# Maintainer: Gabor Pali <pali.gabor@gmail.com>

pkgname=baselayout # base: alpine-baselayout, alpine-baselayout-data
pkgver=3.4.3
pkgrel=2 # base: 2
pkgdesc="Base dir structure and init scripts"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="noarch"
license="GPL-2.0-only"
# Group that has to exist on the build host: package() installs /etc/shadow
# with this group as owner group (mode 0640).
pkggroups="shadow"
# !fhs: package() creates non-FHS paths (media/etc) that abuild would
# otherwise reject; !check: there is no check() phase for this package.
options="!fhs !check"
# No pre/post-install scripts are declared.
install=
# Debian netbase release that /etc/protocols and /etc/services are taken from.
_nbver=6.4
# "name::url" entries are downloaded under the versioned name and verified
# against sha512sums below; prepare() renames them to their plain names.
source="crontab
	20locale.sh

	group
	inittab
	passwd
	profile
	protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols
	services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services
	"
# build() writes the generated shadow file here; package() reads it from here.
builddir="$srcdir/build"

prepare() {
	default_prepare
	mkdir -p "$builddir"
	# The netbase files were fetched under a versioned name (see source=);
	# give them the plain names that package() later installs into etc/.
	local f
	for f in protocols services; do
		mv "$srcdir/$f-$_nbver" "$srcdir/$f"
	done
}

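build() {
	# Generate the shadow file from the shipped passwd. Every account is
	# locked with "!" EXCEPT root, whose password field is left empty --
	# an empty field normally means root can log in without a password.
	# That is a deliberate choice for this image; keep it in mind before
	# reusing the package elsewhere.
	#
	# Each output line is name:pw:lastchg:min:max:warn:inactive:expire:flag
	# with lastchg empty, min 0 and the remaining fields empty, e.g.
	#   root:::0:::::   and   bin:!::0:::::
	#
	# package() reads "$builddir"/shadow, so write it there explicitly
	# instead of relying on the working directory abuild happens to use.
	awk -F: '{
		pw = ":!:"
		if ($1 == "root") { pw = "::" }
		print($1 pw ":0:::::")
	}' "$srcdir"/passwd > "$builddir"/shadow
}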

package() {
	# Everything below runs with "$pkgdir" as the working directory, so the
	# bare paths (etc/, var/, ...) are package paths, not host paths.
	mkdir -p "$pkgdir"
	cd "$pkgdir"
	# Directory skeleton. media/etc and var are mount points for the 9p
	# shares listed in the fstab written further down; options="!fhs" at
	# the top is what lets the non-FHS media/etc through abuild's checks.
	install -m 0755 -d \
		dev \
		dev/pts \
		dev/shm \
		etc \
		etc/conf.d \
		etc/crontabs \
		etc/init.d \
		etc/modprobe.d \
		etc/modules-load.d \
		etc/network/if-down.d \
		etc/network/if-post-down.d \
		etc/network/if-pre-up.d \
		etc/network/if-up.d \
		etc/periodic/15min \
		etc/periodic/daily \
		etc/periodic/hourly \
		etc/periodic/monthly \
		etc/periodic/weekly \
		etc/profile.d \
		etc/sysctl.d \
		lib/firmware \
		lib/mdev \
		lib/modules-load.d \
		lib/sysctl.d \
		media/etc \
		proc \
		run \
		sbin \
		sys \
		usr/bin \
		usr/lib/modules-load.d \
		usr/local/bin \
		usr/local/lib \
		usr/local/share \
		usr/sbin \
		usr/share \
		usr/share/man \
		usr/share/misc \
		var/cache \
		var/cache/misc \
		var/lib \
		var/lib/misc \
		var/local \
		var/lock/subsys \
		var/log \
		var/opt \
		var/spool \
		var/spool/cron \
		var/mail

	# /var/run is a compatibility symlink to /run.
	ln -s /run var/run
	install -d -m 0555 var/empty
	# root's home is private; tmp dirs are world-writable with the sticky bit.
	install -d -m 0700 "$pkgdir"/root
	install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp

	# root's crontab is readable by root only.
	install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root
	install -m644 \
		"$srcdir"/20locale.sh \
		"$pkgdir"/etc/profile.d/

	# The heredocs below use <<-EOF, which strips leading TABS only; the
	# bodies must stay tab-indented or the generated files change.
	cat > "$pkgdir"/etc/hosts <<-EOF
		127.0.0.1	localhost localhost.localdomain
		::1		localhost localhost.localdomain
	EOF
	cat > "$pkgdir"/etc/modules <<-EOF
		af_packet
		ipv6
	EOF
	cat > "$pkgdir"/etc/shells <<-EOF
		/bin/sh
		/bin/ash
	EOF
	# /etc/sysctl.conf enables IPv4 and IPv6 packet forwarding (the host is
	# expected to route between interfaces) plus IPv6 privacy addresses.
	# The hardening defaults live in lib/sysctl.d/00-alpine.conf below.
	cat > "$pkgdir"/etc/sysctl.conf <<-EOF
		net.ipv4.ip_forward = 1
		net.ipv6.conf.all.forwarding = 2
		net.ipv6.conf.default.forwarding = 2
		# Enable IPv6 Privacy Extensions
		net.ipv6.conf.all.use_tempaddr = 2
		net.ipv6.conf.default.use_tempaddr = 2
		net.ipv6.conf.eth0.use_tempaddr = 2
		net.ipv6.conf.wlan0.use_tempaddr = 2
	EOF
	cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF
		# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
		net.ipv4.tcp_syncookies = 1

		# Prevents ip spoofing.
		net.ipv4.conf.default.rp_filter = 1
		net.ipv4.conf.all.rp_filter = 1

		# Only groups within this id range can use ping.
		net.ipv4.ping_group_range=999 59999

		# Redirects can potentially be used to maliciously alter hosts
		# routing tables.
		net.ipv4.conf.all.accept_redirects = 0
		net.ipv4.conf.all.secure_redirects = 1
		net.ipv6.conf.all.accept_redirects = 0

		# The source routing feature includes some known vulnerabilities.
		net.ipv4.conf.all.accept_source_route = 0
		net.ipv6.conf.all.accept_source_route = 0

		# See RFC 1337
		net.ipv4.tcp_rfc1337 = 1

		## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
		net.ipv6.conf.default.use_tempaddr = 2
		net.ipv6.conf.all.use_tempaddr = 2

		# Restarts computer after 120 seconds after kernel panic
		kernel.panic = 120

		# Users should not be able to create soft or hard links to files
		# which they do not own. This mitigates several privilege
		# escalation vulnerabilities.
		fs.protected_hardlinks = 1
		fs.protected_symlinks = 1
	EOF
	# fstab: /tmp is a small (128K) tmpfs, /media/etc a read-only 9p share
	# and /var a read-write 9p share, both over virtio.
	cat > "$pkgdir"/etc/fstab <<-EOF
		tmpfs      /tmp       tmpfs    size=128K                                     0 0
		config     /media/etc 9p       trans=virtio,ro,noatime,nodiratime,norelatime 0 0
		var        /var       9p       trans=virtio,rw                               0 0
	EOF
	cat > "$pkgdir"/etc/nsswitch.conf <<-EOF
		# musl itself does not support NSS, however some third-party DNS
		# implementations use the nsswitch.conf file to determine what
		# policy to follow.
		# Editing this file is not recommended.
		hosts: files dns
	EOF

	# protocols and services are the renamed netbase downloads from prepare().
	install -m644 \
		"$srcdir"/group \
		"$srcdir"/passwd \
		"$srcdir"/inittab \
		"$srcdir"/profile \
		"$srcdir"/protocols \
		"$srcdir"/services \
		"$pkgdir"/etc/

	# shadow (generated by build()) is root:shadow 0640; the shadow group
	# is declared in pkggroups= so it exists on the build host.
	install -m640 -g shadow "$builddir"/shadow \
		"$pkgdir"/etc/

	# symlinks
	# Sending root's shell history to /dev/null disables history persistence.
	ln -s /dev/null "$pkgdir"/root/.ash_history
	ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs
	ln -s /proc/mounts "$pkgdir"/etc/mtab
	ln -s /var/mail "$pkgdir"/var/spool/mail
	# NOTE(review): /etc/resolv.conf points into /tmp, which is created
	# 1777 above. Whoever creates /tmp/resolv.conf first chooses the
	# resolvers; presumably a boot-time service writes it before any
	# unprivileged code runs -- confirm that ordering.
	ln -s /tmp/resolv.conf "$pkgdir"/etc/resolv.conf
	# hostname is read from the read-only config share mounted at /media/etc.
	ln -s /media/etc/hostname "$pkgdir"/etc/hostname
}

# Integrity pins for every source= entry, including the two files fetched
# from salsa.debian.org; abuild verifies these before the sources are used.
# Bumping _nbver requires refreshing the protocols-/services- entries.
sha512sums="
6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82  crontab
b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a  20locale.sh
0b786df3a610e84ae98cbef8dc74998404a048c4a48d7acf57eafb04fb481b4b7f8a80c065f1ca10cced22c89243cc6e81b0ad46d5ca4a194d63ce49969cce09  group
7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880  inittab
b3508f9dc77e7eeb761c2d72b5f1003d09dbeaef1cd2d6b7ac47fb5c770cad507c89713d70d5ab0b645378e486cab2e130e9862cbfd2eea783b1808d4ca075f5  passwd
4eb857ed59c2edb257636d2bf196989e514a273e9701e9f076c9ae8c1589b4898269180569960acf072c0981ec7ea54014fd230f014401d6bb92314285d1e6aa  profile
3a00083bcdf5a9e884c9d07877d52311e3d99e79cbee656e236ba06e08ba0dddb7ba76494fdc9dd1a826c48e197a790a69e6bb458e9df64832d6b5e904e9fd15  protocols-6.4
47b0f3ee73af2d259bd206a026204be0ea25531a895a0b035a904b38fe5407bc3dd2beab7f8fcb3d760587e6159702ebdb9cbc4f508942befdf7f10c10c87888  services-6.4
"