name: remove-prev-fsguard
+      type: shell
+      commands:
+        - rm -rf /FsGuard
+        - rm -f ./minisign.pub ./minisign.key
+        - chmod +x /usr/sbin/init