V9.14.000.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

code_review.md

@@ -0,0 +1,84 @@
+# code_review.md
+
+Use this file for explicit review tasks and final self-review after implementation. Do not treat it as a mandate for an
+unlimited audit unless the user asks for one.
+
+## Review priorities
+
+Review findings in this order:
+
+1. Correctness
+2. Security regressions
+3. Data loss risk
+4. Boot-chain integrity
+5. Reproducibility and deterministic behavior
+6. Error handling and cleanup
+7. Test or validation coverage
+8. Maintainability
+9. Minimality of diff
+10. Style consistency
+
+## Finding classes
+
+- `BLOCKER`: proven correctness bug, security regression, installer break, boot break, or data loss risk that must be fixed
+  before merge.
+- `RISK`: plausible issue or security concern that is not fully proven from the available context.
+- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
+- `NOTE`: observation only; no change requested.
+
+## Review output format
+
+List findings first, ordered by severity.
+
+For each finding include:
+
+- class
+- file path and line number where possible
+- observation
+- concrete impact
+- smallest reasonable fix
+
+Then include:
+
+- missing checks or validation gaps
+- residual risks
+- concise final recommendation
+
+If there are no findings, say so explicitly and still mention relevant validation gaps.
+
+## Scope control
+
+- Review the requested change, touched files, and directly affected code paths.
+- Do not expand a small implementation task into a broad repository audit.
+- Do not nitpick formatting when automated tooling exists.
+- Do not invent requirements not present in the task, repository, or documentation.
+- Do not request a full installer run, debootstrap run, destructive disk test, or network-heavy validation unless the changed
+  path cannot be checked responsibly any other way.
+- Prefer a small actionable finding over a broad speculative warning.
+- Separate observation, inference, and recommendation when the evidence is incomplete.
+
+## Installer-specific security checklist
+
+Check whether the change affects:
+
+- destructive disk operations, disk selection, partition table wiping, or formatting
+- partition boundaries, GPT/MBR type codes, bootable flags, or firmware mode selection
+- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS UUIDs, header backups, or nuke behavior
+- Btrfs filesystem creation, subvolumes, snapshots, labels, compression, or mount options
+- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, mapper names, or initramfs flags
+- initramfs-tools hooks, scripts, included binaries, early boot paths, or update-initramfs behavior
+- Dropbear initramfs remote unlock, forced commands, host keys, firewalling, unlock-wrapper signatures, or hashes
+- GRUB package selection, GRUB modules, encrypted `/boot`, UEFI fallback paths, BIOS install paths, or NVRAM behavior
+- chroot command construction, `env -i` sanitization, target mount handling, or host/target path separation
+- APT source generation, package authentication, Debian suite selection, signature verification, or hash verification
+- remote downloads, TLS settings, bundled source archives, provenance, or checksum files
+- key material, SSH keys, PGP keys, SOPS/AGE values, passphrase files, or secret cleanup
+- logging, debug traces, trap output, and accidental disclosure of sensitive values
+- file permissions, ownership, sudo policy, PAM, SSH policy, UFW, fail2ban, sysctl, modprobe, or hardening files
+- recovery target behavior and consistency with the primary target
+- reproducibility, deterministic ordering, and generated file stability
+- direct or indirect data loss risk
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

func/cdi_4300_network/4310_dropbear_build.sh

@@ -13,31 +13,146 @@
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Build Ultra Hardened dropbear-2025.88 from sources.
+# Build Ultra Hardened dropbear from sources.
 # Globals:
-#   DIR_TMP
 #   TARGET
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
+#   126: on permission, noexec, or interpreter execution failure
+#   127: on missing build command
 #   ERR_PATH_NOT_VALID: on failure
 #######################################
 dropbear_build() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_dropbear_version="2026.91"
   declare     var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
-  declare     var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
+  declare     var_build_root="/opt/.ciss/build"
+  declare     var_build_dir="${var_build_root}/dropbear-${var_dropbear_version}"
   declare -r  var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
+  declare -r  var_build_log="${TARGET}${var_logfile}"
+  declare -r  var_build_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  declare     var_command="" var_command_path="" var_configure_interpreter="" var_configure_shebang=""
+  declare     var_mount_options="" var_mount_target=""
+  declare -a  ary_required_commands=(bash setsid musl-gcc make nproc)
 
-  chroot_logger "${TARGET}${var_logfile}"
+  chroot_logger "${var_build_log}"
+
+  mkdir -p "${var_build_root}"
+  chmod 0700 "${var_build_root}"
+
+  if ! PATH="${var_build_path}" command -v findmnt >/dev/null 2>&1; then
+    do_log "error" "file_only" "4310() Required Dropbear build command missing from sterile PATH: 'findmnt'."
+    printf 'ERROR: required Dropbear build command missing from sterile PATH: findmnt\n' >> "${var_build_log}"
+    return 127
+  fi
+
+  case "${var_build_dir}" in
+    /opt/.ciss/build/dropbear-*) ;;
+    *)
+      do_log "error" "file_only" "4310() Refusing to clean unexpected Dropbear build directory: '${var_build_dir}'."
+      printf 'ERROR: refusing to clean unexpected Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+      return "${ERR_PATH_NOT_VALID}"
+      ;;
+  esac
+
+  rm -rf -- "${var_build_dir}"
+  tar xjf "${var_tar}" -C "${var_build_root}" || return "${ERR_PATH_NOT_VALID}"
+
+  if [[ ! -d "${var_build_dir}" ]]; then
+    do_log "error" "file_only" "4310() Dropbear build directory missing: '${var_build_dir}'."
+    printf 'ERROR: Dropbear build directory missing: %s\n' "${var_build_dir}" >> "${var_build_log}"
+    return "${ERR_PATH_NOT_VALID}"
+  fi
 
-  mkdir -p "${DIR_TMP}/build"
-  cp "${var_tar}" "${DIR_TMP}/build"
-  tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
   cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
-  cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
+
+  if ! var_mount_target="$(PATH="${var_build_path}" findmnt -T "${var_build_dir}" -no TARGET)"; then
+    do_log "error" "file_only" "4310() Cannot determine mount target for Dropbear build directory: '${var_build_dir}'."
+    printf 'ERROR: cannot determine mount target for Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+    return "${ERR_PATH_NOT_VALID}"
+  fi
+
+  if ! var_mount_options="$(PATH="${var_build_path}" findmnt -T "${var_build_dir}" -no OPTIONS)"; then
+    do_log "error" "file_only" "4310() Cannot determine mount options for Dropbear build directory: '${var_build_dir}'."
+    printf 'ERROR: cannot determine mount options for Dropbear build directory: %s\n' "${var_build_dir}" >> "${var_build_log}"
+    return "${ERR_PATH_NOT_VALID}"
+  fi
+
+  if [[ ! -f "${var_build_dir}/configure" ]]; then
+    do_log "error" "file_only" "4310() Dropbear configure script missing: '${var_build_dir}/configure'."
+    printf 'ERROR: Dropbear configure script missing: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+    return "${ERR_PATH_NOT_VALID}"
+  fi
+
+  if ! IFS= read -r var_configure_shebang < "${var_build_dir}/configure"; then
+    do_log "error" "file_only" "4310() Cannot read Dropbear configure script: '${var_build_dir}/configure'."
+    printf 'ERROR: cannot read Dropbear configure script: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+    return "${ERR_PATH_NOT_VALID}"
+  fi
+
+  if [[ ! -x "${var_build_dir}/configure" ]]; then
+    do_log "warn" "file_only" "4310() Dropbear configure script is not executable; correcting trusted source tree mode."
+    printf 'WARNING: Dropbear configure script is not executable; correcting trusted source tree mode.\n' >> "${var_build_log}"
+    chmod u+x "${var_build_dir}/configure" || return 126
+  fi
+
+  if [[ ! -x "${var_build_dir}/configure" ]]; then
+    do_log "error" "file_only" "4310() Dropbear configure script is not executable: '${var_build_dir}/configure'."
+    printf 'ERROR: Dropbear configure script is not executable: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+    return 126
+  fi
+
+  (
+    set -Ceuo pipefail
+    PATH="${var_build_path}"
+    export PATH
+    cd "${var_build_dir}"
+    printf '4310 Dropbear build preflight diagnostics\n'
+    pwd
+    id
+    for var_command in bash setsid musl-gcc make nproc; do
+      if var_command_path="$(command -v "${var_command}")"; then
+        printf 'command -v %s: %s\n' "${var_command}" "${var_command_path}"
+      else
+        printf 'command -v %s: not found\n' "${var_command}"
+      fi
+    done
+    findmnt -T .
+    ls -ld .
+    ls -l ./configure
+    stat ./configure
+    head -n 1 ./configure
+  ) >> "${var_build_log}" 2>&1
+
+  if [[ ",${var_mount_options}," == *,noexec,* ]]; then
+    do_log "error" "file_only" "4310() Dropbear build directory is on a noexec mount: '${var_mount_target}' options '${var_mount_options}'. Use an exec-capable build directory."
+    printf 'ERROR: Dropbear build directory is on a noexec mount: %s options %s\n' "${var_mount_target}" "${var_mount_options}" >> "${var_build_log}"
+    return 126
+  fi
+
+  if [[ "${var_configure_shebang}" != "#!"* ]]; then
+    do_log "error" "file_only" "4310() Dropbear configure script has no interpreter line: '${var_build_dir}/configure'."
+    printf 'ERROR: Dropbear configure script has no interpreter line: %s/configure\n' "${var_build_dir}" >> "${var_build_log}"
+    return 126
+  fi
+
+  read -r var_configure_interpreter _ <<< "${var_configure_shebang#\#!}"
+  if [[ "${var_configure_interpreter}" != /* || ! -x "${var_configure_interpreter}" ]]; then
+    do_log "error" "file_only" "4310() Dropbear configure interpreter is not executable: '${var_configure_interpreter}'."
+    printf 'ERROR: Dropbear configure interpreter is not executable: %s\n' "${var_configure_interpreter}" >> "${var_build_log}"
+    return 126
+  fi
+
+  for var_command in "${ary_required_commands[@]}"; do
+    if ! PATH="${var_build_path}" command -v "${var_command}" >/dev/null 2>&1; then
+      do_log "error" "file_only" "4310() Required Dropbear build command missing from sterile PATH: '${var_command}'."
+      printf 'ERROR: required Dropbear build command missing from sterile PATH: %s\n' "${var_command}" >> "${var_build_log}"
+      return 127
+    fi
+  done
 
   ### Flag Purpose:
   #  -fPIE              : Generate position-independent executable code
@@ -49,13 +164,17 @@ dropbear_build() {
   guard_trace on
 
   # shellcheck disable=SC2016,SC2312
-  setsid bash -c '
+  PATH="${var_build_path}" setsid bash -c '
+    set -Ceuo pipefail
     ### Sterile environment for the build-process.
     export -n SHELLOPTS
-    set +u
     unset PATH_SEPARATOR
     PATH_SEPARATOR=":"
-    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    export PATH_SEPARATOR
+    PATH="${1}"
+    export PATH
+    cd "${2}"
+
     CC=musl-gcc \
       CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
       LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
@@ -67,7 +186,7 @@ dropbear_build() {
 
     # shellcheck disable=2312
     make -j"$(nproc)"
-  ' >> "${TARGET}${var_logfile}" 2>&1
+  ' bash "${var_build_path}" "${var_build_dir}" >> "${var_build_log}" 2>&1
 
   guard_trace off