scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-03 20:07:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c1a6df74e661ac294fa50026d7ebef9b0fa8ce7b
secureblue/files/scripts/disableuserns.sh

66 lines
1.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
echo "
# Disables user namespaces
# DO NOT REMOVE
# https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
user.max_user_namespaces = 0
" >> /etc/sysctl.d/hardening.conf
mkdir -p /etc/systemd/system/upower.service.d/
echo "
[Service]
# Namespaces
PrivateUsers=no
" >> /etc/systemd/system/upower.service.d/namespaces.conf
mkdir -p /etc/systemd/system/colord.service.d/
echo "
[Service]
# Namespaces
PrivateUsers=no
" >> /etc/systemd/system/colord.service.d/namespaces.conf
chown root:root /usr/bin/bwrap
chmod u+s /usr/bin/bwrap
# https://bugzilla.redhat.com/show_bug.cgi?id=2300183
echo "
module chrome_sandbox 1.0;
require {
type chrome_sandbox_home_t;
type chrome_sandbox_t;
class file map;
}
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t chrome_sandbox_home_t:file map;
" > chrome_sandbox.te
checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
semodule -i chrome_sandbox.pp
rm chrome_sandbox.te
rm chrome_sandbox.mod
rm chrome_sandbox.pp
Reference in New Issue View Git Blame Copy Permalink