From f559a983f725fe00bb7e23b706e4c25cd59d5593 Mon Sep 17 00:00:00 2001 From: qoijjj <129108030+qoijjj@users.noreply.github.com> Date: Thu, 30 Nov 2023 21:13:11 -0800 Subject: [PATCH] Add back yafti and include various new steps, including kernel and flatpak hardening automation --- README.md | 7 +- .../usr/share/ublue-os/firstboot/yafti.yml | 107 ++++++------------ .../usr/share/ublue-os/just/60-custom.just | 3 + config/recipe-kinoite-main.yml | 4 +- config/recipe-kinoite-nvidia.yml | 4 +- config/recipe-silverblue-main.yml | 4 +- config/recipe-silverblue-nvidia.yml | 4 +- 7 files changed, 53 insertions(+), 80 deletions(-) diff --git a/README.md b/README.md index 909420f..98e46ed 100644 --- a/README.md +++ b/README.md @@ -80,14 +80,9 @@ To rebase an existing Silverblue/Kinoite installation to the latest build: ``` systemctl reboot ``` + ### Post-install -The following command is available to append kernel boot parameters that apply additional hardening (reboot required): - -``` -just set-kargs-hardening -``` - #### Nvidia If you are using an nvidia image, run this after installation: diff --git a/config/files/usr/share/ublue-os/firstboot/yafti.yml b/config/files/usr/share/ublue-os/firstboot/yafti.yml index e063729..ebf3968 100644 --- a/config/files/usr/share/ublue-os/firstboot/yafti.yml +++ b/config/files/usr/share/ublue-os/firstboot/yafti.yml 
@@ -1,37 +1,45 @@ -title: Welcome to uBlue +title: Welcome to secureblue! properties: mode: "run-on-change" screens: first-screen: source: yafti.screen.title values: - title: "Welcome to uBlue (Alpha)" + title: "Welcome to secureblue!" icon: "/path/to/icon" description: | This guided installer will help you get started with your new system. + + can-we-harden-your-kargs: + source: yafti.screen.consent + values: + title: Kernel hardening + description: | + This step will enable additional kernel hardening. You must run this manually, since it requires sudo. Run "just set-kargs-hardening" in a terminal, then click accept. + actions: + - run: just set-kargs-hardening + + can-we-harden-your-flatpaks: + source: yafti.screen.consent + values: + title: Flatpak hardening + description: | + This step will enable hardening for installed flatpaks. + actions: + - run: flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so + can-we-modify-your-flatpaks: source: yafti.screen.consent values: - title: Welcome, Traveler! - condition: - run: flatpak remotes --columns=name | grep fedora + title: Flathub setup description: | - We have detected the limited, Fedora-provided Flatpak remote on your system, whose applications are usually missing important codecs and other features. This step will therefore remove all basic Fedora Flatpaks from your system! We will instead switch all core Flatpak applications over to the vastly superior, unfiltered Flathub. If you don't want to do this, simply exit this installer. + This step will therefore remove all basic Fedora Flatpaks from your system and replace it with Flathub's verified repository. It will also disable the system flatpaks in favor of user flatpaks. 
actions: - run: flatpak remote-delete --system --force fedora - run: flatpak remote-delete --user --force fedora - run: flatpak remove --system --noninteractive --all - - run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo - check-user-flathub: - source: yafti.screen.consent - values: - title: Missing Flathub Repository (User) - condition: - run: flatpak remotes --user --columns=name | grep flathub | wc -l | grep '^0$' - description: | - We have detected that you don't have Flathub's repository on your current user account. We will now add that repository to your account. - actions: - - run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo + - run: flatpak remote-add --if-not-exists --user --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo + applications: source: yafti.screen.package values: @@ -39,8 +47,8 @@ screens: show_terminal: true package_manager: yafti.plugin.flatpak package_manager_defaults: - user: false - system: true + user: true + system: false groups: Core GNOME Apps: description: Core system applications for the GNOME desktop environment. 
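Review bot: The kernel-hardening consent screen tells the user to run `just set-kargs-hardening` in a terminal and then runs `just set-kargs-hardening` itself as an action, so a user who follows the text gets the recipe executed twice, and with `rpm-ostree kargs --append` (the recipe body is in the 60-custom.just hunk below) every parameter is appended a second time. Either drop the `actions:` entry and keep the screen instruction-only, or keep the action and remove the "run this manually" sentence; if the action stays, switching the recipe to `rpm-ostree kargs --append-if-missing` would make repeated runs harmless. The flatpak-hardening action is a verbatim copy of the `harden-flatpak` recipe added in the same commit; `- run: just harden-flatpak` would keep a single definition, the way the kernel screen already delegates to just. The Flathub setup description still opens with "This step will therefore remove…" although the detection sentence it followed from was deleted together with the `condition:`; dropping "therefore" and saying the step now runs whenever the user accepts would read correctly.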
@@ -66,55 +74,18 @@ screens: - Text Editor: org.gnome.TextEditor - Videos (Player): org.gnome.Totem - Weather: org.gnome.Weather + + Core KDE Plasma Apps: + description: Core system applications for the KDE Plasma desktop environment. + default: false + packages: + - Gwenview: org.kde.gwenview + System Apps: description: System applications for all desktop environments. - default: false + default: true packages: - - Deja Dup Backups: org.gnome.DejaDup - - Fedora Media Writer: org.fedoraproject.MediaWriter - Flatseal (Permission Manager): com.github.tchx84.Flatseal - - Font Downloader: org.gustavoperedo.FontDownloader - - Mozilla Firefox: org.mozilla.firefox - Web Browsers: - description: Additional browsers to complement or replace Firefox. - default: false - packages: - - Brave: com.brave.Browser - - GNOME Web: org.gnome.Epiphany - - Google Chrome: com.google.Chrome - - Microsoft Edge: com.microsoft.Edge - - Opera: com.opera.Opera - Gaming: - description: "Rock and Stone!" - default: false - packages: - - Bottles: com.usebottles.bottles - - Discord: com.discordapp.Discord - - Heroic Games Launcher: com.heroicgameslauncher.hgl - - Steam: com.valvesoftware.Steam - - Gamescope (Utility): org.freedesktop.Platform.VulkanLayer.gamescope - - MangoHUD (Utility): org.freedesktop.Platform.VulkanLayer.MangoHud//22.08 - - SteamTinkerLaunch (Utility): com.valvesoftware.Steam.Utility.steamtinkerlaunch - - Proton Updater for Steam: net.davidotek.pupgui2 - Office: - description: Boost your productivity. - default: false - packages: - - LibreOffice: org.libreoffice.LibreOffice - - OnlyOffice: org.onlyoffice.desktopeditors - - Obsidian: md.obsidian.Obsidian - - Slack: com.slack.Slack - - Standard Notes: org.standardnotes.standardnotes - - Thunderbird Email: org.mozilla.Thunderbird - Streaming: - description: Stream to the Internet. 
- default: false - packages: - - OBS Studio: com.obsproject.Studio - - VkCapture for OBS: com.obsproject.Studio.OBSVkCapture - - Gstreamer for OBS: com.obsproject.Studio.Plugin.Gstreamer - - Gstreamer VAAPI for OBS: com.obsproject.Studio.Plugin.GStreamerVaapi - - Boatswain for Streamdeck: com.feaneron.Boatswain final-screen: source: yafti.screen.title @@ -122,11 +93,7 @@ screens: title: "All done!" icon: "/path/to/icon" links: - - "Install More Applications": - run: /usr/bin/gnome-software - "Website": - run: /usr/bin/xdg-open https://ublue.it - - "Join the Discord Community": - run: /usr/bin/xdg-open https://discord.gg/XjG48C7VHx + run: /usr/bin/xdg-open https://github.com/secureblue/secureblue description: | - Thanks for trying uBlue, we hope you enjoy it! + Thanks for trying secureblue, we hope you enjoy it! diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just index dae6404..989534f 100644 --- a/config/files/usr/share/ublue-os/just/60-custom.just +++ b/config/files/usr/share/ublue-os/just/60-custom.just @@ -3,3 +3,6 @@ # Add additional boot parameters for hardening (requires reboot) set-kargs-hardening: rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="efi=disable_early_pci_dma" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="nvme_core.default_ps_max_latency_us=0" --append="mitigations=auto,nosmt" + +harden-flatpak: + flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so diff --git a/config/recipe-kinoite-main.yml b/config/recipe-kinoite-main.yml index 5ac0623..3958b9b 100644 
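Review bot: The new `harden-flatpak` recipe has no comment, unlike `set-kargs-hardening` above it, and this one needs it most: `--filesystem=host-os:ro` exposes the host `/usr` read-only to every user flatpak as the price of making the preloaded library reachable, a sandbox widening the user should knowingly accept. Suggested header: `# Preload hardened_malloc into all user flatpaks; host-os:ro is required so the library is visible inside the sandbox`. The comment should also state that this is a blanket `--user` override, so an app whose runtime cannot load the preloaded library would need a per-app override to opt back out.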
--- a/config/recipe-kinoite-main.yml +++ b/config/recipe-kinoite-main.yml @@ -18,4 +18,6 @@ modules: - from-file: common-packages.yml - from-file: common-bling.yml - - from-file: common-scripts.yml \ No newline at end of file + - from-file: common-scripts.yml + + - type: yafti \ No newline at end of file diff --git a/config/recipe-kinoite-nvidia.yml b/config/recipe-kinoite-nvidia.yml index 9c1310a..f3353e4 100644 --- a/config/recipe-kinoite-nvidia.yml +++ b/config/recipe-kinoite-nvidia.yml @@ -18,4 +18,6 @@ modules: - from-file: common-packages.yml - from-file: common-bling.yml - - from-file: common-scripts.yml \ No newline at end of file + - from-file: common-scripts.yml + + - type: yafti \ No newline at end of file diff --git a/config/recipe-silverblue-main.yml b/config/recipe-silverblue-main.yml index bbcc542..5bd851a 100644 --- a/config/recipe-silverblue-main.yml +++ b/config/recipe-silverblue-main.yml @@ -18,4 +18,6 @@ modules: - from-file: common-packages.yml - from-file: common-bling.yml - - from-file: common-scripts.yml \ No newline at end of file + - from-file: common-scripts.yml + + - type: yafti \ No newline at end of file diff --git a/config/recipe-silverblue-nvidia.yml b/config/recipe-silverblue-nvidia.yml index 3ddb98d..5693ffd 100644 --- a/config/recipe-silverblue-nvidia.yml +++ b/config/recipe-silverblue-nvidia.yml @@ -18,4 +18,6 @@ modules: - from-file: common-packages.yml - from-file: common-bling.yml - - from-file: common-scripts.yml \ No newline at end of file + - from-file: common-scripts.yml + + - type: yafti \ No newline at end of file
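Review bot: The new `- type: yafti` entry in recipe-kinoite-main.yml is still written without a trailing newline (`\ No newline at end of file` remains on the new side), and the same holds for the recipe-kinoite-nvidia.yml, recipe-silverblue-main.yml and recipe-silverblue-nvidia.yml hunks; ending each file with one newline would stop every future append from rewriting the previous last line. The module is added with no options and after the `from-file` entries; presumably an earlier module copies the firstboot `config/files/usr/share/ublue-os/firstboot/yafti.yml` into the image and this ordering is what keeps the yafti module from replacing it with a default config — confirm, and record it with a short comment such as `# reads config/files/usr/share/ublue-os/firstboot/yafti.yml; keep after the file-copying modules` so the dependency is visible in all four recipes.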