diff --git a/recipe-dx.yml b/recipe-dx.yml
index f2fc1b44e4..d08b659022 100644
--- a/recipe-dx.yml
+++ b/recipe-dx.yml
@@ -11,7 +11,6 @@ scripts:
 - dx-extras.sh
 rpm:
 repos:
- - https://terra.fyralabs.com/terra.repo
 install:
 - python3-pip
 - libadwaita
@@ -34,10 +33,6 @@ rpm:
 - libvirt
 - qemu-img
 - tmux
- - code-insiders
- - jetbrainsmono-nerd-fonts
- - firacode-nerd-fonts
- - firamono-nerd-fonts
 remove:
 - wpa_supplicant
 firstboot:
diff --git a/scripts/post/displaylink_remove.sh b/scripts/post/displaylink_remove.sh
deleted file mode 100644
index 220b6e1729..0000000000
--- a/scripts/post/displaylink_remove.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-systemctl disable displaylink.service
\ No newline at end of file
diff --git a/scripts/post/faster_boot_less_services.sh b/scripts/post/faster_boot_less_services.sh
new file mode 100644
index 0000000000..13d2176a00
--- /dev/null
+++ b/scripts/post/faster_boot_less_services.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+systemctl disable displaylink.service bazzite-hardware-setup.service flatpak-system-install.service
\ No newline at end of file
diff --git a/scripts/post/hardening.sh b/scripts/post/hardening.sh
deleted file mode 100755
index 2b37bd95da..0000000000
--- a/scripts/post/hardening.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-set -euo pipefail
-mkdir -p /usr/etc/systemd/system/{NetworkManager,irqbalance}.service.d
-
-curl -fsSLo \
- /usr/etc/systemd/system/NetworkManager.service.d/99-brace.conf \
- 'https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf'
-
-curl -fsSLo \
- /usr/etc/systemd/system/irqbalance.service.d/99-brace.conf \
- 'https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf'
-
-curl -fsSLo \
- /usr/etc/chrony.conf \
- 'https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf'
\ No newline at end of file
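Review bot: The new `systemctl disable` line in faster_boot_less_services.sh runs under plain `#!/bin/sh` with no `set -e`, so if one of the three units is absent from the base image the failure is visible only through the script's exit status, and the deleted hardening.sh was stricter (`set -euo pipefail`) than what replaces it. Add `set -eu` after the shebang (`-o pipefail` is not portable under `#!/bin/sh`), and consider one `systemctl disable` per unit so a missing unit is easy to identify in the build log. The file is also created as mode 100644, matching the mode change on the renamed networkmanager-realtek.sh, which presumably is only fine if the recipe runner invokes scripts through `sh` rather than executing them directly; it also lacks a trailing newline.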
diff --git a/scripts/pre/networkmanager-realtek.sh b/scripts/post/networkmanager-realtek.sh
old mode 100755
new mode 100644
similarity index 100%
rename from scripts/pre/networkmanager-realtek.sh
rename to scripts/post/networkmanager-realtek.sh
diff --git a/scripts/post/silead_gsl-firmware.sh b/scripts/post/silead_gsl-firmware.sh
deleted file mode 100755
index 0419e9d8eb..0000000000
--- a/scripts/post/silead_gsl-firmware.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-set -euo pipefail
-
-git clone https://github.com/onitake/gsl-firmware /tmp/firmware
-mkdir -p /usr/lib/firmware/silead
-cp -f /tmp/firmware/firmware/positivo/c464c/*.fw /usr/lib/firmware/silead
diff --git a/usr/lib/firmware/silead/mssl1680.fw b/usr/lib/firmware/silead/mssl1680.fw
new file mode 100644
index 0000000000..b53e9f1670
Binary files /dev/null and b/usr/lib/firmware/silead/mssl1680.fw differ
diff --git a/usr/lib/firmware/silead/silead.fw b/usr/lib/firmware/silead/silead.fw
new file mode 100644
index 0000000000..b53e9f1670
Binary files /dev/null and b/usr/lib/firmware/silead/silead.fw differ
diff --git a/usr/lib/firmware/silead/silead_ts.fw b/usr/lib/firmware/silead/silead_ts.fw
new file mode 100644
index 0000000000..707d5d913e
Binary files /dev/null and b/usr/lib/firmware/silead/silead_ts.fw differ
diff --git a/usr/lib/systemd/NetworkManager.service.d/99-brace.conf b/usr/lib/systemd/NetworkManager.service.d/99-brace.conf
new file mode 100644
index 0000000000..f54c5126ce
--- /dev/null
+++ b/usr/lib/systemd/NetworkManager.service.d/99-brace.conf
@@ -0,0 +1,28 @@
+[Service]
+# Hardening
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#PrivateDevices=true #breaks tun usage
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelLogs=true
+#ProtectKernelModules=true
+#ProtectSystem=strict
+ReadOnlyPaths=/etc/NetworkManager
+ReadOnlyPaths=-/home
+ReadWritePaths=-/etc/NetworkManager/system-connections
+ReadWritePaths=-/etc/sysconfig/network-scripts
+ReadWritePaths=/var/lib/NetworkManager
+ReadWritePaths=-/var/run/NetworkManager
+ReadWritePaths=-/run/NetworkManager
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
\ No newline at end of file
diff --git a/usr/lib/systemd/irqbalance.service.d/99-brace.conf b/usr/lib/systemd/irqbalance.service.d/99-brace.conf
new file mode 100644
index 0000000000..3019ff6b97
--- /dev/null
+++ b/usr/lib/systemd/irqbalance.service.d/99-brace.conf
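Review bot: The drop-in is committed at `usr/lib/systemd/NetworkManager.service.d/99-brace.conf`, which is not a location systemd searches; unit drop-ins are read from `<unit search path>/<unit>.d/`, i.e. `usr/lib/systemd/system/NetworkManager.service.d/`, the same layout the deleted hardening.sh's download URL (`.../brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf`) uses. As committed, the hardening silently stops applying to NetworkManager, and the same applies to `usr/lib/systemd/irqbalance.service.d/99-brace.conf` in the next file; both should move under `usr/lib/systemd/system/`. The deleted script also fetched `/usr/etc/chrony.conf` from GrapheneOS, and no in-tree replacement appears in this diff, so that part of the previous hardening seems to be dropped without being mentioned.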
@@ -0,0 +1,34 @@
+[Service]
+# Hardening
+#CapabilityBoundingSet="CAP_SETPCAP"
+LockPersonality=true
+MemoryDenyWriteExecute=true
+#NoNewPrivileges=true
+PrivateDevices=true
+#ProtectProc=invisible
+PrivateTmp=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=-/etc/default/irqbalance
+ReadOnlyPaths=-/etc/sysconfig/irqbalance
+ReadOnlyPaths=-/etc/irqbalance
+ReadWritePaths=/proc/irq
+ReadWritePaths=-/run/irqbalance
+ReadWritePaths=-/var/run/irqbalance
+RemoveIPC=true
+RestrictAddressFamilies=~AF_INET
+RestrictAddressFamilies=~AF_INET6
+#RestrictAddressFamilies=~AF_NETLINK
+RestrictAddressFamilies=~AF_PACKET
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
\ No newline at end of file
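Review bot: Neither this file nor the NetworkManager drop-in records where its content came from, so a later reader cannot tell which upstream revision of divested's brace it was copied from or re-check it when upstream changes. Vendoring the files instead of having the deleted hardening.sh fetch them from `https://gitlab.com/divested/brace` at build time is an improvement for reproducibility, but it moves the update burden into this repository. Add a provenance line after `# Hardening`, e.g. `# Source: https://gitlab.com/divested/brace (brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf), copied at <upstream commit>`, and the equivalent line in the NetworkManager file.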