From 4f6602e11d94cfa86d3273a8a3f8cb553c0cc41d Mon Sep 17 00:00:00 2001
From: Mateus Melchiades
Date: Thu, 3 Aug 2023 10:03:48 -0300
Subject: [PATCH] Implement FsGuard
---
 .../usr/bin/gen_fsguard_filelist | 12 ++++++++++++
 includes.container/usr/bin/sign_filelist | 14 ++++++++++++++
 recipe.yml | 18 ++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100755 includes.container/usr/bin/gen_fsguard_filelist
 create mode 100755 includes.container/usr/bin/sign_filelist
diff --git a/includes.container/usr/bin/gen_fsguard_filelist b/includes.container/usr/bin/gen_fsguard_filelist
new file mode 100755
index 0000000..ab00bb1
--- /dev/null
+++ b/includes.container/usr/bin/gen_fsguard_filelist
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+mkdir -p /FsGuard
+touch /FsGuard/filelist
+
+while [ $# -gt 0 ]; do
+ BASEPATH="$1"
+ for f in $(ls -1 $BASEPATH); do
+ echo "$BASEPATH/$f $(sha1sum $BASEPATH/$f | sed 's/ .*//g') $(ls -al $BASEPATH/$f | awk 'BEGIN{FS=" "}; {print $1};' | grep s > /dev/null && echo "true" || echo "false")" >> /FsGuard/filelist
+ done
+ shift
+done
diff --git a/includes.container/usr/bin/sign_filelist b/includes.container/usr/bin/sign_filelist
new file mode 100755
index 0000000..57ddc1b
--- /dev/null
+++ b/includes.container/usr/bin/sign_filelist
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+minisign -WG
+minisign -Sm /FsGuard/filelist
+
+touch /FsGuard/signature
+echo -n "----begin attach----" >> /FsGuard/signature
+cat /FsGuard/filelist.minisig >> /FsGuard/signature
+echo -n "----begin second attach----" >> /FsGuard/signature
+tail -n1 ./minisign.pub >> /FsGuard/signature
+
+cat /FsGuard/signature >> /usr/bin/FsGuard
diff --git a/recipe.yml b/recipe.yml
index 1313001..77142b4 100644
--- a/recipe.yml
+++ b/recipe.yml
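Review bot: The setuid column in gen_fsguard_filelist is unreliable: `ls -al $BASEPATH/$f | awk ... | grep s` matches any `s` in the mode string, so setgid and sticky bits are reported as setuid, and for a directory entry `ls -al` lists the directory's contents rather than the directory itself; the shell's own `[ -u "$path" ]` test is the precise check. The unquoted `$(ls -1 $BASEPATH)` loop also word-splits on filenames containing whitespace, `touch` does not truncate so a second run appends duplicate entries to a stale manifest, and `sha1sum` on a non-regular file leaves the hash field empty. SHA-1 is collision-broken, so if FsGuard's verifier can accept a longer digest, `sha256sum` is the better choice for an integrity manifest; the rewrite below keeps `sha1sum` so the manifest format is unchanged. The rewritten loop globs instead of parsing `ls`, skips non-regular files, and emits the same three-column line with `printf`.
```sh
: > /FsGuard/filelist   # start from an empty manifest instead of appending to an old one

while [ $# -gt 0 ]; do
  BASEPATH="$1"
  for path in "$BASEPATH"/*; do
    [ -f "$path" ] || continue       # sha1sum cannot hash directories or sockets
    hash=$(sha1sum -- "$path" | cut -d' ' -f1)
    if [ -u "$path" ]; then suid=true; else suid=false; fi
    printf '%s %s %s\n' "$path" "$hash" "$suid" >> /FsGuard/filelist
  done
  # … unchanged: shift; done …
```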
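Review bot: `minisign -WG` in sign_filelist creates a fresh, passphrase-less keypair at image build time and nothing afterwards deletes the secret key, so unless the build tree is discarded the key that can re-sign a tampered manifest stays next to the artifacts it protects; make both paths explicit and remove the secret half once the signature exists, e.g. `minisign -WG -p ./minisign.pub -s ./minisign.key`, `minisign -Sm /FsGuard/filelist -s ./minisign.key`, and `rm -f -- ./minisign.key` after the final `cat`. A per-build key also only proves "unchanged since this build", not "produced by a trusted publisher"; a key supplied from outside the build would be needed for the latter, which is worth stating in a header comment. Because recipe.yml runs `gen_fsguard_filelist /usr/bin` before this script, the closing `cat /FsGuard/signature >> /usr/bin/FsGuard` modifies the FsGuard binary after its own hash was recorded, so that manifest entry can no longer match unless FsGuard exempts itself — either exclude it from the manifest or document the exemption. `echo -n` is not portable under `#!/bin/sh`; `printf '%s' "----begin attach----"` is.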
@@ -48,6 +48,24 @@ modules:
 - apt remove -y meson build-essential libadwaita-1-dev gettext
 - apt autoremove -y
 - apt clean
+
+- name: fsguard
+ type: shell
+ source:
+ type: tar
+ url: https://github.com/linux-immutability-tools/FsGuard/releases/download/v0.1.2/FsGuard_0.1.2_linux_amd64.tar.gz
+ commands:
+ - mv /sources/FsGuard /usr/bin
+ - /usr/bin/gen_fsguard_filelist /usr/bin
+ - sed -i '\/usr\/bin\/gen_fsguard_filelist.*/d' /FsGuard/filelist
+ - sed -i '\/usr\/bin\/sign_filelist.*/d' /FsGuard/filelist
+ - /usr/bin/sign_filelist
+
+- name: finish
+ type: shell
+ commands:
+ - rm /usr/bin/gen_fsguard_filelist
+ - rm /usr/bin/sign_filelist
 - chmod +x /usr/bin/pkg-lock && chmod +x /usr/bin/pkg-unlock
 - pkg-lock