V9.14.022.2026.06.11: enforce secret and cleanup safeguards

2026-06-11 05:08:01 +02:00
parent 74897d85b1
commit 9d3f283297
10 changed files with 182 additions and 154 deletions
@@ -66,6 +66,49 @@ readonly -f preallocate
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
 declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
 declare KEYFD=""
+declare LUKS_KEY_FILE=""
+declare LUKS_KEY_FILENAME="${VAR_LUKS_KEY:-luks.txt}"
+declare LUKS_KEY_LINK_COUNT=""
+declare LUKS_KEY_MODE=""
+declare LUKS_KEY_OWNER=""
+declare SECRET_ROOT_FS=""
+declare SECRET_ROOT_MODE=""
+declare SECRET_ROOT_OWNER=""
+
+if [[ -L "${VAR_TMP_SECRET}" || ! -d "${VAR_TMP_SECRET}" ]]; then
+  printf "\e[91m❌ Unsafe secret root rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+SECRET_ROOT_OWNER="$(stat -c '%u' "${VAR_TMP_SECRET}")"
+SECRET_ROOT_MODE="$(stat -c '%a' "${VAR_TMP_SECRET}")"
+SECRET_ROOT_FS="$(stat -f -c '%T' "${VAR_TMP_SECRET}")"
+if [[ "${SECRET_ROOT_OWNER}" != "${EUID}" || "${SECRET_ROOT_MODE}" != "700" \
+  || ( "${SECRET_ROOT_FS}" != "tmpfs" && "${SECRET_ROOT_FS}" != "ramfs" ) ]]; then
+  printf "\e[91m❌ Unsafe secret-root ownership, permissions, or filesystem rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+if [[ -z "${LUKS_KEY_FILENAME}" || "${LUKS_KEY_FILENAME}" == "." || "${LUKS_KEY_FILENAME}" == ".." \
+  || "${LUKS_KEY_FILENAME}" == */* || ! "${LUKS_KEY_FILENAME}" =~ ^[A-Za-z0-9._@%+=:,~-]+$ ]]; then
+  printf "\e[91m❌ Unsafe LUKS key filename rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+LUKS_KEY_FILE="${VAR_TMP_SECRET}/${LUKS_KEY_FILENAME}"
+if [[ -L "${LUKS_KEY_FILE}" || ! -f "${LUKS_KEY_FILE}" ]]; then
+  printf "\e[91m❌ Unsafe LUKS key file rejected. \e[0m\n" >&2
+  exit 42
+fi
+
+LUKS_KEY_OWNER="$(stat -c '%u' "${LUKS_KEY_FILE}")"
+LUKS_KEY_MODE="$(stat -c '%a' "${LUKS_KEY_FILE}")"
+LUKS_KEY_LINK_COUNT="$(stat -c '%h' "${LUKS_KEY_FILE}")"
+if [[ "${LUKS_KEY_OWNER}" != "${EUID}" || "${LUKS_KEY_LINK_COUNT}" != "1" \
+  || ( "${LUKS_KEY_MODE}" != "400" && "${LUKS_KEY_MODE}" != "600" ) ]]; then
+  printf "\e[91m❌ Unsafe LUKS key ownership, permissions, or link count rejected. \e[0m\n" >&2
+  exit 42
+fi

 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
@@ -82,7 +125,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) *

 preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"

-exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+exec {KEYFD}<"${LUKS_KEY_FILE}"

 if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then

@@ -146,7 +189,7 @@ cryptsetup close crypt_liveiso

 exec {KEYFD}<&-

-shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
+shred -fzu -n 5 -- "${LUKS_KEY_FILE}"

 rm -f -- "${ROOTFS}"