Fixing permission error

bootstrap.d/11-apt.sh

@@ -16,7 +16,11 @@ install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
 
 # Use specified APT server and release
 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+if [ "$RELEASE" = "bullseye" ] || [ "$RELEASE" = "testing" ] ; then
+sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
+else
 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
+fi
 
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update

bootstrap.d/13-kernel.sh

@@ -52,6 +52,10 @@ if [ "$BUILD_KERNEL" = true ] ; then
   if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
     KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
   fi
+
+  if [ "$ENABLE_QEMU" = true ] && [ "$KERNEL_ARCH" = arm64 ]; then
+  cp "${KERNEL_DIR}"/arch/arm/configs/vexpress_defconfig "${KERNEL_DIR}"/arch/arm64/configs/
+  fi
 
   # Configure and build kernel
   if [ "$KERNELSRC_PREBUILT" = false ] ; then
@@ -98,7 +102,7 @@ if [ "$BUILD_KERNEL" = true ] ; then
       #Switch to KERNELSRC_DIR so we can use set_kernel_config
       cd "${KERNEL_DIR}" || exit
 
-	  if [ "$KERNEL_ARCH" = arm64 ] ; then
+	  if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
 	    #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
 	    # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
 	    set_kernel_config CONFIG_MMC_BCM2835 n
@@ -110,21 +114,23 @@ if [ "$BUILD_KERNEL" = true ] ; then
 	    set_kernel_config CONFIG_IPVLAN m
 	  fi
 
-	  # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
+      # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
       if [ "$KERNEL_ZSWAP" = true ] ; then
         set_kernel_config CONFIG_ZPOOL y
         set_kernel_config CONFIG_ZSWAP y
         set_kernel_config CONFIG_ZBUD y
         set_kernel_config CONFIG_Z3FOLD y
         set_kernel_config CONFIG_ZSMALLOC y
         set_kernel_config CONFIG_PGTABLE_MAPPING y
-		set_kernel_config CONFIG_LZO_COMPRESS y
+	set_kernel_config CONFIG_LZO_COMPRESS y
 
 	  fi
 
       # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
-	  if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
-		set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
+      if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
+      	set_kernel_config CONFIG_SLAB_FREELIST_RANDOM=y
+	set_kernel_config CONFIG_SLAB_FREELIST_HARDENED=y
+	set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
         set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
         set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
         set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
@@ -142,18 +148,17 @@ if [ "$BUILD_KERNEL" = true ] ; then
         set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
         set_kernel_config CONFIG_VHOST_NET m
         set_kernel_config CONFIG_VIRTUALIZATION y
-
-		set_kernel_config CONFIG_MMU_NOTIFIER y
-
-		# erratum
-		set_kernel_config ARM64_ERRATUM_834220 y
-
-		# https://sourceforge.net/p/kvm/mailman/message/18440797/
-		set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
-	  fi
+	set_kernel_config CONFIG_MMU_NOTIFIER y
+
+	# erratum
+	set_kernel_config ARM64_ERRATUM_834220 y
+
+	# https://sourceforge.net/p/kvm/mailman/message/18440797/
+	set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
+      fi
 
       # enable apparmor,integrity audit,
-	  if [ "$KERNEL_SECURITY" = true ] ; then
+      if [ "$KERNEL_SECURITY" = true ] ; then
 
         # security filesystem, security models and audit
         set_kernel_config CONFIG_SECURITYFS y
@@ -211,12 +216,11 @@ if [ "$BUILD_KERNEL" = true ] ; then
         set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
         set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
         set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
-        set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
         set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
         set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
         set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
-		set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
-		set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
+	set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
+	set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
 
         set_kernel_config CONFIG_ARM64_CRYPTO y
         set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
@@ -326,11 +330,11 @@ if [ "$BUILD_KERNEL" = true ] ; then
         set_kernel_config CONFIG_NF_LOG_IPV6 m
         set_kernel_config CONFIG_NF_NAT_IPV4 m
         set_kernel_config CONFIG_NF_NAT_IPV6 m
-        set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
-        set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
+        set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 y
+        set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 y
         set_kernel_config CONFIG_NF_NAT_PPTP m
         set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
-        set_kernel_config CONFIG_NF_NAT_REDIRECT m
+        set_kernel_config CONFIG_NF_NAT_REDIRECT y
         set_kernel_config CONFIG_NF_NAT_SIP m
         set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
         set_kernel_config CONFIG_NF_NAT_TFTP m
@@ -340,16 +344,32 @@ if [ "$BUILD_KERNEL" = true ] ; then
         set_kernel_config CONFIG_NF_TABLES_ARP m
         set_kernel_config CONFIG_NF_TABLES_BRIDGE m
         set_kernel_config CONFIG_NF_TABLES_INET m
-        set_kernel_config CONFIG_NF_TABLES_IPV4 m
-        set_kernel_config CONFIG_NF_TABLES_IPV6 m
+        set_kernel_config CONFIG_NF_TABLES_IPV4 y
+        set_kernel_config CONFIG_NF_TABLES_IPV6 y
         set_kernel_config CONFIG_NF_TABLES_NETDEV m
+	set_kernel_config CONFIG_NF_TABLES_SET m
+	set_kernel_config CONFIG_NF_TABLES_INET y
+	set_kernel_config CONFIG_NF_TABLES_NETDEV y
+	set_kernel_config CONFIG_NFT_CONNLIMIT m
+	set_kernel_config CONFIG_NFT_TUNNEL m
+	set_kernel_config CONFIG_NFT_SOCKET m
+	set_kernel_config CONFIG_NFT_TPROXY m
+	set_kernel_config CONFIG_NF_FLOW_TABLE m
+	set_kernel_config CONFIG_NFT_FLOW_OFFLOAD m
+	set_kernel_config CONFIG_NF_FLOW_TABLE_INET m
+	set_kernel_config CONFIG_NF_TABLES_ARP y
+	set_kernel_config CONFIG_NF_FLOW_TABLE_IPV4 y
+	set_kernel_config CONFIG_NF_FLOW_TABLE_IPV6 y
+	set_kernel_config CONFIG_NF_TABLES_BRIDGE y
+	set_kernel_config CONFIG_NF_CT_NETLINK_TIMEOUT m
+	set_kernel_config CONFIG_NFT_OSF m
       fi
 
 	  # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
 	  if [ "$KERNEL_BPF" = true ] ; then
-        set_kernel_config CONFIG_BPF_SYSCALL y
-		set_kernel_config CONFIG_BPF_EVENTS y
-		set_kernel_config CONFIG_BPF_STREAM_PARSER y
+            set_kernel_config CONFIG_BPF_SYSCALL y
+	    set_kernel_config CONFIG_BPF_EVENTS y
+	    set_kernel_config CONFIG_BPF_STREAM_PARSER y
 	    set_kernel_config CONFIG_CGROUP_BPF y
 	  fi
 
@@ -537,19 +557,27 @@ if [ "$BUILD_KERNEL" = true ] ; then
   fi
 
 else # BUILD_KERNEL=false
-  if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
-
-	# Use Sakakis modified kernel if ZSWAP is active
-    if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
-	  RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
-	fi
+  if [ "$SET_ARCH" = 64 ] ; then
+    if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
+	  # Use Sakakis modified kernel if ZSWAP is active
+      if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
+	    RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
+	  fi
 
-    # Create temporary directory for dl
-    temp_dir=$(as_nobody mktemp -d)
+      # Create temporary directory for dl
+      temp_dir=$(as_nobody mktemp -d)
 
-    # Fetch kernel dl
-    as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" 
+      # Fetch kernel dl
+      as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL" 
+    fi
+    if [ "$SET_ARCH" = 64 ] && [ "$RPI_MODEL" = 4 ] ; then
+      # Create temporary directory for dl
+      temp_dir=$(as_nobody mktemp -d)
 
+      # Fetch kernel dl
+      as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI4_64_KERNEL_URL" 
+    fi
+
     #extract download
     tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
 
@@ -566,15 +594,15 @@ else # BUILD_KERNEL=false
     chown -R root:root "${R}/lib/modules"
   fi
 
-  # Install Kernel from hypriot comptabile with all Raspberry PI
-  if [ "$SET_ARCH" = 32 ] ; then
+  # Install Kernel from hypriot comptabile with all Raspberry PI (dunno if its compatible with RPI4 - better compile your own kernel)
+  if [ "$SET_ARCH" = 32 ] && [ "$RPI_MODEL" != 4 ] ; then
     # Create temporary directory for dl
     temp_dir=$(as_nobody mktemp -d)
 
     # Fetch kernel
     as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
 
-    # Copy downloaded U-Boot sources
+    # Copy downloaded kernel package
     mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
 
     # Set permissions

bootstrap.d/15-rpi-config.sh

@@ -112,7 +112,7 @@ if [ "$ENABLE_TURBO" = true ] ; then
   echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
 fi
 
-if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
+if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ]; then
 
   # Bluetooth enabled
   if [ "$ENABLE_BLUETOOTH" = true ] ; then
@@ -126,8 +126,8 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
     mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
 
     # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
-    as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
-    as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
+    wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
+    wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
 
     # Set permissions
     chown -R root:root "${R}/tmp/pi-bluetooth"

bootstrap.d/20-networking.sh

@@ -106,7 +106,7 @@ if [ "$ENABLE_WIRELESS" = true ] ; then
   temp_dir=$(as_nobody mktemp -d)
 
   # Fetch firmware binary blob for RPI3B+
-  if [ "$RPI_MODEL" = 3P ] ; then
+  if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
     # Fetch firmware binary blob for RPi3P
     as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
     as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"

bootstrap.d/43-videocore.sh

@@ -34,11 +34,11 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then
   cd "${R}"/tmp/userland/build
 
   if [ "$RELEASE_ARCH" = "arm64" ] ; then
-  cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+  cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/aarch64-linux-gnu.cmake -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
   fi
 
   if [ "$RELEASE_ARCH" = "armel" ] ; then
-  cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+  cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
   fi
 
   if [ "$RELEASE_ARCH" = "armhf" ] ; then

bootstrap.d/44-nexmon_monitor_patch.sh

@@ -74,7 +74,7 @@ if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
     cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
   fi
 
-  if [ "$RPI_MODEL" = 3P ] ; then
+  if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
     cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
 	sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
     make clean

rpi23-gen-image.sh

@@ -470,7 +470,7 @@ if [ -n "$MISSING_PACKAGES" ] ; then
   [ "$confirm" != "y" ] && exit 1
 
   # Make sure all missing required packages are installed
-  apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
+  apt-get update && apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
 fi
 
 # Check if ./bootstrap.d directory exists