

Small tweaks
brace-audit:
- adjust resolvers
- check for vaapi drivers

proc overrides: fixup gnome-system monitor
closes #4

Signed-off-by: Tavi <[email protected]>
SkewedZeppelin committed Jul 22, 2024
1 parent 3369291 commit ba768aa
Showing 5 changed files with 12 additions and 6 deletions.
2 changes: 1 addition & 1 deletion PKGBUILD
@@ -1,6 +1,6 @@
# Maintainer: Tad <[email protected]>
pkgname=brace
pkgver=20240719
pkgver=20240722
pkgrel=1
pkgdesc="Increases privacy/security through various configs."
arch=('any')
2 changes: 1 addition & 1 deletion brace.spec
@@ -1,5 +1,5 @@
Name: brace
Version: 20240719
Version: 20240722
Release: 1
Summary: Increases privacy/security through various configs.
License: GPLv3+
2 changes: 1 addition & 1 deletion brace/DEBIAN/control
@@ -1,5 +1,5 @@
Package: brace
Version: 20240719-1
Version: 20240722-1
Section: custom
Priority: optional
Architecture: all
10 changes: 8 additions & 2 deletions brace/usr/bin/brace-audit
@@ -101,7 +101,7 @@ verifyFapolicydIntegrity() {
logNo "fapolicyd integrity mode:" "none";
fi;
else
logUnknown "fapolicyd integrity mode:" "unknown" "run: sudo brace-audit";
logUnknown "fapolicyd integrity mode:" "unknown" "sudo brace-audit";
fi;
}

Expand All @@ -117,10 +117,12 @@ verifyKernelCommandLine() {
if grep -q "init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on kpti=on randomize_kstack_offset=1 slab_nomerge iommu=force iommu.passthrough=0 iommu.strict=1 intel_iommu=on amd_iommu=force_isolation spec_store_bypass_disable=on ssbd=force-on spectre_v2=on spectre_bhi=on tsx=off lockdown=confidentiality mce=0 module.sig_enforce=1 vsyscall=none fsck.mode=force i8042.reset=1" /proc/cmdline > /dev/null 2>&1; then
logYes "kernel hardening via command line";
else
logNo "kernel hardening via command line" "run: sudo brace-supplemental-changes";
logNo "kernel hardening via command line" "sudo brace-supplemental-changes";
fi;
}

#verifyFST() { #TODO
#}

if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
if grep -q hypervisor /proc/cpuinfo; then
@@ -168,6 +170,7 @@ if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
if [ "$isDesktop" == "true" ]; then
rpmPackageInstalled "firejail";
rpmPackageInstalled "rpmfusion-free-release" "sudo brace-enable-rpmfusion";
rpmPackageInstalled "mesa-va-drivers-freeworld" "sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld --allowerasing";
fi;

echo -e "\nChecking fapolicyd";
@@ -206,6 +209,9 @@ if [ -f /etc/fedora-release ] || [ -f /etc/centos-release ]; then
echo -e "\nChecking kernel";
verifyKernelCommandLine;

#echo -e "\nChecking file system table";
#verifyFST;

echo -e "\n================================================================"
echo "END OF brace-audit"
echo "================================================================"
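Review bot: The added `rpmPackageInstalled "mesa-va-drivers-freeworld" ...` line in the desktop block hands the user a `dnf swap ... --allowerasing` remediation that only works once rpmfusion-free is enabled (the line directly above merely checks for it) and that, with `--allowerasing`, may remove other packages depending on mesa-va-drivers, so on a stock install the hint either fails or does more than the user expects. Consider gating the check on the repository actually being enabled, e.g. wrapping it in `if dnf repolist --enabled 2>/dev/null | grep -q '^rpmfusion-free'; then`, or at least dropping `--allowerasing` from the hint and placing `# requires rpmfusion-free; swap may erase dependents of mesa-va-drivers` above it. Whether rpmPackageInstalled's exit status reflects the result is not visible here, so it cannot be used as the guard without checking its definition. The enclosing `if [ -f /etc/fedora-release ] ...` block starts and ends outside this hunk.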
2 changes: 1 addition & 1 deletion brace/usr/lib/tmpfiles.d/99-brace-proc.conf
Expand Up @@ -7,7 +7,7 @@ z /proc/cgroups 0400 root root
z /proc/consoles 0400 root root
#z /proc/crypto 0400 root root #XXX: breaks zram-generator: https://github.com/systemd/zram-generator/blob/7e14ee973dd5d6ac00fcc4a392425e5d12d7c0ac/src/generator.rs#L125
z /proc/devices 0400 root root
z /proc/diskstats 0400 root root
#z /proc/diskstats 0400 root root #XXX: breaks libgtop: https://gitlab.gnome.org/GNOME/libgtop/-/commit/a067db056927db232a2eb8cf79d4af096962eced
z /proc/dma 0400 root root
z /proc/execdomains 0400 root root
z /proc/fb 0400 root root
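Review bot: Commenting out the `z /proc/diskstats 0400 root root` entry leaves that node at the kernel's world-readable default, so per-device I/O counters become visible to every local user again, but the new comment records only the breakage (libgtop) and not what is given up, so the next reader cannot weigh the trade-off. Suggest extending the comment to `#z /proc/diskstats 0400 root root #XXX: breaks libgtop (gnome-system-monitor): <existing link>; kernel default is world-readable, so I/O counters are exposed to all local users`. Since /proc/diskstats is a single global node there is no per-user relaxation available through tmpfiles.d, so the override can only be on or off here; presumably gnome-system-monitor is the libgtop consumer, per the commit message, but that is not visible in this file.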
