def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
location.set_description("Handle different kernel flavors")
vmlinuz = os.path.join(system_context.boot_directory, "vmlinuz")
makedirs(system_context, "/etc/mkinitcpio.d", exist_ok=True)
# Clean up after the mkinitcpio hook:
for kernel in (
"",
"-hardened",
"-lts",
"-zen",
"-git",
):
remove("/boot/vmlinuz{}".format(kernel), force=True)
# New style linux packages that put vmlinuz into /usr/lib/modules:
self._execute(
location.next_line(),
system_context,
"move",
"/usr/lib/modules/*/vmlinuz",
vmlinuz,
to_outside=True,
ignore_missing_sources=True,
)
assert os.path.isfile(vmlinuz)
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
location.set_description('Handle different kernel flavors')
vmlinuz = os.path.join(system_context.boot_directory, 'vmlinuz')
makedirs(system_context, '/etc/mkinitcpio.d', exist_ok=True)
# Clean up after the mkinitcpio hook:
for kernel in (
'',
'-hardened',
'-lts',
'-zen',
'-git',
):
remove('/boot/vmlinuz{}'.format(kernel), force=True)
# New style linux packages that put vmlinuz into /usr/lib/modules:
self._execute(location.next_line(),
system_context,
'move',
'/usr/lib/modules/*/vmlinuz',
vmlinuz,
to_outside=True,
ignore_missing_sources=True)
assert (os.path.isfile(vmlinuz))
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
private_key = args[0]
public_key = args[1]
location.set_description("Validate keys")
if not "BEGIN PRIVATE KEY" in private_key:
raise GenerateError("Private key blob is not a private key.",
location=location)
if not "BEGIN PUBLIC KEY" in public_key:
raise GenerateError("Public key blob is not a public key.",
location=location)
# enable the daemon (actually set up socket activation)
location.set_description("Enableing homed service")
self._execute(
location.next_line(),
system_context,
"systemd_enable",
"systemd-homed.service",
)
# Install keys into /usr:
location.set_description("Setup keys")
makedirs(system_context,
"/usr/share/factory/var/lib/systemd/home",
mode=0o700)
create_file(
system_context,
"/usr/share/factory/var/lib/systemd/home/local.private",
private_key.encode("utf-8"),
mode=0o600,
)
create_file(
system_context,
"/usr/share/factory/var/lib/systemd/home/local.public",
public_key.encode("utf-8"),
mode=0o600,
)
chmod(system_context, 0o600,
"/usr/share/factory/var/lib/systemd/home/*")
chown(system_context, 0, 0,
"/usr/share/factory/var/lib/systemd/home/*")
# Set up copying of keys to var:
create_file(
system_context,
"/usr/lib/tmpfiles.d/systemd-homed.conf",
textwrap.dedent("""\
C /var/lib/systemd/home - - - -
""").encode("utf-8"),
mode=0o644,
)
def _check_or_create_directory(self, location: Location,
system_context: SystemContext,
directory: str,
**kwargs: typing.Any) -> None:
if not exists(system_context, directory):
makedirs(system_context, directory, **kwargs)
return
if not isdir(system_context, directory):
raise GenerateError(
'"{}" needs directory "{}", but that exists and is not a directory.'
.format(self.name, directory),
location=location)
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
self._execute(location, system_context, 'pacman', 'usbguard')
# Do setup:
# enable the daemon (actually set up socket activation)
self._execute(location.next_line(), system_context, 'systemd_enable',
'usbguard-dbus.service')
create_file(
system_context, '/usr/lib/tmpfiles.d/usbguard.conf',
textwrap.dedent('''\
d /var/log/usbguard 0750 root root - -
d /var/lib/usbguard 0750 root root - -
d /var/lib/usbguard/IPCAccessControl.d 0755 root root - -
f /var/lib/usbguard/rules.conf 0600 root root - -
''').encode('utf-8'))
self._execute(
location.next_line(), system_context, 'sed',
'/RuleFile=\/etc/ cRuleFile=/var/lib/usbguard/rules.conf',
'/etc/usbguard/usbguard-daemon.conf')
self._execute(
location.next_line(), system_context, 'sed',
'/IPCAccessControlFiles=\/etc/ cIPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d',
'/etc/usbguard/usbguard-daemon.conf')
remove(system_context,
'/etc/usbguard/rules.conf',
'/etc/usbguard/IPCAccessControl.d',
recursive=True)
# Fix for https://github.com/USBGuard/usbguard/issues/287
makedirs(system_context, '/usr/lib/systemd/system/usbguard.service.d')
create_file(
system_context,
'/usr/lib/systemd/system/usbguard.service.d/bugfix.conf',
textwrap.dedent('''\
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
ReadWritePaths=-/var/lib/usbguard/rules.conf
''').encode('utf-8'))
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
makedirs(system_context, *args, **kwargs)
def __call__(
self,
location: Location,
system_context: SystemContext,
*args: typing.Any,
**kwargs: typing.Any
) -> None:
"""Execute command."""
private_key = args[0]
public_key = args[1]
location.set_description("Validate keys")
if not "BEGIN PRIVATE KEY" in private_key:
raise GenerateError(
"Private key blob is not a private key.", location=location
)
if not "BEGIN PUBLIC KEY" in public_key:
raise GenerateError(
"Public key blob is not a public key.", location=location
)
# enable the daemon (actually set up socket activation)
location.set_description("Enableing homed service")
self._execute(
location.next_line(),
system_context,
"systemd_enable",
"systemd-homed.service",
)
# Install keys into /usr:
location.set_description("Setup keys")
makedirs(system_context, "/usr/share/factory/var/lib/systemd/home", mode=0o700)
create_file(
system_context,
"/usr/share/factory/var/lib/systemd/home/local.private",
private_key.encode("utf-8"),
mode=0o600,
)
create_file(
system_context,
"/usr/share/factory/var/lib/systemd/home/local.public",
public_key.encode("utf-8"),
mode=0o600,
)
chmod(system_context, 0o600, "/usr/share/factory/var/lib/systemd/home/*")
chown(system_context, 0, 0, "/usr/share/factory/var/lib/systemd/home/*")
# Set up copying of keys to var:
create_file(
system_context,
"/usr/lib/tmpfiles.d/systemd-homed.conf",
textwrap.dedent(
"""\
C /var/lib/systemd/home - - - -
"""
).encode("utf-8"),
mode=0o644,
)
# Fix up pam:
location.set_description("Setting up PAM for homed")
create_file(
system_context,
"/etc/pam.d/nss-auth",
textwrap.dedent(
"""\
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_systemd_home.so
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_systemd_home.so
account required pam_deny.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_systemd_home.so
password required pam_deny.so
"""
).encode("utf-8"),
mode=0o644,
)
create_file(
system_context,
"/etc/pam.d/system-auth",
textwrap.dedent(
"""\
#%PAM-1.0
auth substack nss-auth
auth optional pam_permit.so
auth required pam_env.so
account substack nss-auth
account optional pam_permit.so
account required pam_time.so
password substack nss-auth
password optional pam_permit.so
session required pam_limits.so
session optional pam_systemd_home.so
session required pam_unix.so
session optional pam_permit.so
"""
).encode("utf-8"),
mode=0o644,
force=True,
)
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
self._execute(location, system_context, "pacman", "usbguard")
# Do setup:
# enable the daemon (actually set up socket activation)
self._execute(
location.next_line(),
system_context,
"systemd_enable",
"usbguard-dbus.service",
)
create_file(
system_context,
"/usr/lib/tmpfiles.d/usbguard.conf",
textwrap.dedent("""\
d /var/log/usbguard 0750 root root - -
d /var/etc/usbguard 0750 root root - -
C /var/etc/usbguard - - - - -
""").encode("utf-8"),
)
self._execute(
location.next_line(),
system_context,
"sed",
"/RuleFile=\\/etc/ cRuleFile=/var/etc/usbguard/rules.conf",
"/etc/usbguard/usbguard-daemon.conf",
)
self._execute(
location.next_line(),
system_context,
"sed",
"/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/etc/usbguard/IPCAccessControl.d",
"/etc/usbguard/usbguard-daemon.conf",
)
self._execute(
location.next_line(),
system_context,
"sed",
"/ImplicitPolicyTarget=/ cImplicitPolicyTarget=allow",
"/etc/usbguard/usbguard-daemon.conf",
)
makedirs(system_context,
"/usr/share/factory/var/etc/usbguard/IPCaccessControl.d")
move(
system_context,
"/etc/usbguard/usbguard-daemon.conf",
"/usr/share/factory/var/etc/usbguard",
)
create_file(
system_context,
"/usr/share/factory/var/etc/usbguard/rules.conf",
b"",
mode=0o600,
)
remove(
system_context,
"/etc/usbguard",
recursive=True,
)
# Fix for https://github.com/USBGuard/usbguard/issues/287
makedirs(system_context, "/usr/lib/systemd/system/usbguard.service.d")
create_file(
system_context,
"/usr/lib/systemd/system/usbguard.service.d/bugfix.conf",
textwrap.dedent("""\
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE
ReadWritePaths=-/var/etc/usbguard/rules.conf
ExecStart=
ExecStart=/usr/bin/usbguard-daemon -k -c /var/etc/usbguard/usbguard-daemon.conf
""").encode("utf-8"),
)
def __call__(self, location: Location, system_context: SystemContext,
*args: typing.Any, **kwargs: typing.Any) -> None:
"""Execute command."""
private_key = args[0]
public_key = args[1]
location.set_description('Validate keys')
if not "BEGIN PRIVATE KEY" in private_key:
raise GenerateError("Private key blob is not a private key.",
location=location)
if not "BEGIN PUBLIC KEY" in public_key:
raise GenerateError("Public key blob is not a public key.",
location=location)
# enable the daemon (actually set up socket activation)
location.set_description('Enableing homed service')
self._execute(location.next_line(), system_context, 'systemd_enable',
'systemd-homed.service')
# Install keys into /usr:
location.set_description('Setup keys')
makedirs(system_context,
'/usr/share/factory/var/lib/systemd/home',
mode=0o700)
create_file(system_context,
'/usr/share/factory/var/lib/systemd/home/local.private',
private_key.encode('utf-8'),
mode=0o600)
create_file(system_context,
'/usr/share/factory/var/lib/systemd/home/local.public',
public_key.encode('utf-8'),
mode=0o600)
chmod(system_context, 0o600,
'/usr/share/factory/var/lib/systemd/home/*')
chown(system_context, 0, 0,
'/usr/share/factory/var/lib/systemd/home/*')
# Set up copying of keys to var:
create_file(system_context,
'/usr/lib/tmpfiles.d/systemd-homed.conf',
textwrap.dedent('''\
C /var/lib/systemd/home - - - -
''').encode('utf-8'),
mode=0o644)
# Fix up pam:
location.set_description('Setting up PAM for homed')
create_file(system_context,
'/etc/pam.d/system-auth',
textwrap.dedent('''\
#%PAM-1.0
auth [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
session required pam_unix.so
session optional pam_permit.so
''').encode('utf-8'),
mode=0o644,
force=True)
