From bcbf7c6c9fc7d8a96b1d5c4cc9247b85fe3da2ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=81LI=20G=C3=A1bor=20J=C3=A1nos?=
Date: Sun, 10 Apr 2022 18:17:21 +0200
Subject: Move towards custom packages.

Change the build image process in a way that custom-built packages can be utilized. This means a simpler `Makefile` since every modification is implemented on the level of packages. Include the sources for every customized package.
---
 aports/base-layout/APKBUILD | 195 ++++++++++++++++++++++++++++++++++++++++
 aports/base-layout/aliases.conf | 57 ++++++++++++
 aports/base-layout/crontab | 8 ++
 aports/base-layout/group | 48 ++++++++++
 aports/base-layout/inittab | 6 ++
 aports/base-layout/locale.sh | 3 +
 aports/base-layout/passwd | 27 ++++++
 aports/base-layout/profile | 45 ++++++++++
 8 files changed, 389 insertions(+)
 create mode 100644 aports/base-layout/APKBUILD
 create mode 100644 aports/base-layout/aliases.conf
 create mode 100644 aports/base-layout/crontab
 create mode 100644 aports/base-layout/group
 create mode 100644 aports/base-layout/inittab
 create mode 100644 aports/base-layout/locale.sh
 create mode 100644 aports/base-layout/passwd
 create mode 100644 aports/base-layout/profile
(limited to 'aports/base-layout')

diff --git a/aports/base-layout/APKBUILD b/aports/base-layout/APKBUILD
new file mode 100644
index 0000000..616cfc5
--- /dev/null
+++ b/aports/base-layout/APKBUILD
@@ -0,0 +1,195 @@
+# Maintainer: Gabor Pali
+
+pkgname=baselayout
+pkgver=3.2.0
+pkgrel=18
+pkgdesc="Base dir structure and init scripts (Alpine Linux)"
+url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
+arch="all"
+license="GPL-2.0-only"
+pkggroups="shadow"
+options="!fhs !check"
+install=
+_nbver=6.2
+source="crontab
+ locale.sh
+
+ group
+ inittab
+ passwd
+ profile
+ protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols
+ services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services
+ "
+builddir="$srcdir/build"
+
+prepare() {
+ default_prepare
+ mkdir -p "$builddir"
+ mv "$srcdir"/protocols-$_nbver "$srcdir"/protocols
+ mv "$srcdir"/services-$_nbver "$srcdir"/services
+}
+
+build() {
+ # generate shadow
+ awk -F: '{
+ pw = ":!:"
+ if ($1 == "root") { pw = "::" }
+ print($1 pw ":0:::::")
+ }' "$srcdir"/passwd > shadow
+}
+
+package() {
+ mkdir -p "$pkgdir"
+ cd "$pkgdir"
+ install -m 0755 -d \
+ dev \
+ dev/pts \
+ dev/shm \
+ etc \
+ etc/conf.d \
+ etc/crontabs \
+ etc/init.d \
+ etc/modprobe.d \
+ etc/modules-load.d \
+ etc/network/if-down.d \
+ etc/network/if-post-down.d \
+ etc/network/if-pre-up.d \
+ etc/network/if-up.d \
+ etc/periodic/15min \
+ etc/periodic/daily \
+ etc/periodic/hourly \
+ etc/periodic/monthly \
+ etc/periodic/weekly \
+ etc/profile.d \
+ etc/sysctl.d \
+ lib/firmware \
+ lib/mdev \
+ lib/modules-load.d \
+ lib/sysctl.d \
+ media/etc \
+ media/wpa \
+ proc \
+ run \
+ sbin \
+ sys \
+ usr/bin \
+ usr/lib/modules-load.d \
+ usr/local/bin \
+ usr/local/lib \
+ usr/local/share \
+ usr/sbin \
+ usr/share \
+ usr/share/man \
+ usr/share/misc \
+ var/cache \
+ var/cache/misc \
+ var/lib \
+ var/lib/misc \
+ var/local \
+ var/lock/subsys \
+ var/log \
+ var/opt \
+ var/spool \
+ var/spool/cron \
+ var/mail
+
+ ln -s /run var/run
+ install -d -m 0555 var/empty
+ install -d -m 0700 "$pkgdir"/root
+ install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp
+
+ install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root
+ install -m644 \
+ "$srcdir"/locale.sh \
+ "$pkgdir"/etc/profile.d/
+
+ echo "wifibox" > "$pkgdir"/etc/hostname
+ cat > "$pkgdir"/etc/hosts <<-EOF
+ 127.0.0.1 localhost localhost.localdomain
+ ::1 localhost localhost.localdomain
+ EOF
+ cat > "$pkgdir"/etc/modules <<-EOF
+ af_packet
+ ipv6
+ EOF
+ cat > "$pkgdir"/etc/shells <<-EOF
+ /bin/sh
+ /bin/ash
+ EOF
+ cat > "$pkgdir"/etc/sysctl.conf <<-EOF
+ net.ipv4.ip_forward=1
+ EOF
+ cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF
+ # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
+ net.ipv4.tcp_syncookies = 1
+
+ # Prevents ip spoofing.
+ net.ipv4.conf.default.rp_filter = 1
+ net.ipv4.conf.all.rp_filter = 1
+
+ # Only groups within this id range can use ping.
+ net.ipv4.ping_group_range=999 59999
+
+ # Redirects can potentially be used to maliciously alter hosts
+ # routing tables.
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.secure_redirects = 1
+ net.ipv6.conf.all.accept_redirects = 0
+
+ # The source routing feature includes some known vulnerabilities.
+ net.ipv4.conf.all.accept_source_route = 0
+ net.ipv6.conf.all.accept_source_route = 0
+
+ # See RFC 1337
+ net.ipv4.tcp_rfc1337 = 1
+
+ ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+ net.ipv6.conf.default.use_tempaddr = 2
+ net.ipv6.conf.all.use_tempaddr = 2
+
+ # Restarts computer after 120 seconds after kernel panic
+ kernel.panic = 120
+
+ # Users should not be able to create soft or hard links to files
+ # which they do not own. This mitigates several privilege
+ # escalation vulnerabilities.
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
+ EOF
+ cat > "$pkgdir"/etc/fstab <<-EOF
+ tmpfs /tmp tmpfs size=128K 0 0
+ config /media/etc 9p trans=virtio,ro,noatime,nodiratime,norelatime 0 0
+ wpa_config /media/wpa 9p trans=virtio,rw 0 0
+ var /var 9p trans=virtio,rw 0 0
+ EOF
+
+ install -m644 \
+ "$srcdir"/group \
+ "$srcdir"/passwd \
+ "$srcdir"/inittab \
+ "$srcdir"/profile \
+ "$srcdir"/protocols \
+ "$srcdir"/services \
+ "$pkgdir"/etc/
+
+ install -m640 -g shadow "$builddir"/shadow \
+ "$pkgdir"/etc/
+
+ # symlinks
+ ln -s /dev/null "$pkgdir"/root/.ash_history
+ ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs
+ ln -s /proc/mounts "$pkgdir"/etc/mtab
+ ln -s /var/mail "$pkgdir"/var/spool/mail
+}
+
+sha512sums="
+6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82 crontab
+b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a locale.sh
+806b8f23f823a9471846d12fa6b55690b95eedb4c613b82aefaba7ffef23f83e17552befd891a487864f72ef24e395d8611738933f684a85eb4c336cb20994f8 group
+7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
+06d12a7b9ca14fe17e412d0f24814620b67d035ae859be7906cbf4782dd69e359a6a555dafb98060b7fb7e4714aaa676c88d9017cded36e6d8398e23369bb290 passwd
+b14920eae431d1f15b066e264a94f804540c5dcbf91caef034019d95456c975c0c054672e53369082682dd9454a034f26bd45b312adfc0ab68a0311d97b037ac profile
+eadc83e47fcc354ab83fd109bee452bda170886fb684e67faf615930c11480919505f4af60c685b124efc54af0ded9522663132f911eac6622144f8b4c8be695 protocols-6.2
+adfae0d2f569c2a2f413b7e27683a007fc8ca689b8c3349672fe0dcb6208c192ede4402eff09c604b7e7b4fd9d8df93b875efa5bdaa6c14ff1d8022a7caad5cd services-6.2
+"
diff --git a/aports/base-layout/aliases.conf b/aports/base-layout/aliases.conf
new file mode 100644
index 0000000..b179017
--- /dev/null
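Review bot: `aliases.conf` is added by this commit but the APKBUILD never consumes it: it is missing from `source=` and `sha512sums=`, and `package()` creates `etc/modprobe.d` but installs nothing into it, so the file is dead as committed (the aliases.conf hunk is affected as well). Either drop it or list it in `source=`/`sha512sums=` and install it next to the other files with `install -m644 "$srcdir"/aliases.conf "$pkgdir"/etc/modprobe.d/`. Separately, `build()` emits root's shadow entry with an empty password field (`pw = "::"`) while the inittab hunk respawns a getty on ttyS0, so whoever reaches that console — presumably the host side of the VM — gets root without authentication; if that is the intended trust model, record it above the awk with `# root is deliberately left without a password: the serial console is the only login path and is trusted`, otherwise lock the entry with `:!:` like every other account. The fstab heredoc also mounts /tmp and the writable 9p shares without `nosuid,nodev`; adding those options to the tmpfs line and to the `wpa_config` and `var` lines is cheap and keeps setuid binaries and device nodes from being introduced through host-shared directories.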
+++ b/aports/base-layout/aliases.conf
@@ -0,0 +1,57 @@
+# Aliases to tell insmod/modprobe which modules to use
+
+# Uncomment the network protocols you don't want loaded:
+# alias net-pf-1 off # Unix
+# alias net-pf-2 off # IPv4
+# alias net-pf-3 off # Amateur Radio AX.25
+# alias net-pf-4 off # IPX
+# alias net-pf-5 off # DDP / appletalk
+# alias net-pf-6 off # Amateur Radio NET/ROM
+# alias net-pf-9 off # X.25
+# alias net-pf-10 off # IPv6
+# alias net-pf-11 off # ROSE / Amateur Radio X.25 PLP
+# alias net-pf-19 off # Acorn Econet
+
+alias char-major-10-175 agpgart
+alias char-major-10-200 tun
+alias char-major-81 bttv
+alias char-major-108 ppp_generic
+alias /dev/ppp ppp_generic
+alias tty-ldisc-3 ppp_async
+alias tty-ldisc-14 ppp_synctty
+alias ppp-compress-21 bsd_comp
+alias ppp-compress-24 ppp_deflate
+alias ppp-compress-26 ppp_deflate
+
+# Crypto modules (see http://www.kerneli.org/)
+alias loop-xfer-gen-0 loop_gen
+alias loop-xfer-3 loop_fish2
+alias loop-xfer-gen-10 loop_gen
+alias cipher-2 des
+alias cipher-3 fish2
+alias cipher-4 blowfish
+alias cipher-6 idea
+alias cipher-7 serp6f
+alias cipher-8 mars6
+alias cipher-11 rc62
+alias cipher-15 dfc2
+alias cipher-16 rijndael
+alias cipher-17 rc5
+
+# Support for i2c and lm_sensors
+alias char-major-89 i2c-dev
+
+# xfrm
+alias xfrm-type-2-4 xfrm4_tunnel
+alias xfrm-type-2-50 esp4
+alias xfrm-type-2-51 ah4
+alias xfrm-type-2-108 ipcomp
+alias xfrm-type-10-41 xfrm6_tunnel
+alias xfrm-type-10-50 esp6
+alias xfrm-type-10-51 ah6
+alias xfrm-type-10-108 ipcomp6
+
+alias sha1 sha1-generic
+# change to aes-i586 to boost performance
+alias aes aes-generic
+
diff --git a/aports/base-layout/crontab b/aports/base-layout/crontab
new file mode 100644
index 0000000..fd8acd8
--- /dev/null
+++ b/aports/base-layout/crontab
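Review bot: The `loop-xfer-*` and `cipher-N` aliases under the kerneli.org comment point at module names (`loop_gen`, `loop_fish2`, `fish2`, `serp6f`, `mars6`, `rc62`, `dfc2`) that, as far as I can tell, belong to the old out-of-tree cryptoloop patches and have no counterpart in mainline kernels, so they are inert; `bttv`, `agpgart` and `i2c-dev` likewise describe hardware a VM image is unlikely to expose. If the file is kept, a comment above that section such as `# legacy cryptoloop aliases carried over from upstream; no matching modules in mainline` would stop a reader from assuming they do something, and trimming to the entries this image plausibly uses (`tun`, the `ppp_*` and `xfrm-*` lines) would make the intent clearer.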
@@ -0,0 +1,8 @@
+# do daily/weekly/monthly maintenance
+# min hour day month weekday command
+*/15 * * * * run-parts /etc/periodic/15min
+0 * * * * run-parts /etc/periodic/hourly
+0 2 * * * run-parts /etc/periodic/daily
+0 3 * * 6 run-parts /etc/periodic/weekly
+0 5 1 * * run-parts /etc/periodic/monthly
+
diff --git a/aports/base-layout/group b/aports/base-layout/group
new file mode 100644
index 0000000..23b124b
--- /dev/null
+++ b/aports/base-layout/group
@@ -0,0 +1,48 @@
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin,adm
+adm:x:4:root,adm,daemon
+tty:x:5:
+disk:x:6:root,adm
+lp:x:7:lp
+mem:x:8:
+kmem:x:9:
+wheel:x:10:root
+floppy:x:11:root
+mail:x:12:mail
+news:x:13:news
+uucp:x:14:uucp
+man:x:15:man
+cron:x:16:cron
+console:x:17:
+audio:x:18:
+cdrom:x:19:
+dialout:x:20:root
+ftp:x:21:
+sshd:x:22:
+input:x:23:
+at:x:25:at
+tape:x:26:root
+video:x:27:root
+netdev:x:28:
+readproc:x:30:
+squid:x:31:squid
+xfs:x:33:xfs
+kvm:x:34:kvm
+games:x:35:
+shadow:x:42:
+cdrw:x:80:
+www-data:x:82:
+usb:x:85:
+vpopmail:x:89:
+users:x:100:games
+ntp:x:123:
+nofiles:x:200:
+smmsp:x:209:smmsp
+locate:x:245:
+abuild:x:300:
+utmp:x:406:
+ping:x:999:
+nogroup:x:65533:
+nobody:x:65534:
diff --git a/aports/base-layout/inittab b/aports/base-layout/inittab
new file mode 100644
index 0000000..d4dbd79
--- /dev/null
+++ b/aports/base-layout/inittab
@@ -0,0 +1,6 @@
+::sysinit:/sbin/openrc sysinit
+::sysinit:/sbin/openrc boot
+::wait:/sbin/openrc default
+::restart:/sbin/init
+ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
+::shutdown:/sbin/openrc shutdown
diff --git a/aports/base-layout/locale.sh b/aports/base-layout/locale.sh
new file mode 100644
index 0000000..bf75c08
--- /dev/null
+++ b/aports/base-layout/locale.sh
@@ -0,0 +1,3 @@
+export CHARSET=UTF-8
+export LANG=C.UTF-8
+export LC_COLLATE=C
diff --git a/aports/base-layout/passwd b/aports/base-layout/passwd
new file mode 100644
index 0000000..cc124a9
--- /dev/null
+++ b/aports/base-layout/passwd
@@ -0,0 +1,27 @@
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
diff --git a/aports/base-layout/profile b/aports/base-layout/profile
new file mode 100644
index 0000000..fd7506b
--- /dev/null
+++ b/aports/base-layout/profile
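Review bot: The account list keeps stock entries for services this image does not appear to include — `squid`, `xfs`, `cyrus`, `vpopmail`, `games`, `guest`, `smmsp`, `at`, `uucp`, `news`, `lp` — and each of them also becomes a shadow line, since `build()` in the APKBUILD derives shadow from this file. They all carry `/sbin/nologin`, so none can log in, but every one is an extra identity that file ownership, cron and any future doas rule must account for; if nothing in the build needs them, trimming these lines (together with the matching entries in the group hunk, which shares the same ids) keeps the appliance minimal.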
@@ -0,0 +1,45 @@
+# Append "$1" to $PATH when not already in.
+# Copied from Arch Linux, see #12803 for details.
+append_path () {
+ case ":$PATH:" in
+ *:"$1":*)
+ ;;
+ *)
+ PATH="${PATH:+$PATH:}$1"
+ ;;
+ esac
+}
+
+append_path "/usr/local/sbin"
+append_path "/usr/local/bin"
+append_path "/usr/sbin"
+append_path "/usr/bin"
+append_path "/sbin"
+append_path "/bin"
+unset -f append_path
+
+export PATH
+export PAGER=less
+umask 022
+
+# set up fallback default PS1
+: "${HOSTNAME:=$(hostname)}"
+PS1='${HOSTNAME%%.*}:$PWD'
+[ "$(id -u)" = "0" ] && PS1="${PS1}# "
+[ "$(id -u)" = "0" ] || PS1="${PS1}\$ "
+
+# use nicer PS1 for bash and busybox ash
+[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ] && PS1='\h:\w\$ '
+
+# use nicer PS1 for zsh
+[ -n "$ZSH_VERSION" ] && PS1='%m:%~%# '
+
+# export PS1 as before
+export PS1
+
+for script in /etc/profile.d/*.sh ; do
+ if [ -r "$script" ] ; then
+ . "$script"
+ fi
+done
+unset script
-- 
cgit v1.2.3
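Review bot: `[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]` relies on the `-o` binary operator, which POSIX marks obsolescent and which can be parsed ambiguously when an operand happens to look like an operator, and its second operand is a bare-string test rather than an explicit `-n`; `[ -n "$BASH_VERSION" ] || [ -n "$BB_ASH_VERSION" ]` expresses the same check unambiguously and matches the `[ ... ] || ...` form already used for the root-prompt case a few lines above. The two root-prompt lines also fork `id -u` twice for the same answer; capturing it once, e.g. `_uid=$(id -u)` before the tests and `unset _uid` after them, is optional polish that keeps the file's cleanup style (`unset -f append_path`, `unset script`).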