mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-06 21:37:51 +00:00
30 lines
576 B
Bash
30 lines
576 B
Bash
#!/usr/bin/env bash
|
|
|
|
# Tell build process to exit if there are any errors.
|
|
set -oue pipefail
|
|
|
|
echo "
|
|
|
|
# Disables user namespaces
|
|
# DO NOT REMOVE
|
|
# https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
|
|
user.max_user_namespaces = 0
|
|
kernel.unprivileged_userns_clone = 0
|
|
|
|
" >> /usr/etc/sysctl.d/hardening.conf
|
|
|
|
mkdir -p /usr/etc/systemd/system/upower.service.d/
|
|
|
|
echo "
|
|
|
|
[Service]
|
|
# Namespaces
|
|
PrivateUsers=no
|
|
RestrictNamespaces=no
|
|
|
|
" >> /usr/etc/systemd/system/upower.service.d/namespaces.conf
|
|
|
|
chown root:root /usr/bin/bwrap
|
|
chmod u+s /usr/bin/bwrap
|
|
|