base-files: make some sysctls like kexec setting user-alterable
While at it, relax the pkglint for base-files only.
parent
be6bfce212
commit
5949392125
4 changed files with 32 additions and 16 deletions
|
@ -83,12 +83,17 @@ hook() {
|
|||
|
||||
# Prevent packages from installing to these paths in etc, they should use
|
||||
# their equivalent in usr/lib
|
||||
for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
|
||||
if [ -d ${PKGDESTDIR}/etc/${f} ]; then
|
||||
msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
|
||||
error=1
|
||||
fi
|
||||
done
|
||||
#
|
||||
# But base-files is a special case, since it may contains suggested but
|
||||
# still user-alterable default files (particularly sysctl.d)
|
||||
if [ "${pkgname}" != "base-files" ]; then
|
||||
for f in udev/{rules.d,hwdb.d} modprobe.d sysctl.d; do
|
||||
if [ -d ${PKGDESTDIR}/etc/${f} ]; then
|
||||
msg_red "${pkgver}: /etc/${f} is forbidden. Use /usr/lib/${f}.\n"
|
||||
error=1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Likewise with the comment above but for usr/share
|
||||
for f in X11/xorg.conf.d gconf/schemas; do
|
||||
|
|
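--- /dev/null
+++ b/srcpkgs/base-files/files/sysctl-user.conf
@@ -0,0 +1,13 @@
+# These are some recommended defaults that users can alter if needed.
+# For example, developer systems may want to enable kexec for kernel
+# testing, or disable the ptrace restrictions to be able to gdb attach
+# to processes without root.
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict=1
+
+# Turn off kexec, even if it's built in.
+kernel.kexec_load_disabled=1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope=1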
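Review bot: The header comment at the top of the new file invites developers to re-enable kexec, but `kernel.kexec_load_disabled` is a one-way latch: once the kernel has accepted a 1, it rejects writes of 0 until the next boot, so a user who follows the hint with `sysctl -w kernel.kexec_load_disabled=0` on a running system will get EINVAL and may conclude the knob is broken. The other two settings in this file (dmesg_restrict, ptrace_scope) can be changed live, so the difference is worth spelling out next to the kexec line. I would add above `kernel.kexec_load_disabled=1`: `# Note: this is a one-way switch; once set to 1 it cannot be cleared until` / `# reboot, so edit or remove it here and reboot rather than using sysctl -w.`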
@ -1,3 +1,8 @@
|
|||
# These are hardening options that users should typically not be altering.
|
||||
# This file is not tracked as a configuration file, so any changes in it
|
||||
# will get overwritten with updates. Void systems also by default install
|
||||
# certain hardening options that may be altered, in /etc/sysctl.d.
|
||||
|
||||
# Append the PID to the core filename
|
||||
kernel.core_uses_pid = 1
|
||||
|
||||
|
@ -8,14 +13,5 @@ fs.protected_symlinks=1
|
|||
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
|
||||
kernel.kptr_restrict=1
|
||||
|
||||
# Avoid kernel memory address exposures via dmesg.
|
||||
kernel.dmesg_restrict=1
|
||||
|
||||
# Block non-uid-0 kernel profiling
|
||||
kernel.perf_event_paranoid=2
|
||||
|
||||
# Turn off kexec, even if it's built in.
|
||||
kernel.kexec_load_disabled=1
|
||||
|
||||
# Avoid non-ancestor ptrace access to running processes and their credentials.
|
||||
kernel.yama.ptrace_scope=1
|
||||
|
|
|
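Review bot: The new header comment in the first hunk sends users to `/etc/sysctl.d` for the alterable options without naming the file, even though this same package installs it; naming it saves a search and makes the split between the two files explicit. I would change the last comment line to `# certain hardening options that may be altered, in /etc/sysctl.d (see the 10-void.conf file installed there).` and add `# Unlike this file, that one is tracked as a configuration file and survives updates.` The second hunk, which drops dmesg_restrict, kexec_load_disabled and ptrace_scope, matches what the new user file carries, so nothing else to raise there.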
@ -1,7 +1,7 @@
|
|||
# Template file for 'base-files'
|
||||
pkgname=base-files
|
||||
version=0.141
|
||||
revision=7
|
||||
revision=8
|
||||
bootstrap=yes
|
||||
depends="xbps-triggers"
|
||||
short_desc="Void Linux base system files"
|
||||
|
@ -18,6 +18,7 @@ conf_files="
|
|||
/etc/skel/.bash_logout
|
||||
/etc/skel/.bashrc
|
||||
/etc/skel/.inputrc
|
||||
/etc/sysctl.d/10-void.conf
|
||||
/etc/subuid
|
||||
/etc/subgid
|
||||
/etc/issue
|
||||
|
@ -74,6 +75,7 @@ do_install() {
|
|||
vinstall ${FILESDIR}/blacklist.conf 644 usr/lib/modprobe.d
|
||||
# sysctl(8) files
|
||||
vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf
|
||||
vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void.conf
|
||||
|
||||
# Install common licenses, from Debian.
|
||||
vmkdir usr/share/licenses
|
||||
|
|
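Review bot: Installing the user-alterable file as `/etc/sysctl.d/10-void.conf` (the new vinstall line in the do_install hunk) gives it the same basename as the hardening file installed as `/usr/lib/sysctl.d/10-void.conf` on the line above, and both procps-ng's `sysctl --system` and systemd-sysctl skip a lower-precedence file whose basename was already seen in /etc/sysctl.d. If Void's boot script uses either loader (it is not shown here), the /usr/lib file is masked entirely and the settings this commit deliberately keeps non-alterable — kptr_restrict, perf_event_paranoid, fs.protected_symlinks and the rest of that file — are never applied. Give the tunable file a distinct name, e.g. `vinstall ${FILESDIR}/sysctl-user.conf 644 etc/sysctl.d 10-void-user.conf`, and list `/etc/sysctl.d/10-void-user.conf` in conf_files in place of `/etc/sysctl.d/10-void.conf`. do_install() starts before and ends after this hunk; the revision bump itself is fine.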