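def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Normalise the kernel image location: whichever kernel flavor package
    is installed, the image ends up as ``vmlinuz`` in the system's boot
    directory.

    Args:
        location: Current generator location; its description is updated
            and it is advanced for the nested ``move`` command.
        system_context: Context of the system being generated; its
            ``boot_directory`` receives the kernel image.
        *args: Unused, accepted for interface compatibility.
        **kwargs: Unused, accepted for interface compatibility.

    Raises:
        FileNotFoundError: if no kernel image is present at the expected
            location afterwards. An explicit check is used instead of
            ``assert`` so the failure is still reported under ``python -O``.
    """
    location.set_description("Handle different kernel flavors")
    vmlinuz = os.path.join(system_context.boot_directory, "vmlinuz")

    makedirs(system_context, "/etc/mkinitcpio.d", exist_ok=True)

    # Clean up after the mkinitcpio hook: drop every flavor's image it may
    # have left under /boot.
    # NOTE(review): unlike the other helpers used here, this remove() call
    # receives no system_context — confirm the helper resolves the path
    # inside the generated system rather than on the host.
    for flavor in ("", "-hardened", "-lts", "-zen", "-git"):
        remove("/boot/vmlinuz{}".format(flavor), force=True)

    # New style linux packages that put vmlinuz into /usr/lib/modules:
    self._execute(
        location.next_line(),
        system_context,
        "move",
        "/usr/lib/modules/*/vmlinuz",
        vmlinuz,
        to_outside=True,
        ignore_missing_sources=True,
    )

    # A missing kernel image must never pass silently.
    if not os.path.isfile(vmlinuz):
        raise FileNotFoundError(
            "No kernel image found at {} after handling kernel flavors.".format(
                vmlinuz
            )
        )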
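def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Collect the installed kernel image (whatever flavor package provided
    it) as ``vmlinuz`` in the boot directory of ``system_context``.

    Args:
        location: Generator location; described and advanced for the
            nested ``move`` command.
        system_context: System being generated (``boot_directory`` is the
            destination of the image).
        *args: Unused.
        **kwargs: Unused.

    Raises:
        FileNotFoundError: if ``vmlinuz`` is not a regular file once the
            move has run. This replaces the former ``assert``, which would
            be stripped under ``-O``.
    """
    location.set_description('Handle different kernel flavors')
    target_image = os.path.join(system_context.boot_directory, 'vmlinuz')

    makedirs(system_context, '/etc/mkinitcpio.d', exist_ok=True)

    # Clean up after the mkinitcpio hook:
    # NOTE(review): the remove() call below is the only helper call in this
    # method without a system_context argument — verify that it targets the
    # generated system and not the host's /boot.
    kernel_suffixes = ('', '-hardened', '-lts', '-zen', '-git')
    for suffix in kernel_suffixes:
        remove('/boot/vmlinuz{}'.format(suffix), force=True)

    # New style linux packages that put vmlinuz into /usr/lib/modules:
    self._execute(
        location.next_line(),
        system_context,
        'move',
        '/usr/lib/modules/*/vmlinuz',
        target_image,
        to_outside=True,
        ignore_missing_sources=True,
    )

    if os.path.isfile(target_image):
        return
    raise FileNotFoundError(
        'Kernel image missing at {} after handling kernel flavors.'.format(
            target_image
        )
    )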
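def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Enable systemd-homed and install its key pair into the factory tree,
    from where a tmpfiles.d entry copies it into /var on first boot.

    Args:
        location: Generator location; described and advanced per step.
        system_context: System being generated.
        *args: ``args[0]`` is the PEM private key blob, ``args[1]`` the PEM
            public key blob; both are ``str`` and are written UTF-8 encoded.
        **kwargs: Unused.

    Raises:
        GenerateError: if fewer than two arguments are given, or a blob
            lacks the expected PEM header.
    """
    if len(args) < 2:
        raise GenerateError(
            "Expected a private and a public key blob as arguments.",
            location=location,
        )
    private_key = args[0]
    public_key = args[1]

    location.set_description("Validate keys")
    # Header check only: this does not prove the blob parses as a key, nor
    # that the public key belongs to the private one.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError(
            "Private key blob is not a private key.", location=location
        )
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError(
            "Public key blob is not a public key.", location=location
        )

    # enable the daemon (actually set up socket activation)
    location.set_description("Enableing homed service")
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "systemd-homed.service",
    )

    # Install keys into /usr:
    location.set_description("Setup keys")
    key_directory = "/usr/share/factory/var/lib/systemd/home"
    # Private material: directory 0700, files 0600, owned by root.
    makedirs(system_context, key_directory, mode=0o700)
    create_file(
        system_context,
        key_directory + "/local.private",
        private_key.encode("utf-8"),
        mode=0o600,
    )
    create_file(
        system_context,
        key_directory + "/local.public",
        public_key.encode("utf-8"),
        mode=0o600,
    )
    # Re-apply mode and ownership explicitly in case create_file honoured a
    # different umask or owner.
    chmod(system_context, 0o600, key_directory + "/*")
    chown(system_context, 0, 0, key_directory + "/*")

    # Set up copying of keys to var: the "C" line copies the factory
    # directory to /var/lib/systemd/home on first boot.
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/systemd-homed.conf",
        textwrap.dedent(
            """\
            C /var/lib/systemd/home - - - -
            """
        ).encode("utf-8"),
        mode=0o644,
    )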
def _check_or_create_directory(
    self,
    location: Location,
    system_context: SystemContext,
    directory: str,
    **kwargs: typing.Any
) -> None:
    """Ensure ``directory`` exists in the system and is a directory.

    A missing path is created with ``makedirs`` (``kwargs`` are forwarded,
    e.g. for the mode); an existing directory is left untouched.

    Raises:
        GenerateError: if the path exists but is not a directory.
    """
    if exists(system_context, directory):
        if isdir(system_context, directory):
            return
        message = (
            '"{}" needs directory "{}", but that exists and is not a directory.'
        )
        raise GenerateError(
            message.format(self.name, directory), location=location
        )
    makedirs(system_context, directory, **kwargs)
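def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Install usbguard, enable its D-Bus service and relocate its rule and
    IPC access-control files from /etc to /var/lib/usbguard.

    Args:
        location: Generator location; advanced for each nested command.
        system_context: System being generated.
        *args: Unused.
        **kwargs: Unused.
    """
    self._execute(location, system_context, 'pacman', 'usbguard')

    # Do setup:
    # enable the daemon (actually set up socket activation)
    self._execute(
        location.next_line(),
        system_context,
        'systemd_enable',
        'usbguard-dbus.service',
    )
    # rules.conf is created 0600 root-only: it is the device policy.
    create_file(
        system_context,
        '/usr/lib/tmpfiles.d/usbguard.conf',
        textwrap.dedent(
            '''\
            d /var/log/usbguard 0750 root root - -
            d /var/lib/usbguard 0750 root root - -
            d /var/lib/usbguard/IPCAccessControl.d 0755 root root - -
            f /var/lib/usbguard/rules.conf 0600 root root - -
            '''
        ).encode('utf-8'),
    )
    # Raw strings: the sed address contains "\/", which in a plain literal
    # is an invalid escape sequence (SyntaxWarning on newer Pythons). The
    # string value is unchanged.
    self._execute(
        location.next_line(),
        system_context,
        'sed',
        r'/RuleFile=\/etc/ cRuleFile=/var/lib/usbguard/rules.conf',
        '/etc/usbguard/usbguard-daemon.conf',
    )
    self._execute(
        location.next_line(),
        system_context,
        'sed',
        r'/IPCAccessControlFiles=\/etc/ cIPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d',
        '/etc/usbguard/usbguard-daemon.conf',
    )
    remove(
        system_context,
        '/etc/usbguard/rules.conf',
        '/etc/usbguard/IPCAccessControl.d',
        recursive=True,
    )

    # Fix for https://github.com/USBGuard/usbguard/issues/287
    # NOTE(review): this drop-in adds CAP_DAC_OVERRIDE to the daemon's
    # bounding set so it can write the relocated rules.conf; confirm that
    # the ReadWritePaths entry alone is not sufficient before keeping the
    # wider capability set.
    makedirs(system_context, '/usr/lib/systemd/system/usbguard.service.d')
    create_file(
        system_context,
        '/usr/lib/systemd/system/usbguard.service.d/bugfix.conf',
        textwrap.dedent(
            '''\
            [Service]
            CapabilityBoundingSet=CAP_DAC_OVERRIDE
            ReadWritePaths=-/var/lib/usbguard/rules.conf
            '''
        ).encode('utf-8'),
    )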
def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Thin wrapper: all positional and keyword arguments are forwarded
    unchanged to ``makedirs`` for ``system_context``. ``location`` is not
    used.
    """
    directories = args
    options = kwargs
    makedirs(system_context, *directories, **options)
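def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Enable systemd-homed, install its key pair into the factory tree and
    wire pam_systemd_home into the PAM stack.

    Args:
        location: Generator location; described and advanced per step.
        system_context: System being generated.
        *args: ``args[0]`` is the PEM private key blob, ``args[1]`` the PEM
            public key blob; both ``str``, written UTF-8 encoded.
        **kwargs: Unused.

    Raises:
        GenerateError: if fewer than two arguments are given, or a blob
            lacks the expected PEM header.
    """
    if len(args) < 2:
        raise GenerateError(
            "Expected a private and a public key blob as arguments.",
            location=location,
        )
    private_key = args[0]
    public_key = args[1]

    location.set_description("Validate keys")
    # Header check only; it does not verify that the blobs parse or that
    # the two keys belong together.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError(
            "Private key blob is not a private key.", location=location
        )
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError(
            "Public key blob is not a public key.", location=location
        )

    # enable the daemon (actually set up socket activation)
    location.set_description("Enableing homed service")
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "systemd-homed.service",
    )

    # Install keys into /usr:
    location.set_description("Setup keys")
    key_directory = "/usr/share/factory/var/lib/systemd/home"
    # Private material: directory 0700, files 0600, root-owned.
    makedirs(system_context, key_directory, mode=0o700)
    create_file(
        system_context,
        key_directory + "/local.private",
        private_key.encode("utf-8"),
        mode=0o600,
    )
    create_file(
        system_context,
        key_directory + "/local.public",
        public_key.encode("utf-8"),
        mode=0o600,
    )
    chmod(system_context, 0o600, key_directory + "/*")
    chown(system_context, 0, 0, key_directory + "/*")

    # Set up copying of keys to var: the factory directory is copied to
    # /var/lib/systemd/home on first boot.
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/systemd-homed.conf",
        textwrap.dedent(
            """\
            C /var/lib/systemd/home - - - -
            """
        ).encode("utf-8"),
        mode=0o644,
    )

    # Fix up pam: nss-auth tries pam_unix first, then pam_systemd_home, and
    # denies otherwise. NOTE(review): "nullok" lets accounts with an empty
    # password field authenticate via pam_unix — confirm that is intended
    # for generated systems.
    location.set_description("Setting up PAM for homed")
    create_file(
        system_context,
        "/etc/pam.d/nss-auth",
        textwrap.dedent(
            """\
            #%PAM-1.0
            auth sufficient pam_unix.so try_first_pass nullok
            auth sufficient pam_systemd_home.so
            auth required pam_deny.so
            account sufficient pam_unix.so
            account sufficient pam_systemd_home.so
            account required pam_deny.so
            password sufficient pam_unix.so try_first_pass nullok sha512 shadow
            password sufficient pam_systemd_home.so
            password required pam_deny.so
            """
        ).encode("utf-8"),
        mode=0o644,
    )
    # system-auth already exists after package installation, hence force=True.
    create_file(
        system_context,
        "/etc/pam.d/system-auth",
        textwrap.dedent(
            """\
            #%PAM-1.0
            auth substack nss-auth
            auth optional pam_permit.so
            auth required pam_env.so
            account substack nss-auth
            account optional pam_permit.so
            account required pam_time.so
            password substack nss-auth
            password optional pam_permit.so
            session required pam_limits.so
            session optional pam_systemd_home.so
            session required pam_unix.so
            session optional pam_permit.so
            """
        ).encode("utf-8"),
        mode=0o644,
        force=True,
    )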
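def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Install usbguard and move its configuration out of /etc into a
    factory tree that tmpfiles.d copies to /var/etc/usbguard on first
    boot.

    Args:
        location: Generator location; advanced for each nested command.
        system_context: System being generated.
        *args: Unused.
        **kwargs: Unused.
    """
    self._execute(location, system_context, "pacman", "usbguard")

    # Do setup:
    # enable the daemon (actually set up socket activation)
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "usbguard-dbus.service",
    )
    factory_dir = "/usr/share/factory/var/etc/usbguard"
    runtime_dir = "/var/etc/usbguard"
    daemon_conf = "/etc/usbguard/usbguard-daemon.conf"

    # The "C" line copies the factory tree to /var/etc/usbguard on boot.
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/usbguard.conf",
        textwrap.dedent(
            """\
            d /var/log/usbguard 0750 root root - -
            d /var/etc/usbguard 0750 root root - -
            C /var/etc/usbguard - - - - -
            """
        ).encode("utf-8"),
    )
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/RuleFile=\\/etc/ cRuleFile=/var/etc/usbguard/rules.conf",
        daemon_conf,
    )
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/etc/usbguard/IPCAccessControl.d",
        daemon_conf,
    )
    # Security-relevant: devices matching no rule are *allowed*. Together
    # with the empty rules.conf created below, the daemon starts in a
    # permit-everything state until rules are added.
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/ImplicitPolicyTarget=/ cImplicitPolicyTarget=allow",
        daemon_conf,
    )
    # Directory name must match the IPCAccessControlFiles= path set above
    # (it was previously created as "IPCaccessControl.d", which never
    # matched on a case-sensitive filesystem).
    makedirs(system_context, factory_dir + "/IPCAccessControl.d")
    move(
        system_context,
        daemon_conf,
        factory_dir,
    )
    create_file(
        system_context,
        factory_dir + "/rules.conf",
        b"",
        mode=0o600,
    )
    remove(
        system_context,
        "/etc/usbguard",
        recursive=True,
    )

    # Fix for https://github.com/USBGuard/usbguard/issues/287
    # The drop-in widens the bounding set with CAP_DAC_OVERRIDE, allows
    # writes to the relocated rules.conf, and resets ExecStart to point the
    # daemon at the relocated configuration.
    makedirs(system_context, "/usr/lib/systemd/system/usbguard.service.d")
    create_file(
        system_context,
        "/usr/lib/systemd/system/usbguard.service.d/bugfix.conf",
        textwrap.dedent(
            """\
            [Service]
            CapabilityBoundingSet=CAP_DAC_OVERRIDE
            ReadWritePaths=-/var/etc/usbguard/rules.conf
            ExecStart=
            ExecStart=/usr/bin/usbguard-daemon -k -c /var/etc/usbguard/usbguard-daemon.conf
            """
        ).encode("utf-8"),
    )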
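def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Enable systemd-homed, install its key pair into the factory tree and
    rewrite /etc/pam.d/system-auth so pam_systemd_home is consulted before
    pam_unix.

    Args:
        location: Generator location; described and advanced per step.
        system_context: System being generated.
        *args: ``args[0]`` is the PEM private key blob, ``args[1]`` the PEM
            public key blob; both ``str``, written UTF-8 encoded.
        **kwargs: Unused.

    Raises:
        GenerateError: if fewer than two arguments are given, or a blob
            lacks the expected PEM header.
    """
    if len(args) < 2:
        raise GenerateError(
            'Expected a private and a public key blob as arguments.',
            location=location,
        )
    private_key, public_key = args[0], args[1]

    location.set_description('Validate keys')
    # Only the PEM header is checked; the blobs are not parsed.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError(
            "Private key blob is not a private key.", location=location
        )
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError(
            "Public key blob is not a public key.", location=location
        )

    # enable the daemon (actually set up socket activation)
    location.set_description('Enableing homed service')
    self._execute(
        location.next_line(),
        system_context,
        'systemd_enable',
        'systemd-homed.service',
    )

    # Install keys into /usr:
    location.set_description('Setup keys')
    key_directory = '/usr/share/factory/var/lib/systemd/home'
    # Private material: 0700 directory, 0600 files, root-owned.
    makedirs(system_context, key_directory, mode=0o700)
    create_file(
        system_context,
        key_directory + '/local.private',
        private_key.encode('utf-8'),
        mode=0o600,
    )
    create_file(
        system_context,
        key_directory + '/local.public',
        public_key.encode('utf-8'),
        mode=0o600,
    )
    chmod(system_context, 0o600, key_directory + '/*')
    chown(system_context, 0, 0, key_directory + '/*')

    # Set up copying of keys to var: the factory tree is copied to
    # /var/lib/systemd/home on first boot.
    create_file(
        system_context,
        '/usr/lib/tmpfiles.d/systemd-homed.conf',
        textwrap.dedent(
            '''\
            C /var/lib/systemd/home - - - -
            '''
        ).encode('utf-8'),
        mode=0o644,
    )

    # Fix up pam: the "[success=1 ...]" control skips the following pam_unix
    # line when pam_systemd_home succeeds; unknown users fall through to
    # pam_unix. NOTE(review): "nullok" lets accounts with an empty password
    # field authenticate via pam_unix — confirm that is intended.
    # system-auth exists after package installation, hence force=True.
    location.set_description('Setting up PAM for homed')
    homed_control = (
        '[success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad]'
    )
    pam_system_auth = textwrap.dedent(
        '''\
        #%PAM-1.0
        auth {control} pam_systemd_home.so
        auth required pam_unix.so try_first_pass nullok
        auth optional pam_permit.so
        auth required pam_env.so
        account {control} pam_systemd_home.so
        account required pam_unix.so
        account optional pam_permit.so
        account required pam_time.so
        password {control} pam_systemd_home.so
        password required pam_unix.so try_first_pass nullok sha512 shadow
        password optional pam_permit.so
        session required pam_limits.so
        session {control} pam_systemd_home.so
        session required pam_unix.so
        session optional pam_permit.so
        '''
    ).format(control=homed_control)
    create_file(
        system_context,
        '/etc/pam.d/system-auth',
        pam_system_auth.encode('utf-8'),
        mode=0o644,
        force=True,
    )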