remove leftover files from my IR-Bootstrap project
[eostre.git] / dbd-autobuild / files / RELEASE
IR/AE v0.0.7.1

Amendment: actually, we're not doing that whole thing with locked-down mounts.
I'm keeping the fstab around for future use, but for now that technology is not easily achievable.

---

IR/AE v0.0.7

Remember in v0.0.2 when we made ALL of /etc and /var have rw+exec+suid?
This update reverts that behaviour, because a writable /etc and /var that also allow exec and suid is a security vulnerability.

Instead, we do something much more paranoid: we draw inspiration from OpenBSD's pledge syscall, but kinda in reverse.
With pledge, you signal what behaviours you need as your program starts up, gradually dropping privs as they are no longer required.
With the IRAE startup sequence, we start with the bare minimum of privs (the root filesystem is mounted noexec,nodev,nosuid) and then give exec/dev/suid privs where needed.
In our case, only the directories /etc/runit, /usr/bin, /usr/lib and /usr/libexec get exec, and even then they don't get suid.
Among the few programs that do request suid privs in a base Linux install, about a quarter get denied those privs, because those programs are either outdated or have other ways to be run with modified privs.

Something pledge does have that IRAE doesn't is a one-way ratchet: a later pledge call can only drop promises, never add them, which stops a potentially compromised program from widening its privs.
We could accomplish this by stopping the kernel from mounting ANY new filesystems, but this obviously gets in the way of day-to-day tasks like mounting USB drives or setting up containers.

I'm not sure how to address this.
As far as I know, Linux has no way to restrict mounts to *only* a particular part of the filesystem (ideally we would only allow new mounts in /mnt and /home), which might be possible with a highly custom SELinux module but is too complicated for now.
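The mount policy above, as an added example that is not part of the IRAE build scripts: a POSIX sh audit that reads /proc/self/mountinfo (here a constructed snapshot) and reports every mount that breaks the v0.0.7 rules, plus a dry-run generator for the bind-remount sequence that would grant exec to the four directories. The exec allowlist comes from the text; the assumption that exec is granted by bind-mounting each directory onto itself is mine, and the two-step bind-then-remount is needed because a fresh bind mount inherits the source's noexec/nosuid/nodev flags. One caveat worth keeping in mind: noexec blocks execve and PROT_EXEC mappings of files on that mount, but `sh /var/tmp/x.sh` still runs, because the interpreter lives on an exec-allowed mount.

```shell
#!/bin/sh
# Added example, not from the IRAE repo: audit a mountinfo snapshot against the
# v0.0.7 policy (everything noexec,nodev,nosuid except an exec allowlist, and
# nothing on the allowlist may carry suid) and emit the bind-remount sequence
# that would grant exec to the allowlisted directories.

# Directories that are allowed exec (from the release notes); no suid anywhere.
EXEC_ALLOW="/etc/runit /usr/bin /usr/lib /usr/libexec"

# Constructed /proc/self/mountinfo-style snapshot. Field 5 is the mount point,
# field 6 the per-mount options; the rest is ignored. Two lines deliberately
# break the policy: /usr/libexec lacks nosuid and /home lacks noexec.
SAMPLE_MOUNTINFO='21 1 0:20 / / ro,nosuid,nodev,noexec - squashfs /dev/loop0 ro
22 21 0:20 /usr/bin /usr/bin ro,nosuid,nodev - squashfs /dev/loop0 ro
23 21 0:20 /usr/lib /usr/lib ro,nosuid,nodev - squashfs /dev/loop0 ro
24 21 0:20 /usr/libexec /usr/libexec ro,nodev - squashfs /dev/loop0 ro
25 21 0:20 /etc/runit /etc/runit ro,nosuid,nodev - squashfs /dev/loop0 ro
26 21 0:25 / /var rw,nosuid,nodev,noexec - ext4 /dev/sda3 rw
27 21 0:26 / /home rw,nosuid,nodev - ext4 /dev/sda4 rw
28 21 0:5 / /dev rw,nosuid,noexec - devtmpfs devtmpfs rw'

# has_opt OPTS NAME: succeed when NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# in_list ITEM WORD...: succeed when ITEM equals one of the WORDs.
in_list() {
    item=$1; shift
    for w in "$@"; do [ "$w" = "$item" ] && return 0; done
    return 1
}

# audit_mounts: read mountinfo on stdin, print one line per policy violation.
# /dev is the one mount that legitimately needs device nodes, so it is exempt
# from the nodev rule (devtmpfs must still be noexec,nosuid).
audit_mounts() {
    while read -r _id _parent _devno _root mp opts _rest; do
        [ -n "$mp" ] || continue
        if in_list "$mp" $EXEC_ALLOW; then
            has_opt "$opts" nosuid || echo "SUID-ALLOWED $mp ($opts)"
            has_opt "$opts" noexec && echo "EXEC-DENIED $mp ($opts)"
        else
            has_opt "$opts" noexec || echo "EXEC-ALLOWED $mp ($opts)"
        fi
        if [ "$mp" != /dev ]; then
            has_opt "$opts" nodev || echo "DEV-ALLOWED $mp ($opts)"
        fi
    done
}

# audit_sample: run the audit over the constructed snapshot.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | audit_mounts
}

# policy_mount_cmds: dry run of how exec would be granted. A plain bind mount
# inherits the source's noexec/nosuid/nodev, so each directory is bound onto
# itself and then remounted with the flags it should actually have.
policy_mount_cmds() {
    echo "mount -o remount,ro,nosuid,nodev,noexec /"
    for d in $EXEC_ALLOW; do
        echo "mount --bind $d $d"
        echo "mount -o remount,bind,ro,exec,nosuid,nodev $d"
    done
}
```

On a live system, `audit_mounts < /proc/self/mountinfo` prints one line per deviation from the policy and nothing when the box is clean; `policy_mount_cmds` only prints the commands, so they can be reviewed before being piped to sh as root.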

The other big thing we did was fully add our initrd infra, codenamed init3, to the base IRAE image.
init3 can be found in the directory /initrd.

---

IR/Abigail Everlasting v0.0.6 Second Edition

Building the kernel and initrd required to boot the system is now considered within the scope of IRAE; expect infra in the next update.

Added packages:
* pax-utils - provides the lddtree utility, which is used for our initrd infrastructure
* busybox - general shell for the initrd

We REPLACED ConsoleKit2 with elogind, because CK2 hasn't been maintained since 2017.

---

Abigail Everlasting v0.0.6 First Edition

Added the following packages to a default install:
* vsv - a simple runit service manager, similar to systemctl on systemd
* NetworkManager-{openconnect,openvpn,strongswan,pptp} - support for VPNs in NetworkManager
* gnome-ssh-askpass - a simple GTK askpass program, so that people using encfs get a nicer password dialog
* podman - container manager

Podman is the big package there: it should allow unprivileged containers, as opposed to a traditional chroot, which requires root privs to bind-mount the appropriate filesystems and to call the chroot syscall.
Unprivileged containers are needed because some software should not necessarily be flatpak'ed: common command-line tools, virtual machine managers (libvirt), or software that needs suid.
Flatpak is a wonderful application format, but not a catch-all solution.
By leveraging podman, we can set up an unprivileged, traditional package-based Linux environment while keeping the host system immutable.
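A prerequisite check for the rootless podman setup described above, as an added example and not something from the project: rootless containers get their extra uids and gids from /etc/subuid and /etc/subgid, and the mapping is written by the newuidmap/newgidmap helpers from shadow, which depend on their setuid bit (or file capabilities) and so become plain, useless binaries on a nosuid mount, where they can map no more than the caller's own id. The sample subuid/subgid contents and the user name are constructed; the 65536 figure is the conventional allocation size, not a hard podman requirement.

```shell
#!/bin/sh
# Added example, not from the IRAE repo: verify what rootless podman needs before
# an unprivileged user can run images that contain files owned by more than one
# uid: a subordinate uid and gid range, and working newuidmap/newgidmap.

# Constructed /etc/subuid and /etc/subgid contents, format user:start:count.
SAMPLE_SUBUID='abby:100000:65536
guest:165536:1000'
SAMPLE_SUBGID='abby:100000:65536'

# subid_count CONTENT USER: total ids delegated to USER across all its lines.
subid_count() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }'
}

# check_rootless USER SUBUID_CONTENT SUBGID_CONTENT HELPER_MOUNT_OPTS
# Prints one FAIL line per unmet prerequisite; returns 0 only if all are met.
# HELPER_MOUNT_OPTS are the options of the mount holding newuidmap/newgidmap
# (normally /usr/bin), taken from /proc/self/mountinfo on a live system.
check_rootless() {
    user=$1; subuid=$2; subgid=$3; helper_opts=$4; rc=0
    n=$(subid_count "$subuid" "$user")
    if [ "$n" -lt 65536 ]; then
        echo "FAIL subuid: $user has $n subordinate uids; the conventional allocation is 65536"
        rc=1
    fi
    n=$(subid_count "$subgid" "$user")
    if [ "$n" -lt 65536 ]; then
        echo "FAIL subgid: $user has $n subordinate gids; the conventional allocation is 65536"
        rc=1
    fi
    # newuidmap/newgidmap rely on setuid (or file capabilities, which nosuid
    # also disables) to write a multi-entry uid_map/gid_map; without that the
    # kernel accepts only a single line mapping the caller's own id.
    case ",$helper_opts," in
        *,nosuid,*)
            echo "FAIL newuidmap: helper binaries sit on a nosuid mount ($helper_opts)"
            rc=1 ;;
    esac
    return $rc
}
```

On a real host, feed it `"$(cat /etc/subuid)" "$(cat /etc/subgid)"` and the option field of the /usr/bin mount; a clean result means podman can map a full range, a FAIL on newuidmap means the v0.0.7 nosuid policy has to carve out an exception for those two helpers before rootless containers work.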

This release is also the first to use the 20191109 tarball.

---

Abigail v0.0.5.9

Few major changes since 0.0.5.2.
Last update before 0.0.6.

---

Abigail v0.0.5.2

Added xtools in case some folx want to build Void packages.
Might use this to transition towards using our own custom-built packages.

---

Abigail v0.0.5.1

Added lvm2 to pkgs because I have the big dumb.

---

Abigail v0.0.5

Refined the build system a little bit, so that /rw is automatically created, and also (hopefully) got LightDM to work on startup.

---

Abigail v0.0.4.9

Updated version of 0.0.4.
Mostly involved adding some stuff for PulseAudio; no major changes.

---

Abigail v0.0.4

Went back to using Void as a base system, and kept the /.pkgs and /.svcs files from 0.0.2.
The build process was further automated by the file /.build, and patches were added to the directory /.patches.

An xfce4 desktop was packaged in this release, but users are free to compile other desktops as they like.

The biggest change was that we reverted to using glibc over musl. musl presented some interesting challenges, and honestly there's not much reason to use it anyway.

---

Abby v0.0.3-kiss

Third prototype.
Experimented with using KISS Linux as a base instead of Void.
KISS retained many of the benefits of Gentoo, without the USE-based dependency hell that bootstrapping from Gentoo (which I tried originally) involved.
KISS was dropped due to having too few packages in its repos, and due to Flatpak failing to compile.

This release was relatively insignificant.

---

Abyssal Penguin v0.0.2

Second prototype!
The previous version booted fine, but NetworkManager failed to work and Xorg (granted, I'm testing this on an Nvidia system) would always do the black-screen-no-response-cursor thingy.

The build process was improved: I added the files /.pkgs and /.svcs, which describe the packages used to build the base system and the services enabled in it, respectively.
As such, most of the build process consists of two bash for-loops.

The file /etc/runit/core-services/03-filesystems.sh still needs fixing.
I opened an issue with upstream Void.

We switched to using musl-based Void.

Finally, the biggest change is that the entirety of /etc and /var is now mutable.
This was decided after I took a look at how Fedora Silverblue was doing their OS; it should hopefully result in less fuckery, and means I won't have to rebuild the rootfs every time I find /another/ directory that needs rw.
From a security standpoint, this opens up a few new theoretical attack vectors, but given that you still need root to write to /etc or /var, it shouldn't be too big a deal.

---

Abyssal Penguin v0.0.1

Prototype!
I think I have a working rootfs now.

TODO: automate the build process

BUILD:
extract voidstrap tarball
update it
install: NetworkManager acpi acpid encfs gpm base-devel linux lm_sensors openntpd xz xorg xdm wget ecryptfs-utils btrfs-progs e2fsprogs hfsprogs reiserfs-progs reiser4-progs xfs-progs
enable: NetworkManager acpid gpm ldm sshd openntpd xdm
!!fix /etc/runit/core-services/03-filesystems.sh to not panic on a readonly root
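The two for-loops from v0.0.2 and the install/enable steps of the v0.0.1 BUILD list, as an added example rather than the project's own /.build: a POSIX sh version that reads /.pkgs and /.svcs with comments and blank lines stripped, prints the xbps-install invocation as a dry run, and enables services the Void/runit way by symlinking /etc/sv/<name> into the target root's /etc/runit/runsvdir/default, refusing to link a service that has no directory. The temporary sample tree, the file names and the xbps-install flags are assumptions.

```shell
#!/bin/sh
# Added example, not the project's /.build: the "install everything in /.pkgs,
# enable everything in /.svcs" loops, with the package step as a dry run and
# the service step operating on a target root so it can run outside a chroot.

# read_list FILE: entries one per line, with '#' comments and blank lines dropped.
read_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# pkg_install_cmd ROOT PKGFILE: the xbps-install command for every package
# listed (flags assumed: -y yes, -r target root, -S sync repo index).
pkg_install_cmd() {
    printf 'xbps-install -y -r %s -S' "$1"
    for p in $(read_list "$2"); do printf ' %s' "$p"; done
    printf '\n'
}

# enable_services ROOT SVCFILE: link each listed service into the default
# runsvdir under ROOT. A name without an /etc/sv directory is reported and
# skipped, and the function returns 1 so the build can stop rather than boot
# with a dangling service link.
enable_services() {
    root=$1; dir=$root/etc/runit/runsvdir/default; rc=0
    mkdir -p "$dir"
    for s in $(read_list "$2"); do
        if [ -d "$root/etc/sv/$s" ]; then
            rm -f "$dir/$s"
            ln -s "/etc/sv/$s" "$dir/$s"
        else
            echo "enable_services: no /etc/sv/$s in $root" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample: constructed .pkgs/.svcs and a minimal fake root; prints its path.
make_sample() {
    t=$(mktemp -d)
    printf 'NetworkManager\nacpid # power events\n\nsshd\n' > "$t/.pkgs"
    printf 'NetworkManager\nsshd\nbogus\n' > "$t/.svcs"
    mkdir -p "$t/root/etc/sv/NetworkManager" "$t/root/etc/sv/sshd"
    echo "$t"
}
```

In a real build the target root is the extracted tarball, `pkg_install_cmd` is piped to sh after review, and `enable_services` runs against the same root once the packages (and therefore their /etc/sv directories) exist; the symlink targets are absolute paths inside the root, which is what runit expects at boot.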