base-files: make some sysctls like kexec setting user-alterable

While at it, relax the pkglint for base-files only.
This commit is contained in:
q66 2021-02-28 01:34:19 +01:00
parent be6bfce212
commit 5949392125
4 changed files with 32 additions and 16 deletions

View file

@ -83,12 +83,17 @@ hook() {
# Prevent packages from installing to these paths in etc, they should use
# their equivalent in usr/lib
for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
if [ -d ${PKGDESTDIR}/etc/${f} ]; then
msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
error=1
fi
done
#
# But base-files is a special case, since it may contains suggested but
# still user-alterable default files (particularly sysctl.d)
if [ "${pkgname}" != "base-files" ]; then
for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
if [ -d ${PKGDESTDIR}/etc/${f} ]; then
msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
error=1
fi
done
fi
# Likewise with the comment above but for usr/share
for f in X11/xorg.conf.d gconf/schemas; do

View file

@ -0,0 +1,13 @@
# These are some recommended defaults that users can alter if needed.
# For example, developer systems may want to enable kexec for kernel
# testing, or disable the ptrace restrictions to be able to gdb attach
# to processes without root.
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict=1
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled=1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope=1

View file

@ -1,3 +1,8 @@
# These are hardening options that users should typically not be altering.
# This file is not tracked as a configuration file, so any changes in it
# will get overwritten with updates. Void systems also by default install
# certain hardening options that may be altered, in /etc/sysctl.d.
# Append the PID to the core filename
kernel.core_uses_pid = 1
@ -8,14 +13,5 @@ fs.protected_symlinks=1
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict=1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict=1
# Block non-uid-0 kernel profiling
kernel.perf_event_paranoid=2
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled=1
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope=1

View file

@ -1,7 +1,7 @@
# Template file for 'base-files'
pkgname=base-files
version=0.141
revision=7
revision=8
bootstrap=yes
depends="xbps-triggers"
short_desc="Void Linux base system files"
@ -18,6 +18,7 @@ conf_files="
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.inputrc
/etc/sysctl.d/10-void.conf
/etc/subuid
/etc/subgid
/etc/issue
@ -74,6 +75,7 @@ do_install() {
vinstall ${FILESDIR}/blacklist.conf 644 usr/lib/modprobe.d
# sysctl(8) files
vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf
vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void.conf
# Install common licenses, from Debian.
vmkdir usr/share/licenses