qoijjj
ec4fd2bfe8
chore: chromium documentation and flag additions
2024-06-25 17:24:23 -07:00
qoijjj
408f7d7f51
feat: add build-container-installer signing
2024-06-21 09:14:22 -07:00
qoijjj
2e2725346b
chore: remove redundant fb blacklists already blacklisted by fedora
2024-06-19 11:19:49 -07:00
qoijjj
4b21d959e8
feat: add additional filesystems to the blacklist (#292)
2024-06-19 11:05:04 -07:00
Tommy
456cac1804
Blacklist reiserfs (#290)
...
No one will fix it anytime soon
2024-06-18 11:49:11 -07:00
qoijjj
c38d505e24
fix: use sigstore attachments for davincibox
2024-06-17 00:45:12 -07:00
qoijjj
791f8846bb
feat: add davincibox container signing policy
2024-06-17 00:12:53 -07:00
Tommy
91b823b195
Use /bin/false everywhere in kernel module blacklist (#288)
...
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-16 20:51:20 -07:00
friendly-rabbit-35
062237545e
fix: remove Chromium policies that are deprecated and not applicable (#286)
...
* Remove deprecated and inapplicable Chromium policies
* Remove mentions of deleted Chromium policies from docs
2024-06-15 23:02:42 -07:00
qoijjj
fb98c74e4e
docs: update based on latest policy
2024-06-11 19:07:55 -07:00
qoijjj
8a74542573
chore: remove policies for whom the default setting requires user consent
...
For parity with Vanadium
2024-06-11 18:02:31 -07:00
qoijjj
8fed632ba8
docs: fix broken link
2024-06-10 22:13:54 -07:00
Tommy
cfe7314af1
Disable fs.binfmt_misc.status (#282)
2024-06-08 18:02:50 -07:00
qoijjj
df2daf1736
chore: drop swappiness sysctl in favor of the default
...
Fedora uses zram so this adds no benefit unless the user manually created a swapfile. In that case the user can manually set this if desired.
2024-06-04 08:53:52 -07:00
qoijjj
3cc114c80a
chore: add additional modules to blacklist
2024-06-02 21:43:57 -07:00
qoijjj
c283e2677d
chore: document module blacklist and fix typos
2024-06-02 21:36:42 -07:00
qoijjj
87ad303f5d
chore: fix tabs/spaces
2024-06-02 14:18:12 -07:00
qoijjj
b897d2a87f
docs: add details for new chromium flags
2024-06-02 13:38:04 -07:00
qoijjj
44b433ff9d
feat: audio and network sandboxes in chromium policies
2024-06-02 13:35:32 -07:00
qoijjj
4ec0bb93b7
feat: move chromium flags to a script to append to upstream
2024-05-28 10:06:24 -07:00
qoijjj
83da62112d
docs: minor clarification
2024-05-24 00:24:25 -07:00
qoijjj
fcad88df91
docs: update vanadium comparison
2024-05-22 23:05:45 -07:00
qoijjj
d3f6ae206e
feat: set distrobox/toolbox to default to signed images (#280)
2024-05-18 15:08:52 -07:00
qoijjj
eb9f173fb1
docs: pull in latest vanadium changes
2024-05-12 20:01:37 -07:00
qoijjj
c2d6c72556
docs: another whitespace fix
2024-05-07 18:01:20 +02:00
qoijjj
c3ab4e8107
docs: fix whitespace
2024-05-07 18:00:45 +02:00
qoijjj
9102eb4bfa
docs: correct vanadium comparison
2024-05-07 17:59:09 +02:00
qoijjj
828cc318b6
docs: pull latest vanadium patches for comparison
2024-05-07 17:57:36 +02:00
qoijjj
656bf9b5e2
feat: disable chromium internal pdf viewer
2024-04-19 16:22:38 -07:00
qoijjj
a86a3b7a02
feat: add additional chromium hardening based on vanadium
2024-04-17 22:53:33 -07:00
qoijjj
23020bab4e
docs: update vanadium comparison readme
2024-04-17 22:28:05 -07:00
qoijjj
e1f6b5ba9f
feat: add additional chromium policy hardening and drop chkrootkit as its false positives make it low-utility
2024-03-31 06:32:39 +00:00
qoijjj
d3f2ba5d2e
docs: fix broken links to the fedora chromium spec
2024-03-28 17:43:15 +00:00
qoijjj
8712beeb44
docs: add additional chromium documentation and fix existing documentation
2024-03-28 17:39:04 +00:00
qoijjj
67e114ce4b
fix: sudo timeout to 1min instead of 0min
2024-03-22 13:30:15 -07:00
qoijjj
e53449e86e
docs: fix broken markdown table
2024-03-20 17:47:03 -07:00
qoijjj
476252c130
chore: additional chromium improvements
2024-03-18 19:49:58 -07:00
qoijjj
b9f4abc3b8
feat: add chromium VAAPI flags
2024-03-18 19:11:41 -07:00
qoijjj
6732e2caa8
chore: remove unnecessary quotes
2024-03-18 18:46:03 -07:00
qoijjj
09032c19b0
docs: pull in new patch details from Vanadium
2024-03-18 15:53:20 -07:00
qoijjj
be9f5a54d4
docs: readability improvements
2024-03-18 15:01:22 -07:00
qoijjj
e53fac6fec
feat: additional chromium hardening
2024-03-18 14:54:17 -07:00
fiftydinar
efba15919d
fix: Assure that "disabling CoreDump tweak" is applied correctly (#241)
...
* fix: Assure that "disabling CoreDump tweak" is applied correctly
Since Fedora uses systemd, we need to make this change too, else it won't be applied throughout the system, but only in SSH/TTY sessions.
Bluefin had the same issue with open-file limits tweak here:
https://github.com/ublue-os/bluefin/pull/988
I usually put those config overrides to `/usr/lib`, but I will put them in `/usr/etc` to comply with the project's structure.
As far as I look, this is the only tweak which needs this systemd conf change.
* fix: Assure that "disabling CoreDump tweak" is applied correctly
Since Fedora uses systemd, we need to make this change too, else it won't be applied throughout the system, but only in SSH/TTY sessions.
Bluefin had the same issue with open-file limits tweak here:
https://github.com/ublue-os/bluefin/pull/988
I usually put those config overrides to `/usr/lib`, but I will put them in `/usr/etc` to comply with the project's structure.
As far as I look, this is the only tweak which needs this systemd conf change.
Signed-off-by: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
---------
Signed-off-by: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
2024-03-15 12:36:20 -07:00
qoijjj
83ad8d1377
improve: move upower workaround to scripts
2024-03-13 12:48:58 -07:00
qoijjj
a15fe0bc1c
docs: fix link to JIT setting
2024-03-10 00:31:03 -08:00
qoijjj
e485ec92eb
fix: revert one of the previous changes as it has no change from the default
2024-03-04 11:45:23 -08:00
qoijjj
073c40b456
improve: add additional chromium hardening policies
2024-03-04 10:14:54 -08:00
qoijjj
932a68d334
docs: additional update to reflect new upstream patches
2024-02-27 17:21:18 -08:00
qoijjj
d4b973a8ce
docs: update to reflect additional chromium patches
2024-02-27 17:16:24 -08:00
qoijjj
00d9871e70
chore: update chromium switches to match upstream JIT changes
2024-02-22 22:39:11 -08:00