From 1c66ee26444bb07574fc52042485390be7f3088c Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 24 Jul 2020 15:02:46 -0400
Subject: [PATCH 1/1] adding files to git
---
Makefile | 47 ++++++
bm.sh | 7 +
bootstrap.sh | 7 +
files/.build | 37 +++++
.../.patches/fix-panic-on-readonly-root.patch | 20 +++
files/.pkgs | 60 ++++++++
files/.svcs | 10 ++
files/RELEASE | 145 ++++++++++++++++++
files/do-mysql.sh | 23 +++
files/install-drupal-toolchain.sh | 16 ++
files/install-packages.sh | 12 ++
files/pkgs | 11 ++
files/pkgs5 | 11 ++
files/sqldefaults | 9 ++
14 files changed, 415 insertions(+)
create mode 100644 Makefile
create mode 100644 bm.sh
create mode 100755 bootstrap.sh
create mode 100644 files/.build
create mode 100644 files/.patches/fix-panic-on-readonly-root.patch
create mode 100644 files/.pkgs
create mode 100644 files/.svcs
create mode 100644 files/RELEASE
create mode 100644 files/do-mysql.sh
create mode 100644 files/install-drupal-toolchain.sh
create mode 100644 files/install-packages.sh
create mode 100644 files/pkgs
create mode 100644 files/pkgs5
create mode 100644 files/sqldefaults
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..758c977
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,47 @@
+DATE:=`date --iso-8601`
+
+# recipes for installing this thing onto a "real" (non-chroot) system
+setup-real-system: probe-files install-pkgs install-drupal do-mysql
+
+# test that we have /install-{drupal-toolchain,packages}.sh /pkgs /sqldefaults and /do-mysql-sh
+# if we don't have all of these files, BAD THINGS may happen
+probe-files:
+ [ -f /install-packages.sh ]
+ [ -f /pkgs ]
+ [ -f /install-drupal-toolchain.sh ]
+ [ -f /do-mysql.sh ]
+ [ -f /sqldefaults ]
+
+install-drupal:
+ chmod +x /install-drupal-toolchain.sh
+ /install-drupal-toolchain.sh
+
+install-pkgs:
+ chmod +x /install-packages.sh
+ /install-packages.sh
+
+do-mysql:
+ chmod +x /do-mysql.sh
+ /do-mysql.sh
+ # secure these two files because they contain passwords in plaintext
+ chmod og-rwx /do-mysql.sh
+ chmod 0600 /sqldefaults
+
+# recipes for building a chroot. notice that sql does not cooperate with chroots, due to some funky postinstall hooks and /proc namespaces conflicting
+build-chroot: new-chroot install-pkgs-in-chroot install-drupal-toolchain
+
+new-chroot:
+ rm -rf tristrap
+ mkdir tristrap
+ debootstrap --merged-usr etiona ./tristrap/ http://mirror.fsf.org/trisquel/
+
+install-pkgs-in-chroot:
+ cp files/pkgs tristrap
+ cp files/install-packages.sh tristrap
+ chmod +x tristrap/install-packages.sh
+ chroot tristrap /install-packages.sh
+
+install-drupal-toolchain:
+ cp files/install-drupal-toolchain.sh tristrap
+ chmod +x tristrap/install-drupal-toolchain.sh
+ chroot tristrap /install-drupal-toolchain.sh
diff --git a/bm.sh b/bm.sh
new file mode 100644
index 0000000..14214ba
--- /dev/null
+++ b/bm.sh
@@ -0,0 +1,7 @@
+mount --rbind /proc proc
+mount --rbind /sys sys
+mount --rbind /dev dev
+mount -t tmpfs none tmp
+mount -t tmpfs none run
+touch etc/resolv.conf
+mount --bind /etc/resolv.conf etc/resolv.conf
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100755
index 0000000..c7c49ba
--- /dev/null
+++ b/bootstrap.sh
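Review bot: None of the nine targets names a file, yet there is no `.PHONY` declaration, so a stray file called e.g. `do-mysql` or `build-chroot` in the checkout would make that target silently "up to date"; add `.PHONY: setup-real-system probe-files install-drupal install-pkgs do-mysql build-chroot new-chroot install-pkgs-in-chroot install-drupal-toolchain` at the top. `DATE:=\`date --iso-8601\`` stores the literal backticks (Make does not perform command substitution) and is never referenced; drop it or write `DATE := $(shell date --iso-8601)`. The `do-mysql` target restricts `/do-mysql.sh` and `/sqldefaults` only after running them, so the plaintext passwords they hold are readable with whatever mode `cp` gave them in bootstrap.sh from bootstrap until this target completes; setting the mode at copy time closes that window. `debootstrap` fetches over plain `http://` and only verifies the `Release` signature when it has a keyring for the suite, so pass `--keyring` explicitly or confirm the check is happening on a non-Trisquel host. The recipe lines appear here with a leading space rather than a tab — that may be an artifact of how the patch was rendered, but if it is real Make rejects them with "missing separator".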
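Review bot: Every line uses a path relative to the current directory and nothing checks that the script is run from a chroot root, so invoked from the wrong place the `mount` calls either fail one by one or bind `/proc`, `/sys` and `/dev` onto unrelated directories, and with no shebang or `set -e` the remaining lines still run. `.build` shows it is invoked as `sudo sh ../bm.sh`, so a guard at the top suffices: `set -e` followed by `[ -d proc ] && [ -d sys ] && [ -d dev ] && [ -d etc ] || { echo "bm.sh: run from the chroot root" >&2; exit 1; }`. The recursive binds are not marked `--make-rslave`, so unmount events inside the chroot propagate back to the host, and a recursive delete of the chroot directory while they are still mounted would reach into the host's `/dev` — worth stating in a header comment such as `# Bind host /proc, /sys, /dev and resolv.conf into the chroot at $PWD; unmount them before deleting the directory.`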
@@ -0,0 +1,7 @@
+#!/bin/bash
+apt install -y build-essential
+cp files/do-mysql.sh /
+cp files/install-drupal-toolchain.sh /
+cp files/install-packages.sh /
+cp files/pkgs /
+cp files/sqldefaults /
diff --git a/files/.build b/files/.build
new file mode 100644
index 0000000..7e21273
--- /dev/null
+++ b/files/.build
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash -xe
+
+# This build script is meant to be run from the vroot.x(32|64) directory, as part of the build process
+# It more-or-less automates the Abigail build process
+# Make sure appropriate directories have been bind-mounted (sudo sh ../bm.sh)
+
+# Update the build chroot, last release published was 20191111
+sudo chroot . /bin/bash -c '(xbps-install -Syu && xbps-install -Syu && exit)'
+
+# Copy in our RELEASE, etc, files
+for F in RELEASE .pkgs .svcs .patches .build; do sudo cp -r ../files/"${F}" ./; done
+
+# Enter the updated build environment
+# Install packages, remake the mandoc db, enable services, patch the boot process, and finally remove orphan packages
+sudo chroot . /bin/bash -xe -c '\
+( \
+ cd / &&\
+ for PKG in $(cat .pkgs); do xbps-install -Suy $PKG; done &&\
+ makewhatis /usr/share/man &&\
+ for SVC in $(cat .svcs); do ln -s /etc/sv/$SVC /etc/runit/runsvdir/default/$SVC; done &&\
+ patch -R -p1 /etc/runit/core-services/03-filesystems.sh < /.patches/fix-panic-on-readonly-root.patch &&\
+ xbps-install -Syu &&\
+ mkdir -m 755 /rw &&\
+ cd / &&\
+ mv etc rw/etc &&\
+ mv var rw/var &&\
+ ln -s rw/etc etc &&\
+ ln -s rw/var var &&\
+ mkdir -m 0400 /initrd &&\
+ xbps-remove --remove-orphans &&\
+ rmdir /opt /media ||: &&\
+: )'
+
+sudo touch ./initrd/init3.btrfs
+sudo mkfs.btrfs --shrink --rootdir=../../initrd2 initrd/init3.btrfs
+sudo chown root:root initrd/init3.btrfs
+sudo chmod 0400 initrd/init3.btrfs
diff --git a/files/.patches/fix-panic-on-readonly-root.patch b/files/.patches/fix-panic-on-readonly-root.patch
new file mode 100644
index 0000000..ce1fa35
--- /dev/null
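Review bot: `cp files/do-mysql.sh /` and `cp files/sqldefaults /` place two files holding plaintext passwords in `/` with whatever mode the source and umask give them, and the Makefile only restricts them after `do-mysql` has run; use `install -m 0700 files/do-mysql.sh /` and `install -m 0600 files/sqldefaults /` here so they are never world-readable (`-m 0700` also makes the later `chmod +x` unnecessary). There is no `set -e`, so if `apt install -y build-essential` fails the copies still proceed and the failure surfaces much later; add `set -e` after the shebang. A one-line header such as `# Stage the install scripts at / for the setup-real-system Makefile target; run as root on the target host.` would make the script's role clear.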
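Review bot: The shebang `#!/usr/bin/env bash -xe` does not work on Linux — the kernel hands `bash -xe` to `env` as one argument, so executing the file directly fails with "No such file or directory" unless it is run as `bash .build`; use `#!/bin/bash -xe` as the sibling scripts do, or keep `#!/usr/bin/env bash` and add `set -xe` as the first line. The patch step needs `patch -R -p1` because `fix-panic-on-readonly-root.patch` lists the modified file under `***` and the `.orig` copy under `---`, i.e. it was generated backwards; regenerating it in the usual direction lets the step read `patch -p1 … < …` and stops surprising the next reader. `mkfs.btrfs --shrink --rootdir=../../initrd2` refers to a path outside the repository that nothing in this commit creates or documents; a comment saying where `initrd2` comes from would help. `for PKG in $(cat .pkgs); do xbps-install -Suy $PKG; done` re-syncs the repository index once per package — `xbps-install -Suy $(cat .pkgs)` does it once, if per-package failure isolation is not the intent.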
+++ b/files/.patches/fix-panic-on-readonly-root.patch
@@ -0,0 +1,20 @@
+Fixes runit base scripts to continue with the boot process, even if root is read-only
+*** /etc/runit/core-services/03-filesystems.sh 2020-02-05 16:28:31.065027149 +0000
+--- /etc/runit/core-services/03-filesystems.sh.orig 2020-02-05 16:27:27.696130689 +0000
+***************
+*** 64,70 ****
+ fi
+
+ msg "Mounting rootfs read-write..."
+! mount -o remount,rw / || msg "Mounting root read-write failed, continuing with boot"
+
+ msg "Mounting all non-network filesystems..."
+ mount -a -t "nosysfs,nonfs,nonfs4,nosmbfs,nocifs" -O no_netdev || emergency_shell
+--- 64,70 ----
+ fi
+
+ msg "Mounting rootfs read-write..."
+! mount -o remount,rw / || emergency_shell
+
+ msg "Mounting all non-network filesystems..."
+ mount -a -t "nosysfs,nonfs,nonfs4,nosmbfs,nocifs" -O no_netdev || emergency_shell
diff --git a/files/.pkgs b/files/.pkgs
new file mode 100644
index 0000000..147abab
--- /dev/null
+++ b/files/.pkgs
@@ -0,0 +1,60 @@
+void-repo-multilib
+NetworkManager
+NetworkManager-openconnect
+NetworkManager-openvpn
+NetworkManager-pptp
+NetworkManager-strongswan
+acpi
+acpid
+alsa-plugins-pulseaudio
+alsa-utils
+apulse
+base-devel
+blueman
+btrfs-progs
+busybox
+cgmanager
+cryptsetup
+e2fsprogs
+ecryptfs-utils
+elogind
+encfs
+flatpak
+gnome-ssh-askpass
+gpm
+hfsprogs
+ldm
+libglvnd-32bit
+libglapi-32bit
+libgbm-32bit
+libOSMesa-32bit
+lightdm
+lightdm-gtk3-greeter
+linux
+lm_sensors
+lvm2
+mesa-32bit
+mesa-dri-32bit
+openntpd
+pax-utils
+podman
+pulseaudio
+reiser4-progs
+reiserfs-progs
+sakura
+squashfs-tools
+vsv
+wget
+wine
+wine-32bit
+wine-gecko
+wine-mono
+wine-tools
+xdg-desktop-portal-gtk
+xdg-utils
+xfce4
+xfce4-plugins
+xfs-progs
+xorg
+xtools
+xz
diff --git a/files/.svcs b/files/.svcs
new file mode 100644
index 0000000..1cc466a
--- /dev/null
+++ b/files/.svcs
@@ -0,0 +1,10 @@
+NetworkManager
+dbus
+gpm
+ldm
+openntpd
+sshd
+uuidd
+lightdm
+polkitd
+cgmanager
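Review bot: The context diff was generated with its operands reversed — the `***` header names the already-modified `03-filesystems.sh` and the `---` header names the `.orig` copy — which is why `.build` applies it with `patch -R`; when it is regenerated, run `diff -c 03-filesystems.sh.orig 03-filesystems.sh` so it applies forward and the `-R` can go. The free-text first line, `Fixes runit base scripts …`, is skipped by `patch`, but it should also say what the change gives up: the hunk replaces `|| emergency_shell` after `mount -o remount,rw /` with a log message, so a root that cannot be remounted read-write no longer stops the boot — intended per RELEASE, but worth recording so nobody "fixes" it back. The patch carries absolute `/etc/runit/...` paths, which is harmless here only because `.build` names the target file explicitly; note that in the preamble or use relative paths.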
diff --git a/files/RELEASE b/files/RELEASE
new file mode 100644
index 0000000..c1ad363
--- /dev/null
+++ b/files/RELEASE
@@ -0,0 +1,145 @@
+IR/AE v0.0.7.1
+
+Amendment: actually we're not doing that whole thing with locked down mounts
+I'm keeping the fstab around for future use, but for now that technology is not easily achievable
+
+---
+
+IR/AE v0.0.7
+
+Remember in v0.0.2 when we made ALL of /etc and /var have rw+exec+suid?
+This update reverts that behaviour, because it was a security vulnerability.
+
+Instead, we do something much more paranoid - we draw inspiration from OpenBSD's pledge syscall, but kinda in reverse.
+With pledge, you signal what behaviours you need as your program starts up, gradually dropping privs as they are no longer required.
+With the IRAE startup sequence, we start with the bare minimum of privs - root has noexec,nodev,nosuid - and then give exec/dev/suid privs where needed.
+In our case, only the directories /etc/runit,/usr/bin,/usr/lib,/usr/libexec get exec, and even then they don't get suid.
+Among the few programs that do request suid privs in a base Linux install, about a quarter get denied those privs because those programs are either outdated or have other ways to be run with modified privs.
+
+Something pledge does have that IRAE doesn't is the ability to lock the program from making any more pledge calls, stopping a potentially compromised program from modifying its privs.
+We could accomplish this by stopping the kernel from mounting ANY new filesystems, but this obviously gets in the way of day-to-day tasks like mounting USB drives, or setting up containers.
+
+I'm not sure how to address this behaviour.
+As far as I know, Linux has no way to restrict mounts to *only* a particular part of the filesystem - ideally we would only allow new mounts in /mnt and /home - which might be possible with a highly custom SELinux module but is currently too complicated for now.
+
+The other big thing we did was fully add our initrd infra - codenamed init3 to the base IRAE image.
+init3 can be found in the directory /initrd
+
+---
+
+IR/Abigail Everlasting v0.0.6 Second Edition
+
+Building a kernel and initrd required to boot the system is now considered within the scope of IRAE, expect infra in the next update
+
+Added packages:
+* pax-utils - provides the lddtree utility, which is used for our intrd infrastructure
+* busybox - general shell for initrd
+
+We REPLACED ConsoleKit2 with elogind, because CK2 hasn't been maintained since 2017
+
+---
+
+Abigail Everlasting v0.0.6 First Edition
+
+Added the following packages to a default install:
+* vsv - a simple runit service manager, similar to systemctl on systemd
+* NetworkManager-{openconnect,openvpn,strongswan,pptp} - support for VPNs in NetworkManager
+* gnome-ssh-askpass - a simple GTK askpass program, meant so that people using encfs can get a nicer password dialog
+* podman - Container manager
+
+PodMan is the big package there - it should allow unprivileged containers, opposed to a traditional chroot, which requires root privs to bind-mount appropriate filesystems and exec the chroot syscall.
+Unprivileged containers are needed because some software should not necesarilly be flatpak'ed - common command line tools, or virtual machine managers (libvirt), or software that needs suid.
+Flatpak is a wonderful application format, but not a catch-all solution.
+By leveraging podman, we can set up an unprivileged traditional package-based Linux environment while keeping the host system immutable.
+
+This release is also the first to use the 20191109 tarball
+
+---
+
+Abigail v0.0.5.9
+
+Few major changes since 0052
+Last update before 006
+
+---
+
+Abigail v0.0.5.2
+
+Added xtools for if some folx want to build Void packages
+Might use this to transition mtowards using our own custom-built pkges
+
+---
+
+Abigail v0.0.5.1
+
+Added lvm2 to pkgs because I have the big dumb
+
+---
+
+Abigail v0.0.5
+
+Refined the build system a little bit, so that /rw would be automatically created, and also (hopefully) got LightDM to work on startup
+
+---
+
+Abigail v0.0.4.9
+
+Updated version of 0.0.4
+Mostly involved adding some stuff for pulseaudio, no major changes
+
+---
+
+Abigail v0.0.4
+
+Went back to using Void as a base system, and kept the /.pkgs /.svcs files from 0.0.2
+The build process was further automated by the file /.build, and patches were added to the directory /.patches
+
+An xfce4 desktop was packaged in this release, but users are free to compile other desktops as they like
+
+The biggest change was that we reverted to using glibc over musl. musl presented some interesting challenges, and hohnestly there's not much reason to use it anyways.
+
+---
+
+Abby v0.0.3-kiss
+
+Third prototype.
+Experimented with using KISS Linux as a base instead of Void.
+Kiss retained many of the benefits of Gentoo, without the USE-based dependency hell that bootstrapping from Gentoo (which I tried originally) involved.
+Kiss was dropped due to having too few packages in its repos, and due to Flatpak failing to compile.
+
+This release was relatively insignifigant.
+
+---
+
+Abyssal Penguin v0.0.2
+
+Second prototype!
+The previous version booted fine, but NetworkManager failed to work and xorg (granted, I'm testing this on a nvidia system) would always do the black-screen-no-response-cursor thingy
+
+The build process was improved, I added the files /.pkgs and /.svcs, which describe the packages used to build the base system, and the services enabled in the base system, respectively
+As such, most of the build process consists of two bash for-loops.
+
+The file /etc/runit/core-services/03-filesystems.sh still needs fixing.
+I opened an issue with upstream Void
+
+We switched to using musl-based Void
+
+Finally, the biggest change is that the entirety of /etc and /var is now mutable.
+This was decided after I took a look at how Fedora Silverblue was doing their OS; it should hopefully result in less fuckery, and means I won't have to rebuild the rootfs every time I find /another/ directory that needs rw
+From a security standpoint, this opens up a few new theoretical attack vectors, but given that you still need root to write to /etc or /var, it shouldn't be too big a deal
+
+---
+
+Abyssal Penguin v0.0.1
+
+Prototype!
+I think I have a working rootfs now
+
+TODO: automate the build process
+
+BUILD:
+extract voidstrap tarball
+update it
+install: NetworkManager acpi acpid encfs gpm base-devel linux lm_sensors openntpd xz xorg xdm wget ecryptfs-utils btrfs-progs e2fsprogs hfsprogs reiserfs-progs reiser4-progs xfs-progs
+enable: NetworkManager acpid gpm ldm sshd openntpd xdm
+!!fix /etc/runit/core-services/03-filesystems.sh to not panic on a readonly root
diff --git a/files/do-mysql.sh b/files/do-mysql.sh
new file mode 100644
index 0000000..8fb5ae2
--- /dev/null
+++ b/files/do-mysql.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -xe
+
+DRUPAL_DB_PASSWORD="please change me"
+
+# install the mysql server
+apt install -y mariadb-server ||:
+# installation "fails" when working in a chroot
+# so we just ignore it
+# should work on a regular system, but this part can't be tested in a chroot
+
+# set up mysql with defaults
+mysql_secure_installation < /sqldefaults
+
+# add the drupal db
+mysql -u root -p -e 'CREATE DATABASE drupal CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;'
+mysql -u root -p -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupal.* TO 'drupaluser'@'localhost' IDENTIFIED BY '$DRUPAL_DB_PASSWORD';"
+
+# and have drupal do the site-install
+cd /var/www/html
+vendor/bin/drush site-install --db-url=mysql://drupaluser:$DRUPAL_DB_PASSWORD@localhost/drupal
+
+# make sure perms are right
+chown -R www-data:www-data /var/www/html
diff --git a/files/install-drupal-toolchain.sh b/files/install-drupal-toolchain.sh
new file mode 100644
index 0000000..d9d0045
--- /dev/null
+++ b/files/install-drupal-toolchain.sh
@@ -0,0 +1,16 @@
+#!/bin/bash -xe
+
+# install composer
+curl -sS https://getcomposer.org/installer | php
+mv composer.phar /usr/local/bin/composer
+
+# use composer to install drush7 and the drush launcher
+cd /var/www/html
+composer require drush/drush:8.*
+wget -O drush.phar https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar
+chmod +x drush.phar
+mv drush.phar /usr/local/bin/drush
+
+# use vendor/bin/drush to download drupal
+cd /var/www/html
+vendor/bin/drush dl drupal-7
diff --git a/files/install-packages.sh b/files/install-packages.sh
new file mode 100644
index 0000000..beea2f9
--- /dev/null
+++ b/files/install-packages.sh
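Review bot: With `#!/bin/bash -xe`, xtrace prints every expanded command to stderr, so the `GRANT … IDENTIFIED BY '$DRUPAL_DB_PASSWORD'` line and the `--db-url=mysql://drupaluser:$DRUPAL_DB_PASSWORD@…` line write the database password into whatever log captures the build; drop `-x` from the shebang, or bracket those two lines with `set +x` / `set -x`. The `--db-url` form additionally puts the password on drush's command line, where it is visible in the process list to every local user for the duration of the site install; drush can take the credentials from the site's settings file instead, which is worth checking for this drush version. `DRUPAL_DB_PASSWORD="please change me"` is a placeholder the script will happily use; make it `DRUPAL_DB_PASSWORD="${DRUPAL_DB_PASSWORD:-please change me}"` and refuse the default with `[ "$DRUPAL_DB_PASSWORD" != "please change me" ] || { echo "do-mysql.sh: set DRUPAL_DB_PASSWORD" >&2; exit 1; }`. `mysql -u root -p` with no value prompts interactively, twice, which does not fit a script the Makefile otherwise drives non-interactively right after `mysql_secure_installation < /sqldefaults` has fixed that password.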
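Review bot: `curl -sS https://getcomposer.org/installer | php` executes whatever the server returns with no integrity check, and `wget … drush-launcher/releases/latest/download/drush.phar` fetches an unpinned, unverified binary that is then placed on `PATH` as `/usr/local/bin/drush`; both are supply-chain weak points in an image build. Composer publishes the installer's SHA-384 at `https://composer.github.io/installer.sig`, so download the installer to a file, compare, and only then run it (below); for the launcher, pin a release tag instead of `latest` and check the file against a checksum recorded in this repository. The second `cd /var/www/html` is redundant, and neither `cd` states its precondition — with `-e` a missing directory aborts, which is fine, but a `mkdir -p` or an explicit check would make the assumption visible.
```shell
# install composer — fetch the installer to a file and verify it against the published SHA-384 before running it
curl -sS -o composer-setup.php https://getcomposer.org/installer
EXPECTED_SIG="$(curl -sS https://composer.github.io/installer.sig)"
ACTUAL_SIG="$(sha384sum composer-setup.php | cut -d' ' -f1)"
[ "$ACTUAL_SIG" = "$EXPECTED_SIG" ] || { echo "composer installer checksum mismatch" >&2; rm -f composer-setup.php; exit 1; }
php composer-setup.php
rm -f composer-setup.php
mv composer.phar /usr/local/bin/composer
# … unchanged: drush install, drupal download …
```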
@@ -0,0 +1,12 @@
+#!/bin/bash -xe
+
+apt update -y && apt upgrade -y
+
+# actually don't because it seems we don't need it. yet
+## add the php5 repo
+#add-apt-repository -y ppa:ondrej/php
+#apt update -y && apt upgrade -y
+
+for PKG in $(cat /pkgs); do
+ apt install -y $PKG ||: # never fail to install a package, because some packages' postinstall hooks fail when /dev /proc /run etc aren't mounted
+done
diff --git a/files/pkgs b/files/pkgs
new file mode 100644
index 0000000..8ded688
--- /dev/null
+++ b/files/pkgs
@@ -0,0 +1,11 @@
+software-properties-common
+tar
+coreutils
+curl
+unzip
+wget
+php
+php-xml
+php-zip
+php-mbstring
+mysql-utilities
diff --git a/files/pkgs5 b/files/pkgs5
new file mode 100644
index 0000000..54b43f6
--- /dev/null
+++ b/files/pkgs5
@@ -0,0 +1,11 @@
+software-properties-common
+tar
+coreutils
+curl
+unzip
+wget
+php5.6
+php5.6-xml
+php5.6-zip
+php5.6-mbstring
+mysql
diff --git a/files/sqldefaults b/files/sqldefaults
new file mode 100644
index 0000000..0e4c58b
--- /dev/null
+++ b/files/sqldefaults
@@ -0,0 +1,9 @@
+
+y
+password
+password
+y
+y
+y
+y
+y
--
2.25.1
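Review bot: `apt install -y $PKG ||:` in the loop discards every failure, not only the postinstall-hook failures the trailing comment is about, so a mistyped package name or an unreachable mirror leaves the image silently without `php` and the later scripts fail far from the cause. Keep the best-effort behaviour but record it: `apt install -y "$PKG" || FAILED="$FAILED $PKG"` in the loop, and `[ -z "$FAILED" ] || echo "install-packages.sh: failed to install:$FAILED" >&2` after `done`. The commented-out `add-apt-repository` / `apt update` pair is dead code; the explanatory comment above it can stay, the two disabled commands should go. `apt` itself warns that its CLI is not stable for scripts — `apt-get` with the same flags is the scriptable front end.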
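Review bot: This file is the scripted answer set fed to `mysql_secure_installation` by do-mysql.sh, and the two `password` lines are — assuming the prompts arrive in the order the file expects — the new MariaDB root password, so the database root password is the literal string `password` and is committed to the repository. Generate it at bootstrap time (or prompt once) and write the file with mode 0600 rather than shipping it. The file cannot carry comments since every line is an answer, so the meaning of each line belongs in a comment next to the `mysql_secure_installation < /sqldefaults` call in do-mysql.sh; that comment should also mention that newer MariaDB releases add a `unix_socket` prompt (from 10.4, as far as I recall), which shifts every answer by one line.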