V9.14.022.2026.06.11: enforce secret and cleanup safeguards

2026-06-11 05:08:01 +02:00
parent 74897d85b1
commit 9d3f283297
10 changed files with 182 additions and 154 deletions
+29 -32
@@ -32,15 +32,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
clean_up() {
declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob dotglob
shopt -u failglob
declare chroot_directory="" clean_exit_code="$1" fs_type="" includes_directory=""
if [[ -e /dev/mapper/crypt_liveiso ]]; then
cryptsetup close crypt_liveiso || true
@@ -52,10 +44,10 @@ clean_up() {
rm -f -- "${VAR_NOTES}"
### Release advisory lock on FD 127.
flock -u 127
flock -u 127 2>/dev/null || true
### Close file descriptor 127.
exec 127>&-
exec 127>&- 2>/dev/null || true
### Remove the lockfile artifact.
rm -f /run/lock/ciss_live_builder.lock
@@ -100,36 +92,41 @@ clean_up() {
### No tracing for security reasons ------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
### Removes secrets securely.
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
### Removes secrets securely only after re-validating the fixed tmpfs staging area.
if validate_secret_staging_area "true"; then
# shellcheck disable=SC2312
find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
### Remove empty directories (bottom-up).
find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete || true
else
printf "\e[93m⚠ Secret cleanup skipped because the staging area failed validation. \e[0m\n" >&2
fi
### Delete all files and directories below ./chroot.
if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"
### Destructive build cleanup requires the exact builder-owned directory marker.
if [[ -n "${VAR_HANDLER_BUILD_DIR}" ]] && validate_build_directory_marker "${VAR_HANDLER_BUILD_DIR}" "true"; then
if [[ -e "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" || -L "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
if validate_build_directory_subpath "${VAR_HANDLER_BUILD_DIR}" "config/includes.chroot" includes_directory "true"; then
# shellcheck disable=SC2312
find "${includes_directory}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true
find "${includes_directory}" -depth -xdev -type d -empty -delete || true
else
printf "\e[93m⚠ Build includes cleanup skipped because the exact subpath failed validation. \e[0m\n" >&2
fi
fi
if [[ -e "${VAR_HANDLER_BUILD_DIR}/chroot" || -L "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
if validate_build_directory_subpath "${VAR_HANDLER_BUILD_DIR}" "chroot" chroot_directory "true"; then
remove_build_paths "${chroot_directory}" || true
else
printf "\e[93m⚠ Build chroot cleanup skipped because the exact subpath failed validation. \e[0m\n" >&2
fi
fi
elif [[ -n "${VAR_HANDLER_BUILD_DIR}" ]]; then
printf "\e[93m⚠ Build-directory cleanup skipped because the exact builder-owned marker failed validation. \e[0m\n" >&2
fi
### Turn on tracing again ----------------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0
}
### Prevents accidental 'unset -f'.
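Review bot: The `|| true` appended to the shred pipelines for `${VAR_TMP_SECRET}` and `${includes_directory}` discards the exit status of `shred`, so a file that could not be overwritten or unlinked leaves secret material behind with no diagnostic, whereas the validation failures in the same block each emit a warning. Prefer reporting the failure instead of masking it, e.g. replace the trailing `|| true` on the shred line with `|| printf "\e[93m⚠ Secret shredding reported errors; residual files may remain below the staging area. \e[0m\n" >&2` (and likewise for the includes tree); whether `find` errors are also covered depends on `pipefail`, which is set outside this hunk. The staging-area comment describes a fixed tmpfs, but nothing visible constrains the filesystem under `${includes_directory}`, where `shred` cannot guarantee an overwrite on journaled or copy-on-write storage; a comment such as `### shred only guarantees overwrite on tmpfs/non-CoW storage; see shred(1).` above that pipeline would make the limit explicit. clean_up's opening lines are outside this hunk.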