From e2454f9d479e8e18d4b6f174782fab0f6165f0fe Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sun, 7 Jan 2024 16:29:01 +0100
Subject: [PATCH] feat: add fsguard module
ref https://github.com/Vanilla-OS/security/issues/4
---
 .github/workflows/vib-build.yml | 5 ++++-
 .github/workflows/vib-pr.yml | 5 ++++-
 includes.container/usr/sbin/init | 3 +++
 recipe.yml | 14 ++++++++++++++
 4 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 includes.container/usr/sbin/init
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 41b94e3..e6895b4 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -18,7 +18,10 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ - uses: vanilla-os/vib-gh-action@v0.3.3-1
+ with:
+ recipe: 'recipe.yml'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/desktop:main .
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index fffbac4..92cef88 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -13,7 +13,10 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ - uses: vanilla-os/vib-gh-action@v0.3.3-1
+ with:
+ recipe: 'recipe.yml'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag vanillaos/desktop .
diff --git a/includes.container/usr/sbin/init b/includes.container/usr/sbin/init
new file mode 100644
index 0000000..076d8ea
--- /dev/null
+++ b/includes.container/usr/sbin/init
@@ -0,0 +1,3 @@
+#!/bin/bash
+/usr/sbin/FsGuard verify /FsGuard/filelist
+exec /usr/lib/systemd/systemd "$@"
diff --git a/recipe.yml b/recipe.yml
index 2067ee0..e274c48 100644
--- a/recipe.yml
+++ b/recipe.yml
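Review bot: The new `plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'` line and the bumped `- uses: vanilla-os/vib-gh-action@v0.3.3-1` both reference mutable tags, so the tooling that generates the image's integrity filelist and signing key is itself fetched from refs that can be moved after this review. For a control with this role, pin the action to a full commit SHA and keep the tag as a trailing comment, and pin the plugin the same way if the action's `plugins` syntax accepts a commit ref (not visible from this hunk). Proposed form for the action line: `- uses: vanilla-os/vib-gh-action@<commit-sha>  # v0.3.3-1`. The identical two lines appear in the vib-pr.yml hunk and should get the same treatment.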
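Review bot: The exit status of `/usr/sbin/FsGuard verify /FsGuard/filelist` is never checked, so when verification fails, or the binary or filelist is missing, the script still reaches `exec /usr/lib/systemd/systemd "$@"` and the system boots as if the check had passed; whether FsGuard halts the machine on its own on a mismatch is not visible here and should be confirmed. The policy should be explicit in the script: if boot is meant to stop, `/usr/sbin/FsGuard verify /FsGuard/filelist || { echo "FsGuard: integrity verification failed" >&2; exit 1; }`, bearing in mind that a non-zero exit from PID 1 ends in a kernel panic. If verification is intended to be advisory only, say so in a comment above the call, e.g. `# Verification result is informational; boot continues regardless`, so the next reader does not assume the check is enforcing.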
@@ -18,6 +18,7 @@ modules:
 - apt upgrade -y
 - apt clean
 - apt-mark hold snapd gnome-software-plugin-snap
+ - apt install minisign
 - name: vanilla-tools
 type: shell
@@ -79,3 +80,16 @@ modules:
 - apt autoremove -y
 - apt clean
 - lpkg --lock
+
+- name: fsguard
+ type: fsguard
+ FsGuardLocation: "/usr/sbin/FsGuard"
+ GenerateKey: true
+ FilelistPaths: ["/usr/bin"]
+ modules:
+ - name: remove-prev-fsguard
+ type: shell
+ commands:
+ - rm -rf /FsGuard
+ - rm -f ./minisign.pub ./minisign.key
+ - chmod +x /usr/sbin/init
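Review bot: `- apt install minisign` is the only apt command in this module without `-y` (the surrounding lines use `apt upgrade -y` and, in the next hunk, `apt autoremove -y`), so whenever apt asks for confirmation the non-interactive container build will abort instead of installing the package; change it to `- apt install -y minisign`. A short comment on why the package is pulled into this module would also help, e.g. `# minisign: presumably needed by the fsguard module below for filelist signing — confirm`, since the dependency is only implied by the commit message.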
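Review bot: `FilelistPaths: ["/usr/bin"]` restricts the verified set to /usr/bin, so the verifier at `FsGuardLocation: "/usr/sbin/FsGuard"` and the `/usr/sbin/init` wrapper that calls it (made executable by `chmod +x /usr/sbin/init` in this hunk) sit outside the list they protect; unless the plugin adds its own binary implicitly, which is not visible here, extend the list to `FilelistPaths: ["/usr/bin", "/usr/sbin"]` or add a comment stating why the narrower scope is deliberate. The cleanup `rm -f ./minisign.pub ./minisign.key` relies on whatever working directory the plugin uses for the nested shell module, so whether the private key generated by `GenerateKey: true` actually leaves the image cannot be confirmed from the recipe; an absolute path, or a comment naming where the key pair is written, would make that verifiable. The ordering of `remove-prev-fsguard` relative to filelist generation is likewise unstated, and `rm -rf /FsGuard` run after generation would delete the `/FsGuard/filelist` that init verifies, so a one-line comment on when the nested module runs would be worth adding.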