scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-03 20:07:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: disable ghns by default

Browse Source
This commit is contained in:
qoijjj
2024-03-21 18:27:52 -07:00
parent f7856e7098
commit cb67ab87f6
4 changed files with 30 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
FAQ.md
View File

@@ -54,10 +54,16 @@ To use flatpak steam you need to:
- Be on a [userns](USERNS.md) variant - Be on a [userns](USERNS.md) variant
- Remove `LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so` from flatpak steam's environment variables in Flatseal - Remove `LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so` from flatpak steam's environment variables in Flatseal
#### How do I enable bluetooth kernel modules? #### Why are bluetooth kernel modules disabled? How do I enable them?
Run `ujust toggle-bluetooth-modules` Bluetooth has a long and consistent history of security issues. However, if you still need it, run `ujust toggle-bluetooth-modules`
#### Why are upgrades so large? #### Why are upgrades so large?
https://universal-blue.org/faq/?h=diff#why-does-it-download-more-changes-than-it-seems-like-it-should https://universal-blue.org/faq/?h=diff#why-does-it-download-more-changes-than-it-seems-like-it-should
#### Why can't I install new KDE themes?
The functionality that provides this, called GHNS, is disabled by default due to the risk posed by the installation of potentially damaging or malicious scripts. This has caused [real damage](https://blog.davidedmundson.co.uk/blog/kde-store-content/).
If you still want to enable this functionality, run `ujust toggle-ghns`

1
README.md
View File

@@ -39,6 +39,7 @@ Hardening applied:
- Installing chkrootkit, usbguard, and bubblejail - Installing chkrootkit, usbguard, and bubblejail
- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved - Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
- Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup> - Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup>
- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
- (Non-userns variants) Disabling unprivileged user namespaces - (Non-userns variants) Disabling unprivileged user namespaces
- (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces

2
config/files/kinoite/usr/etc/xdg/kdeglobals Normal file
View File

@@ -0,0 +1,2 @@
[KDE Action Restrictions][$i]
ghns=false

18
config/files/usr/share/ublue-os/just/60-custom.just
View File

@@ -70,3 +70,21 @@ toggle-bluetooth-modules:
sudo chmod 644 $BLUE_MOD_FILE sudo chmod 644 $BLUE_MOD_FILE
echo "Bluetooth kernel modules enabled. Reboot to take effect." echo "Bluetooth kernel modules enabled. Reboot to take effect."
fi fi
# Toggle GHNS (KDE Get New Stuff)
toggle-ghns:
#!/usr/bin/pkexec /usr/bin/bash
KDE_GLOBALS_FILE="/etc/xdg/kdeglobals"
if test -e $KDE_GLOBALS_FILE; then
if grep -q "ghns=false" "$KDE_GLOBALS_FILE"; then
sed -i "s/ghns=false/ghns=true/" "$KDE_GLOBALS_FILE"
echo "GHNS enabled."
elif grep -q "ghns=true" "$KDE_GLOBALS_FILE"; then
sed -i "s/ghns=true/ghns=false/" "$KDE_GLOBALS_FILE"
echo "GHNS disabled."
else
echo "The kdeglobals file is missing the ghns toggle."
fi
else
echo "No kdeglobals file found. Are you on kinoite?"
fi