From d9bd0f956347a887b4ef6f8ca0aa73bb7ca714eb Mon Sep 17 00:00:00 2001
From: Tommy
Date: Thu, 6 Jun 2024 22:54:40 -0700
Subject: [PATCH] Use secureblue hardenedmalloc

Signed-off-by: Tommy
---
 UTM-Chrony.ign | 2 +-
 UTM-Chrony.yml | 1 +
 x86-QEMU-Docker.ign | 18 ++++++------------
 x86-QEMU-Docker.yml | 9 +++------
 4 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/UTM-Chrony.ign b/UTM-Chrony.ign
index ca6262c..449a52c 100644
--- a/UTM-Chrony.ign
+++ b/UTM-Chrony.ign
@@ -201,7 +201,7 @@
 "name": "postinst.service"
 },
 {
- "contents": "[Unit]\nDescription=Initial System Setup Part 3\n# We run this after the packages have been overlayed\nAfter=firewalld.service\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp\nExecStart=/usr/bin/firewall-cmd --reload\n\n[Install]\nWantedBy=multi-user.target\n",
+ "contents": "[Unit]\nDescription=Initial System Setup Part 3\n# We run this after the packages have been overlayed\nAfter=firewalld.service\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' \u003e /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp\nExecStart=/usr/bin/firewall-cmd --reload\n\n[Install]\nWantedBy=multi-user.target\n",
 "enabled": true,
 "name": "postinst2.service"
 },
diff --git a/UTM-Chrony.yml b/UTM-Chrony.yml
index 94d8a0f..2ec301d 100644
--- a/UTM-Chrony.yml
+++ b/UTM-Chrony.yml
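Review bot: The added `ExecStart=/usr/bin/echo 'libhardened_malloc.so' \u003e /etc/ld.so.preload` never writes the file: systemd starts ExecStart commands without a shell, so the `>` (`\u003e` in the JSON) is handed to echo as a literal argument and `libhardened_malloc.so > /etc/ld.so.preload` only ends up in the journal, leaving the allocator un-preloaded; the same line is added in the UTM-Chrony.yml hunk. A static file like this belongs in Ignition's `storage.files` rather than a oneshot, e.g. `- path: /etc/ld.so.preload` with `contents: inline: "libhardened_malloc.so\n"` in the yml and the .ign regenerated from it; if it must stay a unit, `ExecStart=/usr/bin/bash -c "echo libhardened_malloc.so > /etc/ld.so.preload"` performs the redirection. It is also worth confirming the hardened_malloc package is actually layered on this image before postinst2 runs — the UTM-Chrony hunks add only the preload line, while the repo definition is added only to the x86-QEMU-Docker files — because an ld.so.preload entry that cannot be resolved is reported by the loader at every process start.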
@@ -70,6 +70,7 @@ systemd:
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+ ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
 ExecStart=/usr/bin/systemctl enable --now firewalld
 ExecStart=/usr/bin/firewall-cmd --lockdown-on
 ExecStart=/usr/bin/firewall-cmd --permanent --add-service=ntp
diff --git a/x86-QEMU-Docker.ign b/x86-QEMU-Docker.ign
index 3de081d..fa059b9 100644
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -69,6 +69,12 @@
 "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml"
 }
 },
+ {
+ "path": "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo",
+ "contents": {
+ "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo"
+ }
+ },
 {
 "path": "/etc/yum.repos.d/docker-ce.repo",
 "contents": {
@@ -81,18 +87,6 @@
 "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json"
 }
 },
- {
- "path": "/etc/yum.repos.d/divested-release.repo",
- "contents": {
- "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo"
- }
- },
- {
- "path": "/etc/pki/rpm-gpg/RPM-GPG-KEY-divested",
- "contents": {
- "source": "https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested"
- }
- },
 {
 "overwrite": true,
 "path": "/etc/chrony.conf",
diff --git a/x86-QEMU-Docker.yml b/x86-QEMU-Docker.yml
index ec9c870..35042fb 100644
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
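Review bot: The new `/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo` entry fetches its contents from raw.githubusercontent.com with no `verification.hash`, so the definition of the repository that supplies a library meant to be preloaded into every process on the host rests entirely on TLS to GitHub at provisioning time; the x86-QEMU-Docker.yml hunk has the same gap. Ignition can pin remote contents, e.g. adding `"verification": { "hash": "sha512-<digest of the .repo file>" }` beside `"source"` (Butane: `verification: hash: sha512-<digest>`), or this short file could simply be inlined. Unlike the removed divested pair, no GPG key file is added with the repo; whether the .repo sets `gpgcheck=1` with a `gpgkey=` URL cannot be seen from this hunk, so it is worth confirming that rpm-ostree will verify package signatures from this COPR. This file also gains the repo but not the `/etc/ld.so.preload` entry that UTM-Chrony gets in the same commit; if that asymmetry is intended, a sentence in the commit message would save the next reader from wondering.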
@@ -180,18 +180,15 @@ storage:
 - path: /etc/zincati/config.d/55-updates-strategy.toml
 contents:
 source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/zincati/config.d/55-updates-strategy.toml
+ - path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
+ contents:
+ source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
 - path: /etc/yum.repos.d/docker-ce.repo
 contents:
 source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/docker-ce.repo
 - path: /etc/docker/daemon.json
 contents:
 source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/docker/daemon.json
- - path: /etc/yum.repos.d/divested-release.repo
- contents:
- source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/yum.repos.d/divested-release.repo
- - path: /etc/pki/rpm-gpg/RPM-GPG-KEY-divested
- contents:
- source: https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
 - path: /etc/chrony.conf
 contents:
 source: https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf