chore: switch to bluebuild's justfile module with validation (#556)

files/justfiles/brew.just

@@ -17,8 +17,8 @@ install-brew:
           echo "Capitalization matters when you type \"YES I UNDERSTAND\""
         fi
     fi
-    
+
 # Removes homebrew from system
 remove-brew:
     echo "Removing homebrew ..."
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
+    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"

files/justfiles/secureblue.just

@@ -160,7 +160,7 @@ override-enable-module mod_name:
       sudo chmod 644 $MOD_FILE
       echo "Override created to enable $MOD_NAME module. Reboot to take effect."
     fi
-  
+
 # reset the override by `just override-enable-module`, i.e. disable the module again (requires restart)
 override-reset-module mod_name:
     #!/usr/bin/pkexec /usr/bin/bash
@@ -173,7 +173,6 @@ override-reset-module mod_name:
       echo "No override found for $MOD_NAME module."
     fi
 
-
 # Setup USBGuard
 setup-usbguard:
     #!/usr/bin/bash
@@ -193,7 +192,6 @@ setup-usbguard:
 rerun-yafti:
     yafti -f /usr/share/ublue-os/firstboot/yafti.yml
 
-
 # Toggle anticheat support by changing ptrace scope (requires restart)
 toggle-anticheat-support:
     #!/usr/bin/pkexec /usr/bin/bash
@@ -495,7 +493,6 @@ audit-secureblue:
         print_status "$USBGUARD_TEST_STRING" "$STATUS_FAILURE"
     fi
 
-
     CHRONYD_TEST_STRING="Ensuring chronyd is active"
     if systemctl is-active --quiet chronyd; then
         print_status "$CHRONYD_TEST_STRING" "$STATUS_SUCCESS"
@@ -620,7 +617,7 @@ audit-secureblue:
                 print_status "$remote_string" "$STATUS_SUCCESS"
             fi
         done <<< "$remotes"
-        
+
         declare -A flatpaks
         while read -r ref version; do
             flatpaks+=(["${ref}"]="${ref}//${version}")
@@ -671,4 +668,3 @@ audit-secureblue:
             done
         done
     fi
-

files/scripts/addbrewjustimport.sh

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-brewimport='import "/usr/share/ublue-os/just/50-brew.just"'
-
-if ! grep -qF "$brewimport" /usr/share/ublue-os/justfile; then
-    echo "$brewimport" >> /usr/share/ublue-os/justfile
-fi

files/scripts/addjustconfig.sh

@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
-
-# add our just config
-echo 'import "/usr/share/ublue-os/just/70-secureblue.just"' >> /usr/share/ublue-os/justfile

files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md

@@ -1,99 +0,0 @@
-## Included in set-kargs-hardening
-
-**Zero newly allocated pages and heaps, mitigating use-after-free vulnerabilities**
-
-`init_on_alloc=1` 
-
-**Fills freed pages and heaps with zeroes, mitigating use-after-free vulnerabilities**
-
-`init_on_free=1` 
-
-**Disables the merging of slabs, increasing difficulty of heap exploitation**
-
-`slab_nomerge`
-
-**Enables page allocator freelist randomization, reducing page allocation predictability**
-
-`page_alloc.shuffle=1` 
-
-**Randomize kernel stack offset on each syscall, making certain types of attacks more difficult**
-
-`randomize_kstack_offset=on` 
-
-**Disable vsyscall as it is both obsolete and enables an ROP attack vector**
-
-`vsyscall=none` 
-
-**Enable kernel lockdown in the strictest mode**
-
-`lockdown=confidentiality` 
-
-**Disable CPU-based entropy sources as it's not auditable and has resulted in vulnerabilities**
-
-`random.trust_cpu=off` 
-
-**Disable trusting the use of the a seed passed by the bootloader**
-
-`random.trust_bootloader=off`
-
-**Mitigate DMA attacks by enabling IOMMU**
-
-`iommu=force` 
-`intel_iommu=on` 
-`amd_iommu=force_isolation` 
-
-**Disable IOMMU bypass**
-
-`iommu.passthrough=0` 
-
-**Synchronously invalidate IOMMU hardware TLBs**
-
-`iommu.strict=1` 
-
-**Enable kernel page table isolation**
-
-`pti=on` 
-
-**Only allows kernel modules that have been signed with a valid key to be loaded**
-
-`module.sig_enforce=1` 
-
-**Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary.**
-
-`mitigations=auto,nosmt` 
-
-**Turn on spectre_v2 mitigations at boot time for all programs**
-
-`spectre_v2=on` 
-
-**Disable spec store bypass for all programs**
-
-`spec_store_bypass_disable=on`
-
-**Enable the mechanism to flush the L1D cache on context switch.**
-
-`l1d_flush=on`
-
-**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasn’t been updated to include the mitigation.**
-
-`gather_data_sampling=force`
-
-### Force disable simultaneous multithreading
-
-**Disables this hardware feature on user request, regardless of whether it is affected by known vulnerabilities**
-
-`nosmt=force`
-
-### Additional (unstable) kargs
-
-**Fill IOMMU protection gap by setting the busmaster bit during early boot**
-
-`efi=disable_early_pci_dma`
-
-**Disable debugfs to prevent exposure of sensitive kernel information**
-
-`debugfs=off` 
-
-**Disables support for 32-bit processes, and syscalls**
-
-`ia32_emulation=0`