From f1e4008cb1fd71014510368252fa919aa5a658c2 Mon Sep 17 00:00:00 2001 From: Tobias Powalowski Date: Sat, 11 Nov 2023 18:18:55 +0100 Subject: [PATCH] further tightening --- usr/lib/archboot/cpio/hooks/base_common | 3 +- .../archboot/cpio/hooks/base_common_system | 30 +++++++++---------- .../cpio/hooks/base_common_system_cleanup | 11 ++++--- usr/lib/archboot/cpio/hooks/base_system | 6 ++-- 4 files changed, 23 insertions(+), 27 deletions(-) diff --git a/usr/lib/archboot/cpio/hooks/base_common b/usr/lib/archboot/cpio/hooks/base_common index f814f6ef9..358daf535 100644 --- a/usr/lib/archboot/cpio/hooks/base_common +++ b/usr/lib/archboot/cpio/hooks/base_common @@ -16,8 +16,7 @@ _run () _map _file /etc/{bash.bash_logout,bash.bashrc,profile,shells} # add kmod related config file(s) _file /usr/lib/depmod.d/search.conf - _BASIC_CONFIG="dialogrc hostname modprobe.d/modprobe.conf os-release" - for i in ${_BASIC_CONFIG}; do + for i in dialogrc hostname modprobe.d/modprobe.conf os-release; do _file_rename "/usr/share/archboot/base/etc/${i}" "/etc/${i}" done # add bash configuration, use color bash prompt, use color grep and ls output diff --git a/usr/lib/archboot/cpio/hooks/base_common_system b/usr/lib/archboot/cpio/hooks/base_common_system index f0fcd0687..15f671c1d 100644 --- a/usr/lib/archboot/cpio/hooks/base_common_system +++ b/usr/lib/archboot/cpio/hooks/base_common_system @@ -16,7 +16,7 @@ usr/share/{bash-completion,dbus-1,factory,hwdata,i18n/locales,makepkg,nano,pacma | tar -C "${_ROOTFS}" -xpf - # only run on archboot container if grep -qw 'archboot' /etc/hostname; then - _map _binary locale-gen localedef + _map _binary locale{-gen,def} _map _file /etc/locale.gen /usr/share/locale/locale.alias # only support UTF-8 _file /usr/share/i18n/charmaps/UTF-8.gz 
@@ -34,7 +34,6 @@ usr/share/{locale/{be,bg,cs,da,de,en_US,el,es,fi,fr,hu,it,lt,lv,mk,nl,nn,pl,pt,r var/lib/pacman/local \ | tar -C "${_ROOTFS}" -xpf - fi - # add basic apps _map _binary agetty awk basename bsdtar chmod clear date dd df dir du \ false gawk insmod install kill killall ldconfig mktemp \ more od partprobe passwd pgrep pidof printf ps \ 
@@ -60,23 +59,22 @@ protocols,request-key.conf,securetty,services} # fixing network support from glibc _map _file /usr/lib/{libnss_files.so.2,libnss_dns.so.2} ## add pam and shadow - _map _binary mkhomedir_helper pam_timestamp_check unix_chkpwd unix_update login nologin + _map _binary mkhomedir_helper pam_timestamp_check unix_{chkpwd,update} login nologin _map _file /etc/{environment,login.defs} # add systemd service apps - _map _binary mount.nfs4 umount.nfs umount.nfs4 mount.nfs loadkeys + _map _binary mount.nfs{,4} umount.nfs{,4} loadkeys # dbus files _map _binary dbus-{cleanup-sockets,daemon,launch,monitor,run-session,send,test-tool,\ update-activation-environment,uuidgen} /usr/lib/dbus-1.0/dbus-daemon-launch-helper # tpm2-tss files - _map _binary secret-tool pinentry pinentry-curses gpgme-tool gpgme-json + _map _binary secret-tool pinentry{,-curses} gpgme-{tool,json} # systemd files - _map _binary busctl bootctl coredumpctl hostnamectl journalctl \ - kernel-install localectl loginctl machinectl mount.ddi networkctl \ - systemctl systemd-{ac-power,analyze,ask-password,cat,cgls,cgtop,confext\ -delta,detect-virt,escape,firstboot,hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,repart\ -run,socket-activate,stdio-bridge,sysusers,tty-ask-password-agent,umount,creds,cryptenroll,dissect,id128,sysext} \ - timedatectl systemd- userdbctl homectl oomctl portablectl - _map _dir /etc/tmpfiles.d /etc/modules-load.d /etc/binfmt.d/ + _map _binary {bus,boot,coredump,hostname,journal,locale,login,machine,network,\ +system,timedate,userdb,home,oom,portable}ctl kernel-install mount.ddi systemd-{ac-power,\ +analyze,ask-password,cat,cgls,cgtop,confextdelta,detect-virt,escape,firstboot,hwdb,inhibit,\ +machine-id-setup,mount,notify,nspawn,path,resolve,repartrun,socket-activate,stdio-bridge,\ +sysusers,tty-ask-password-agent,umount,creds,cryptenroll,dissect,id128,sysext} + _map _dir /etc/tmpfiles.d /etc/modules-load.d /etc/binfmt.d _file_rename 
/usr/share/archboot/base/etc/locale.conf /etc/locale.conf _file_rename /usr/share/archboot/base/etc/vconsole.conf /etc/vconsole.conf _file_rename /usr/share/archboot/base/etc/systemd/system/systemd-user-sessions.service \ @@ -118,10 +116,10 @@ linux-with-alt-and-altgr,linux-keys-bare}.inc,qwerty/us.map.gz} \ # add swapiness sysctl config file _file_rename /usr/share/archboot/base/etc/sysctl.d/99-sysctl.conf /etc/sysctl.d/99-sysctl.conf # add pacman - _map _binary pacman pacman-conf pacman-key pacman-db-upgrade makepkg \ - repo-add repo-elephant testpkg vercmp curl gpg-agent gpg \ - gpgconf gpg-connect-agent repo-remove archlinux-keyring-wkd-sync - _map _dir /var/cache/pacman/pkg /var/lib/pacman + _map _binary pacman{,-conf,-key,-db-upgrade} makepkg \ + repo-{add,elephant,remove} testpkg vercmp curl gpg{,-agent,conf,-connect-agent} \ + archlinux-keyring-wkd-sync + _map _dir /var/{cache/pacman/pkg,lib/pacman} _map _file /etc/{pacman.conf,makepkg.conf,pacman.d/mirrorlist} # add pacman initialization of gpg keys _dir /etc/pacman.d/gnupg diff --git a/usr/lib/archboot/cpio/hooks/base_common_system_cleanup b/usr/lib/archboot/cpio/hooks/base_common_system_cleanup index a68d41745..4ef797b78 100644 --- a/usr/lib/archboot/cpio/hooks/base_common_system_cleanup +++ b/usr/lib/archboot/cpio/hooks/base_common_system_cleanup 
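Review bot: Two commas appear to be missing in the new `systemd-{…}` list: `cgtop,confextdelta,detect-virt` and `resolve,repartrun,socket-activate` expand to `systemd-confextdelta` and `systemd-repartrun`. The removed lines had the same join (`confext\` followed by `delta`, `repart\` followed by `run`), so the rewrite carries it over, but the `rm` list in base_common_system_cleanup names `delta`, `run` and `repart` separately, which suggests that distinct tools were intended. I would write `cgtop,confext,delta,detect-virt` and `resolve,repart,run,socket-activate`. How `_binary` reacts to a name it cannot resolve is not visible in this hunk (`_run` starts and ends outside it); if it only warns, the image is built without those tools and nothing flags it.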
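Review bot: Style: after this rewrite, names such as `gpg-agent`, `gpgconf` and `pacman-key` no longer occur literally in the hook, so a grep for a binary cannot tell you whether the image ships it. The same applies to the `ch{age,fn,sh}` and `{chg,ch,g}passwd` line in the base_system hunk. For the package-signing and account tools I would keep the names spelled out, or add a comment above the call listing the expansion, e.g. `# gpg gpg-agent gpgconf gpg-connect-agent`. The expansions themselves match the removed lists as far as I can check.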
@@ -11,12 +11,11 @@ _run () # add created gpg keyring cp -ar /etc/pacman.d/gnupg /tmp/etc/pacman.d _install_files - rm /usr/bin/{login,nologin,mount.{nfs,nfs4},umount.{nfs,nfs4},loadkeys,dbus-{cleanup-sockets,daemon,\ -launch,monitor,run-session,send,test-tool,update-activation-environment,uuidgen},busctl,bootctl,coredumpctl,\ -hostnamectl,kernel-install,localectl,loginctl,machinectl,networkctl,systemd-{analyze,ask-password,cat,cgls,\ -cgtop,delta,detect-virt,escape,firstboot,hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,\ -run,umount,socket-activate,stdio-bridge,sysusers,tty-ask-password-agent,repart,creds,cryptenroll,dissect,\ -id128,sysext},timedatectl,userdbctl,homectl,oomctl,portablectl} + rm /usr/bin/{login,nologin,mount.nfs{,4},umount.nfs{,4},loadkeys,dbus-{cleanup-sockets,\ +daemon,launch,monitor,run-session,send,test-tool,update-activation-environment,uuidgen},\ +kernel-install,systemd-{analyze,ask-password,cat,cgls,cgtop,delta,detect-virt,escape,firstboot,\ +hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,run,umount,socket-activate,\ +stdio-bridge,sysusers,tty-ask-password-agent,repart,creds,cryptenroll,dissect,id128,sysext},\{bus,boot,coredump,locale,login,machine,network,hostname,timedate,userdb,home,oom,portable}ctl} } # vim: set ft=sh ts=4 sw=4 et: diff --git a/usr/lib/archboot/cpio/hooks/base_system b/usr/lib/archboot/cpio/hooks/base_system index 89ec8cb3f..07f14472e 100644 --- a/usr/lib/archboot/cpio/hooks/base_system +++ b/usr/lib/archboot/cpio/hooks/base_system 
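Review bot: The last added line contains `sysext},\{bus,boot,…,portable}ctl}`, and the backslash before `{` quotes that brace, so bash does not treat it as the start of a nested group. The `}` after `portable` then closes the outer `/usr/bin/{` and `ctl}` becomes a literal suffix on every word, giving paths like `/usr/bin/loginctl}`, so `rm` would match none of the intended files and leave them all in place. The hunk header counts five added lines, so the backslash is not a line continuation. Drop it, `sysext},{bus,boot,coredump,…,portable}ctl}`, and confirm the expansion with `echo` before relying on the `rm`.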
@@ -38,9 +38,9 @@ _run () # add custom locale [[ -e "/usr/lib/locale/locale-archive" ]] && _file /usr/lib/locale/locale-archive # add shadow - _map _binary groups chage chfn chsh expiry faillog gpasswd lastlog \ - chgpasswd chpasswd groupadd groupdel groupmems groupmod grpck grpconv grpunconv \ - newusers pwck pwconv pwunconv useradd userdel usermod sg getsubids + _map _binary groups ch{age,fn,sh} expiry {fail,last}log \ + {chg,ch,g}passwd group{add,del,mems,mod} grp{ck,conv,unconv} \ + newusers pw{ck,conv,unconv} user{add,del,mod} sg getsubids # fix licenses _map _file /usr/share/licenses/file/COPYING /usr/share/licenses/bzip2/LICENSE \ /usr/share/licenses/hdparm/LICENSE.TXT /usr/share/licenses/ncurses/COPYING \