diff --git a/code_review.md b/code_review.md
new file mode 100644
index 0000000..5a63861
--- /dev/null
+++ b/code_review.md
@@ -0,0 +1,84 @@
+# code_review.md
+
+Use this file for explicit review tasks and final self-review after implementation. Do not treat it as a mandate for an
+unlimited audit unless the user asks for one.
+
+## Review priorities
+
+Review findings in this order:
+
+1. Correctness
+2. Security regressions
+3. Data loss risk
+4. Boot-chain integrity
+5. Reproducibility and deterministic behavior
+6. Error handling and cleanup
+7. Test or validation coverage
+8. Maintainability
+9. Minimality of diff
+10. Style consistency
+
+## Finding classes
+
+- `BLOCKER`: proven correctness bug, security regression, installer break, boot break, or data loss risk that must be fixed
+ before merge.
+- `RISK`: plausible issue or security concern that is not fully proven from the available context.
+- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
+- `NOTE`: observation only; no change requested.
+
+## Review output format
+
+List findings first, ordered by severity.
+
+For each finding include:
+
+- class
+- file path and line number where possible
+- observation
+- concrete impact
+- smallest reasonable fix
+
+Then include:
+
+- missing checks or validation gaps
+- residual risks
+- concise final recommendation
+
+If there are no findings, say so explicitly and still mention relevant validation gaps.
+
+## Scope control
+
+- Review the requested change, touched files, and directly affected code paths.
+- Do not expand a small implementation task into a broad repository audit.
+- Do not nitpick formatting when automated tooling exists.
+- Do not invent requirements not present in the task, repository, or documentation.
+- Do not request a full installer run, debootstrap run, destructive disk test, or network-heavy validation unless the changed
+ path cannot be checked responsibly any other way.
+- Prefer a small actionable finding over a broad speculative warning.
+- Separate observation, inference, and recommendation when the evidence is incomplete.
+
+## Installer-specific security checklist
+
+Check whether the change affects:
+
+- destructive disk operations, disk selection, partition table wiping, or formatting
+- partition boundaries, GPT/MBR type codes, bootable flags, or firmware mode selection
+- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS UUIDs, header backups, or nuke behavior
+- Btrfs filesystem creation, subvolumes, snapshots, labels, compression, or mount options
+- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, mapper names, or initramfs flags
+- initramfs-tools hooks, scripts, included binaries, early boot paths, or update-initramfs behavior
+- Dropbear initramfs remote unlock, forced commands, host keys, firewalling, unlock-wrapper signatures, or hashes
+- GRUB package selection, GRUB modules, encrypted `/boot`, UEFI fallback paths, BIOS install paths, or NVRAM behavior
+- chroot command construction, `env -i` sanitization, target mount handling, or host/target path separation
+- APT source generation, package authentication, Debian suite selection, signature verification, or hash verification
+- remote downloads, TLS settings, bundled source archives, provenance, or checksum files
+- key material, SSH keys, PGP keys, SOPS/AGE values, passphrase files, or secret cleanup
+- logging, debug traces, trap output, and accidental disclosure of sensitive values
+- file permissions, ownership, sudo policy, PAM, SSH policy, UFW, fail2ban, sysctl, modprobe, or hardening files
+- recovery target behavior and consistency with the primary target
+- reproducibility, deterministic ordering, and generated file stability
+- direct or indirect data loss risk
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/func/cdi_4300_network/4310_dropbear_build.sh b/func/cdi_4300_network/4310_dropbear_build.sh
index 7cba5db..85fe170 100644
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -13,31 +13,146 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
-# Build Ultra Hardened dropbear-2025.88 from sources.
+# Build Ultra Hardened dropbear from sources.
 # Globals:
-# DIR_TMP
 # TARGET
 # VAR_SETUP_PATH
 # Arguments:
 # None
 # Returns:
 # 0: on success
+# 126: on permission, noexec, or interpreter execution failure
+# 127: on missing build command
 # ERR_PATH_NOT_VALID: on failure
 #######################################
 dropbear_build() {
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_version="2026.91"
 declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
- declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
+ declare var_build_root="/opt/.ciss/build"
+ declare var_build_dir="${var_build_root}/dropbear-${var_dropbear_version}"
 declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
+ declare -r var_build_log="${TARGET}${var_logfile}"
+ declare -r var_build_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ declare var_command="" var_command_path="" var_configure_interpreter="" var_configure_shebang=""
+ declare var_mount_options="" var_mount_target=""
+ declare -a ary_required_commands=(bash setsid musl-gcc make nproc)
- chroot_logger "${TARGET}${var_logfile}"
+ chroot_logger "${var_build_log}"
+
+ mkdir -p "${var_build_root}"
+ chmod 0700 "${var_build_root}"
+
+ if ! PATH="${var_build_path}" command -v findmnt >/dev/null 2>&1; then
+ do_log "error" "file_only" "4310() Required Dropbear build command missing from sterile PATH: 'findmnt'."
+ printf 'ERROR: required Dropbear build command missing from sterile PATH: findmnt\n' >> "${var_build_log}"
+ return 127
+ fi
+
+ case "${var_build_dir}" in
+ /opt/.ciss/build/dropbear-*) ;;
+ *)
+ do_log "error" "file_only" "4310() Refusing to clean unexpected Dropbear build directory: '${var_build_dir}'."
+ printf 'ERROR: refusing to clean unexpected Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ ;;
+ esac
+
+ rm -rf -- "${var_build_dir}"
+ tar xjf "${var_tar}" -C "${var_build_root}" || return "${ERR_PATH_NOT_VALID}"
+
+ if [[ ! -d "${var_build_dir}" ]]; then
+ do_log "error" "file_only" "4310() Dropbear build directory missing: '${var_build_dir}'."
+ printf 'ERROR: Dropbear build directory missing: %s\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ fi
- mkdir -p "${DIR_TMP}/build"
- cp "${var_tar}" "${DIR_TMP}/build"
- tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
 cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
- cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
+
+ if ! var_mount_target="$(PATH="${var_build_path}" findmnt -T "${var_build_dir}" -no TARGET)"; then
+ do_log "error" "file_only" "4310() Cannot determine mount target for Dropbear build directory: '${var_build_dir}'."
+ printf 'ERROR: cannot determine mount target for Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ fi
+
+ if ! var_mount_options="$(PATH="${var_build_path}" findmnt -T "${var_build_dir}" -no OPTIONS)"; then
+ do_log "error" "file_only" "4310() Cannot determine mount options for Dropbear build directory: '${var_build_dir}'."
+ printf 'ERROR: cannot determine mount options for Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ fi
+
+ if [[ ! -f "${var_build_dir}/configure" ]]; then
+ do_log "error" "file_only" "4310() Dropbear configure script missing: '${var_build_dir}/configure'."
+ printf 'ERROR: Dropbear configure script missing: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ fi
+
+ if !
IFS= read -r var_configure_shebang < "${var_build_dir}/configure"; then
+ do_log "error" "file_only" "4310() Cannot read Dropbear configure script: '${var_build_dir}/configure'."
+ printf 'ERROR: cannot read Dropbear configure script: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+ return "${ERR_PATH_NOT_VALID}"
+ fi
+
+ if [[ ! -x "${var_build_dir}/configure" ]]; then
+ do_log "warn" "file_only" "4310() Dropbear configure script is not executable; correcting trusted source tree mode."
+ printf 'WARNING: Dropbear configure script is not executable; correcting trusted source tree mode.\n' >> "${var_build_log}"
+ chmod u+x "${var_build_dir}/configure" || return 126
+ fi
+
+ if [[ ! -x "${var_build_dir}/configure" ]]; then
+ do_log "error" "file_only" "4310() Dropbear configure script is not executable: '${var_build_dir}/configure'."
+ printf 'ERROR: Dropbear configure script is not executable: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+ return 126
+ fi
+
+ (
+ set -Ceuo pipefail
+ PATH="${var_build_path}"
+ export PATH
+ cd "${var_build_dir}"
+ printf '4310 Dropbear build preflight diagnostics\n'
+ pwd
+ id
+ for var_command in bash setsid musl-gcc make nproc; do
+ if var_command_path="$(command -v "${var_command}")"; then
+ printf 'command -v %s: %s\n' "${var_command}" "${var_command_path}"
+ else
+ printf 'command -v %s: not found\n' "${var_command}"
+ fi
+ done
+ findmnt -T .
+ ls -ld .
+ ls -l ./configure
+ stat ./configure
+ head -n 1 ./configure
+ ) >> "${var_build_log}" 2>&1
+
+ if [[ ",${var_mount_options}," == *,noexec,* ]]; then
+ do_log "error" "file_only" "4310() Dropbear build directory is on a noexec mount: '${var_mount_target}' options '${var_mount_options}'. Use an exec-capable build directory."
+ printf 'ERROR: Dropbear build directory is on a noexec mount: %s options %s\n' "${var_mount_target}" "${var_mount_options}" >> "${var_build_log}"
+ return 126
+ fi
+
+ if [[ "${var_configure_shebang}" != "#!"* ]]; then
+ do_log "error" "file_only" "4310() Dropbear configure script has no interpreter line: '${var_build_dir}/configure'."
+ printf 'ERROR: Dropbear configure script has no interpreter line: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+ return 126
+ fi
+
+ read -r var_configure_interpreter _ <<< "${var_configure_shebang#\#!}"
+ if [[ "${var_configure_interpreter}" != /* || ! -x "${var_configure_interpreter}" ]]; then
+ do_log "error" "file_only" "4310() Dropbear configure interpreter is not executable: '${var_configure_interpreter}'."
+ printf 'ERROR: Dropbear configure interpreter is not executable: %s\n' "${var_configure_interpreter}" >> "${var_build_log}"
+ return 126
+ fi
+
+ for var_command in "${ary_required_commands[@]}"; do
+ if ! PATH="${var_build_path}" command -v "${var_command}" >/dev/null 2>&1; then
+ do_log "error" "file_only" "4310() Required Dropbear build command missing from sterile PATH: '${var_command}'."
+ printf 'ERROR: required Dropbear build command missing from sterile PATH: %s\n' "${var_command}" >> "${var_build_log}"
+ return 127
+ fi
+ done
 ### Flag Purpose:
 # -fPIE : Generate position-independent executable code
@@ -49,13 +164,17 @@ dropbear_build() {
 guard_trace on
 # shellcheck disable=SC2016,SC2312
- setsid bash -c '
+ PATH="${var_build_path}" setsid bash -c '
+ set -Ceuo pipefail
 ### Sterile environment for the build-process.
 export -n SHELLOPTS
- set +u
 unset PATH_SEPARATOR
 PATH_SEPARATOR=":"
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ export PATH_SEPARATOR
+ PATH="${1}"
+ export PATH
+ cd "${2}"
+
 CC=musl-gcc \
 CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
 LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
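Review bot: The sterile PATH is applied inconsistently in the new preflight: `findmnt` and the `command -v` probes are pinned to `var_build_path`, but `mkdir`, `chmod`, `rm -rf`, `tar`, `cp`, and the later `chmod u+x` on the same build tree still resolve through the caller's PATH, so the directory the pinned checks then inspect was created and populated by unpinned tools. Setting it once for the whole function, `declare PATH="${var_build_path}"` next to the other declarations, would cover every external command in dropbear_build and make the per-call prefixes unnecessary, assuming the helper functions called here need nothing outside those directories. The `id` line in the diagnostics suggests the build runs as root; if so and `tar` is GNU tar, extraction keeps the archive's owners and modes by default, so `tar --no-same-owner --no-same-permissions -xjf "${var_tar}" -C "${var_build_root}"` would be the safer default for a tree that is subsequently made executable. Nothing in the hunk records why the build left `${DIR_TMP}` for the persistent host path `/opt/.ciss/build`, or who removes that tree afterwards; a comment above `declare var_build_root`, such as `# Host-side build root, kept outside DIR_TMP so it sits on an exec-capable mount (verified with findmnt below).`, would capture the intent, and the cleanup question is worth answering in the commit. dropbear_build's body continues past this hunk.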
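Review bot: The child started by `setsid bash -c` still inherits the caller's full environment; the new code controls only `PATH`, `PATH_SEPARATOR`, and `SHELLOPTS`, so the `### Sterile environment for the build-process.` comment overstates what is sanitised, and host-shell variables such as `MAKEFLAGS`, `CPATH`, or `LIBRARY_PATH` would still reach configure and make and change the produced binary between runs. Because the script already receives everything it needs as positional arguments, the call can become `env -i PATH="${var_build_path}" setsid bash -c '` with the script body unchanged; the `PATH="${1}"` / `export PATH` lines inside then restate an already-clean value rather than repairing an inherited one. The added `set -Ceuo pipefail` makes a failing configure or make terminate the child, which is an improvement, but the only visible continuation of this command, in the next hunk, appends the output to the log and proceeds to `guard_trace off` without testing the exit status; unless that is handled after the cut-off, a `|| return "${ERR_PATH_NOT_VALID}"` (or a dedicated build error code documented in the header's Returns list) is needed on that line so the child's failure becomes the function's. The quoted script and dropbear_build itself both continue beyond this hunk.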
@@ -67,7 +186,7 @@ dropbear_build() {
 # shellcheck disable=2312
 make -j"$(nproc)"
- ' >> "${TARGET}${var_logfile}" 2>&1
+ ' bash "${var_build_path}" "${var_build_dir}" >> "${var_build_log}" 2>&1
 guard_trace off