From 9ccb1ec673867869bb9f0d77096c5c146551d775 Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 16:23:32 +0100
Subject: [PATCH 1/9] feat: Add FsGuard module
---
.github/workflows/vib-build.yml | 2 ++
recipe.yml | 25 ++++++++++++-------------
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index 35de435..b82ce0d 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -19,6 +19,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ with:
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/core:main .
diff --git a/recipe.yml b/recipe.yml
index 13e18e3..730fe42 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -16,19 +16,6 @@ modules:
 - apt install -y man-db
 - mandb -c
-- name: fsguard
- type: shell
- source:
- type: tar
- url: https://github.com/linux-immutability-tools/FsGuard/releases/download/v0.1.2/FsGuard_0.1.2_linux_amd64.tar.gz
- commands:
- - apt install -y minisign
- - mv /sources/FsGuard /usr/bin
- - /usr/bin/gen_fsguard_filelist /usr/bin
- - sed -i '\/usr\/bin\/gen_fsguard_filelist.*/d' /FsGuard/filelist
- - sed -i '\/usr\/bin\/sign_filelist.*/d' /FsGuard/filelist
- - /usr/bin/sign_filelist
-
 - name: packages-modules
 type: includes
 includes:
@@ -68,3 +55,15 @@ modules:
 - rm /usr/bin/gen_fsguard_filelist
 - rm /usr/bin/sign_filelist
 - mkdir -p /var/cache/apt/archives/partial
+
+- name: fsguard
+ type: fsguard
+ FsGuardLocation: "/usr/sbin/init"
+ GenerateKey: true
+ FilelistPaths: ["/usr/bin"]
+ modules:
+ - name: minisign
+ type: apt
+ sources:
+ packages:
+ - "minisign"
From 5b6a2c27bb2f2cfcb35e8a89fad1401056abe9b1 Mon Sep 17 00:00:00 2001
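Review bot: `plugins: 'Vanilla-OS/vib-fsguard:v1.0'` pulls a third-party build plugin into the image build by a git tag, and tags are mutable, so the component that produces the image's integrity filelist can change without any change to this repository; the same applies to the `with:` block added to vib-pr.yml in PATCH 3/9. If vib-gh-action accepts a commit SHA or release digest for `plugins`, pin to that and keep the tag as a comment, e.g. `plugins: 'Vanilla-OS/vib-fsguard:<plugin-commit-sha>'  # v1.0` (placeholder); otherwise record in a comment above the line why the tag is trusted. The series then bumps this value to v1.0-1, v1.0-2 and v1.0-3 within one day, so a comment noting that vib-build.yml and vib-pr.yml must stay in lock-step would help future readers.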
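Review bot: The new `fsguard` module is appended after the `cleanup` module (whose start lies outside this hunk), so the context lines `rm /usr/bin/gen_fsguard_filelist` and `rm /usr/bin/sign_filelist` run before the module that uses those helpers; `rm` without `-f` aborts the build if they are absent at that point, and if the plugin places helpers into `/usr/bin` afterwards they end up in the image and inside the signed filelist. `GenerateKey: true` creates the signing keypair during the build, so the integrity check is only as strong as the custody of that private key; I cannot see the plugin's implementation here, so please confirm it does not leave the private half in the image and say so in a comment such as `# GenerateKey: per-build keypair; private key must not ship in the image`. `FilelistPaths: ["/usr/bin"]` limits verification to /usr/bin while `FsGuardLocation: "/usr/sbin/init"` puts the FsGuard binary itself outside that set, so a comment stating whether that scope is intentional would avoid a false sense of coverage.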
From: axtloss
Date: Sat, 6 Jan 2024 16:25:10 +0100
Subject: [PATCH 2/9] feat: change workflow for prs
---
.github/workflows/.#vib-pr.yml | 1 +
1 file changed, 1 insertion(+)
create mode 120000 .github/workflows/.#vib-pr.yml
diff --git a/.github/workflows/.#vib-pr.yml b/.github/workflows/.#vib-pr.yml
new file mode 120000
index 0000000..7610a4c
--- /dev/null
+++ b/.github/workflows/.#vib-pr.yml
@@ -0,0 +1 @@
+xen@orchid.52924:1704456235
\ No newline at end of file
From 9eb78481b933363cdc98c667b36b1344ac788576 Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 16:29:26 +0100
Subject: [PATCH 3/9] fix: Add recipe name to workflo
---
.github/workflows/.#vib-pr.yml | 1 -
.github/workflows/vib-build.yml | 1 +
.github/workflows/vib-pr.yml | 3 +++
3 files changed, 4 insertions(+), 1 deletion(-)
delete mode 120000 .github/workflows/.#vib-pr.yml
diff --git a/.github/workflows/.#vib-pr.yml b/.github/workflows/.#vib-pr.yml
deleted file mode 120000
index 7610a4c..0000000
--- a/.github/workflows/.#vib-pr.yml
+++ /dev/null
@@ -1 +0,0 @@
-xen@orchid.52924:1704456235
\ No newline at end of file
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index b82ce0d..ea0a06e 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -20,6 +20,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
 with:
+ recipe: 'recipe.yml'
 plugins: 'Vanilla-OS/vib-fsguard:v1.0'
 - name: Build the Docker image
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index bcfb7df..26c87dc 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -14,6 +14,9 @@ jobs:
 - uses: actions/checkout@v4
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ with:
+ recipe: 'recipe.yml'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag vanillaos/core:validation .
From e13cafdb70f23b42eb89ab44f4df9c3107d4e76d Mon Sep 17 00:00:00 2001
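Review bot: The only content of PATCH 2/9 is a mode-120000 symlink named `.#vib-pr.yml` whose target is `xen@orchid.52924:1704456235`, which has the `user@host.pid:time` shape of an Emacs lock file rather than a workflow, so the subject "change workflow for prs" does not describe what the hunk does. Committing it records a local username and hostname in the repository history and drops a dangling symlink into `.github/workflows/`, where the forge's workflow loader cannot parse it. PATCH 3/9 deletes the file again, but nothing stops it from coming back; add `.#*` to `.gitignore` so editor lock files cannot be staged, and treat the leaked username/hostname as now permanently in history.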
From: axtloss
Date: Sat, 6 Jan 2024 16:39:35 +0100
Subject: [PATCH 4/9] fix: use proper name for source
---
recipe.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipe.yml b/recipe.yml
index 730fe42..54175bf 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -64,6 +64,6 @@ modules:
 modules:
 - name: minisign
 type: apt
- sources:
+ source:
 packages:
 - "minisign"
From 6c8fd9d6d17411292aefaa251483ff7fcbce2f28 Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 16:46:10 +0100
Subject: [PATCH 5/9] upadte fsguard plugin version
---
.github/workflows/vib-build.yml | 2 +-
.github/workflows/vib-pr.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index ea0a06e..bbb2132 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -21,7 +21,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-1'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/core:main .
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index 26c87dc..12a0795 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-1'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag vanillaos/core:validation .
From 4d4760df5fec8fcc5f58d240cedb17c1a809878a Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 17:03:59 +0100
Subject: [PATCH 6/9] update vib-fsguard version
---
.github/workflows/vib-build.yml | 2 +-
.github/workflows/vib-pr.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index bbb2132..d21c305 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -21,7 +21,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0-1'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/core:main .
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index 12a0795..0e097de 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.2-2
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0-1'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag vanillaos/core:validation .
From f304bbc703546e52cd9e3eeadf05ba969a7f7364 Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 18:09:24 +0100
Subject: [PATCH 7/9] fix: bump vib gh action to latest version
---
.github/workflows/vib-build.yml | 2 +-
.github/workflows/vib-pr.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index d21c305..fb9b4d2 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ - uses: vanilla-os/vib-gh-action@v0.3.3
 with:
 recipe: 'recipe.yml'
 plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index 0e097de..08d3ea3 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.2-2
+ - uses: vanilla-os/vib-gh-action@v0.3.3
 with:
 recipe: 'recipe.yml'
 plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
From e76076536bfc14cd72b218cada4daee84637e2da Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 19:53:50 +0100
Subject: [PATCH 8/9] Bump vib-fsguard version to include latest fixes
---
.github/workflows/vib-build.yml | 2 +-
.github/workflows/vib-pr.yml | 2 +-
recipe.yml | 18 ++++++++++--------
3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index fb9b4d2..e44cfa4 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -21,7 +21,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.3
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag ghcr.io/vanilla-os/core:main .
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index 08d3ea3..95294d5 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: vanilla-os/vib-gh-action@v0.3.3
 with:
 recipe: 'recipe.yml'
- plugins: 'Vanilla-OS/vib-fsguard:v1.0-2'
+ plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
 - name: Build the Docker image
 run: docker image build -f Containerfile --tag vanillaos/core:validation .
diff --git a/recipe.yml b/recipe.yml
index 54175bf..706b81d 100644
--- a/recipe.yml
+++ b/recipe.yml
@@ -41,20 +41,13 @@ modules:
 - modules/140-manpages
 - modules/999-replace-locale-gen
-- name: cleanup
+- name: cleanup1
 type: shell
 commands:
 - apt remove -y linux-image-rt-amd64 linux-image-6.4.0-4-rt-amd64
 - apt remove -y dpkg-dev build-essential
 - apt autoremove -y
 - apt clean
- - rm -rf /var/cache/*
- - rm -rf /tmp/*
- - rm -rf /var/tmp/*
- - rm -rf /sources
- - rm /usr/bin/gen_fsguard_filelist
- - rm /usr/bin/sign_filelist
- - mkdir -p /var/cache/apt/archives/partial
 - name: fsguard
 type: fsguard
@@ -67,3 +60,12 @@ modules:
 source:
 packages:
 - "minisign"
+
+- name: cleanup2
+ type: shell
+ commands:
+ - rm -rf /var/cache/*
+ - rm -rf /tmp/*
+ - rm -rf /var/tmp/*
+ - rm -rf /sources
+ - mkdir -p /var/cache/apt/archives/partial
From aceba552bd74dfd8f98b213c3ae614a6e6369e93 Mon Sep 17 00:00:00 2001
From: axtloss
Date: Sat, 6 Jan 2024 20:09:19 +0100
Subject: [PATCH 9/9] Bump vib github action to 0.3.3-1
---
.github/workflows/vib-build.yml | 2 +-
.github/workflows/vib-pr.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
index e44cfa4..03350f8 100644
--- a/.github/workflows/vib-build.yml
+++ b/.github/workflows/vib-build.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.3
+ - uses: vanilla-os/vib-gh-action@v0.3.3-1
 with:
 recipe: 'recipe.yml'
 plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
diff --git a/.github/workflows/vib-pr.yml b/.github/workflows/vib-pr.yml
index 95294d5..b298cb6 100644
--- a/.github/workflows/vib-pr.yml
+++ b/.github/workflows/vib-pr.yml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: vanilla-os/vib-gh-action@v0.3.3
+ - uses: vanilla-os/vib-gh-action@v0.3.3-1
 with:
 recipe: 'recipe.yml'
 plugins: 'Vanilla-OS/vib-fsguard:v1.0-3'
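Review bot: The split of `cleanup` into `cleanup1` and `cleanup2` drops the lines `rm /usr/bin/gen_fsguard_filelist` and `rm /usr/bin/sign_filelist` instead of moving them into `cleanup2` (the second hunk of recipe.yml in this patch), so if the fsguard plugin still leaves those helpers in `/usr/bin` they now remain in the image and are covered by the signed filelist; if the plugin no longer installs them the omission is fine, but the hunk does not say which, so add a comment to `cleanup2` stating it (`# fsguard helper binaries are no longer placed in /usr/bin; nothing to remove here`, or the `rm -f` lines if they are). Running the cache and /tmp removals after the fsguard module is the right order given that its nested apt sub-module repopulates `/var/cache`, but the names `cleanup1`/`cleanup2` hide that ordering constraint; `name: cleanup-pre-fsguard` and `name: cleanup-post-fsguard` with a one-line comment `# must run after fsguard: its apt sub-module writes to /var/cache` would make it explicit. The `cleanup` module's `type`/`commands` context lines are inside the hunk, but the surrounding `modules:` sequence starts outside it.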