further tightening

2024-09-20 03:50:37 +02:00 · 2023-11-11 18:18:55 +01:00 · 2023-11-11 18:18:55 +01:00 · f1e4008cb1
commit f1e4008cb1
parent 6ae49f5c00
4 changed files with 23 additions and 27 deletions
--- a/usr/lib/archboot/cpio/hooks/base_common
+++ b/usr/lib/archboot/cpio/hooks/base_common
@ -16,8 +16,7 @@ _run ()
    _map _file /etc/{bash.bash_logout,bash.bashrc,profile,shells}
    # add kmod related config file(s)
    _file /usr/lib/depmod.d/search.conf
-    _BASIC_CONFIG="dialogrc hostname modprobe.d/modprobe.conf os-release"
-    for i in ${_BASIC_CONFIG}; do
+    for i in dialogrc hostname modprobe.d/modprobe.conf os-release; do
        _file_rename "/usr/share/archboot/base/etc/${i}" "/etc/${i}"
    done
    # add bash configuration, use color bash prompt, use color grep and ls output
--- a/usr/lib/archboot/cpio/hooks/base_common_system
+++ b/usr/lib/archboot/cpio/hooks/base_common_system
@ -16,7 +16,7 @@ usr/share/{bash-completion,dbus-1,factory,hwdata,i18n/locales,makepkg,nano,pacma
 | tar -C "${_ROOTFS}" -xpf -
    # only run on archboot container
    if grep -qw 'archboot' /etc/hostname; then
-        _map _binary locale-gen localedef
+        _map _binary locale{-gen,def}
        _map _file /etc/locale.gen /usr/share/locale/locale.alias
        # only support UTF-8
        _file /usr/share/i18n/charmaps/UTF-8.gz
@ -34,7 +34,6 @@ usr/share/{locale/{be,bg,cs,da,de,en_US,el,es,fi,fr,hu,it,lt,lv,mk,nl,nn,pl,pt,r
 var/lib/pacman/local \
 | tar -C "${_ROOTFS}" -xpf -
    fi
-    # add basic apps
    _map _binary agetty awk basename bsdtar chmod clear date dd df dir du \
                 false gawk insmod install kill killall ldconfig mktemp \
                 more od partprobe passwd pgrep pidof printf ps \
@ -60,23 +59,22 @@ protocols,request-key.conf,securetty,services}
    # fixing network support from glibc
    _map _file /usr/lib/{libnss_files.so.2,libnss_dns.so.2}
    ## add pam and shadow
-    _map _binary mkhomedir_helper pam_timestamp_check unix_chkpwd unix_update login nologin
+    _map _binary mkhomedir_helper pam_timestamp_check unix_{chkpwd,update} login nologin
    _map _file /etc/{environment,login.defs}
    # add systemd service apps
-    _map _binary mount.nfs4 umount.nfs umount.nfs4 mount.nfs loadkeys
+    _map _binary mount.nfs{,4} umount.nfs{,4} loadkeys
    # dbus files
    _map _binary dbus-{cleanup-sockets,daemon,launch,monitor,run-session,send,test-tool,\
 update-activation-environment,uuidgen} /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    # tpm2-tss files
-    _map _binary secret-tool pinentry pinentry-curses gpgme-tool gpgme-json
+    _map _binary secret-tool pinentry{,-curses} gpgme-{tool,json}
    # systemd files
-    _map _binary busctl bootctl coredumpctl hostnamectl journalctl \
-                 kernel-install localectl loginctl machinectl mount.ddi networkctl \
-                 systemctl systemd-{ac-power,analyze,ask-password,cat,cgls,cgtop,confext\
-delta,detect-virt,escape,firstboot,hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,repart\
-run,socket-activate,stdio-bridge,sysusers,tty-ask-password-agent,umount,creds,cryptenroll,dissect,id128,sysext} \
-                 timedatectl systemd- userdbctl homectl oomctl portablectl
-    _map _dir /etc/tmpfiles.d /etc/modules-load.d /etc/binfmt.d/
+    _map _binary {bus,boot,coredump,hostname,journal,locale,login,machine,network,\
+system,timedate,userdb,home,oom,portable}ctl kernel-install  mount.ddi systemd-{ac-power,\
+analyze,ask-password,cat,cgls,cgtop,confextdelta,detect-virt,escape,firstboot,hwdb,inhibit,\
+machine-id-setup,mount,notify,nspawn,path,resolve,repartrun,socket-activate,stdio-bridge,\
+sysusers,tty-ask-password-agent,umount,creds,cryptenroll,dissect,id128,sysext}
+    _map _dir /etc/tmpfiles.d /etc/modules-load.d /etc/binfmt.d
    _file_rename /usr/share/archboot/base/etc/locale.conf /etc/locale.conf
    _file_rename /usr/share/archboot/base/etc/vconsole.conf /etc/vconsole.conf
    _file_rename /usr/share/archboot/base/etc/systemd/system/systemd-user-sessions.service \
@ -118,10 +116,10 @@ linux-with-alt-and-altgr,linux-keys-bare}.inc,qwerty/us.map.gz} \
    # add swapiness sysctl config file
    _file_rename /usr/share/archboot/base/etc/sysctl.d/99-sysctl.conf /etc/sysctl.d/99-sysctl.conf
    # add pacman
-    _map _binary pacman pacman-conf pacman-key pacman-db-upgrade makepkg \
-          repo-add repo-elephant testpkg vercmp curl gpg-agent gpg \
-          gpgconf gpg-connect-agent repo-remove archlinux-keyring-wkd-sync
-    _map _dir /var/cache/pacman/pkg /var/lib/pacman
+    _map _binary pacman{,-conf,-key,-db-upgrade} makepkg \
+          repo-{add,elephant,remove} testpkg vercmp curl gpg{,-agent,conf,-connect-agent} \
+          archlinux-keyring-wkd-sync
+    _map _dir /var/{cache/pacman/pkg,lib/pacman}
    _map _file /etc/{pacman.conf,makepkg.conf,pacman.d/mirrorlist}
    # add pacman initialization of gpg keys
    _dir /etc/pacman.d/gnupg
--- a/usr/lib/archboot/cpio/hooks/base_common_system_cleanup
+++ b/usr/lib/archboot/cpio/hooks/base_common_system_cleanup
@ -11,12 +11,11 @@ _run ()
    # add created gpg keyring
    cp -ar /etc/pacman.d/gnupg /tmp/etc/pacman.d
    _install_files
-    rm /usr/bin/{login,nologin,mount.{nfs,nfs4},umount.{nfs,nfs4},loadkeys,dbus-{cleanup-sockets,daemon,\
-launch,monitor,run-session,send,test-tool,update-activation-environment,uuidgen},busctl,bootctl,coredumpctl,\
-hostnamectl,kernel-install,localectl,loginctl,machinectl,networkctl,systemd-{analyze,ask-password,cat,cgls,\
-cgtop,delta,detect-virt,escape,firstboot,hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,\
-run,umount,socket-activate,stdio-bridge,sysusers,tty-ask-password-agent,repart,creds,cryptenroll,dissect,\
-id128,sysext},timedatectl,userdbctl,homectl,oomctl,portablectl}
+    rm /usr/bin/{login,nologin,mount.nfs{,4},umount.nfs{,4},loadkeys,dbus-{cleanup-sockets,\
+daemon,launch,monitor,run-session,send,test-tool,update-activation-environment,uuidgen},\
+kernel-install,systemd-{analyze,ask-password,cat,cgls,cgtop,delta,detect-virt,escape,firstboot,\
+hwdb,inhibit,machine-id-setup,mount,notify,nspawn,path,resolve,run,umount,socket-activate,\
+stdio-bridge,sysusers,tty-ask-password-agent,repart,creds,cryptenroll,dissect,id128,sysext},\{bus,boot,coredump,locale,login,machine,network,hostname,timedate,userdb,home,oom,portable}ctl}
 }

 # vim: set ft=sh ts=4 sw=4 et:
--- a/usr/lib/archboot/cpio/hooks/base_system
+++ b/usr/lib/archboot/cpio/hooks/base_system
@ -38,9 +38,9 @@ _run ()
    # add custom locale
    [[ -e "/usr/lib/locale/locale-archive" ]] && _file /usr/lib/locale/locale-archive
    # add shadow
-    _map _binary groups chage chfn chsh expiry faillog gpasswd lastlog \
-          chgpasswd chpasswd groupadd groupdel groupmems groupmod grpck grpconv grpunconv \
-          newusers pwck pwconv pwunconv useradd userdel usermod sg getsubids
+    _map _binary groups ch{age,fn,sh} expiry {fail,last}log \
+          {chg,ch,g}passwd group{add,del,mems,mod} grp{ck,conv,unconv} \
+          newusers pw{ck,conv,unconv} user{add,del,mod} sg getsubids
    # fix licenses
    _map _file /usr/share/licenses/file/COPYING /usr/share/licenses/bzip2/LICENSE \
                 /usr/share/licenses/hdparm/LICENSE.TXT /usr/share/licenses/ncurses/COPYING \