diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs index bd6cc84..c3dbdd6 100644 --- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs +++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs @@ -17,6 +17,8 @@ # Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. # Phase : premount (executed by live-boot inside the initramfs). +_SAVED_SET_OPTS="$(set +o)" + set -eu sleep 3 @@ -43,6 +45,8 @@ printf "\e[92m[INFO] mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" # shellcheck disable=SC2174 mkdir -p -m 0700 "${UPPER}" "${WORK}" +eval "${_SAVED_SET_OPTS}" + printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index c9f2129..b20d20a 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash +++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash @@ -17,6 +17,8 @@ # Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh' # Phase : premount (executed by live-boot inside the initramfs) +_SAVED_SET_OPTS="$(set +o)" + set -eu printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m" @@ -343,6 +345,8 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then fi +eval "${_SAVED_SET_OPTS}" + printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl index 4d40ae4..44b48f9 100644 --- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl +++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl @@ -17,18 +17,22 @@ # Purpose: Enforce early sysctls before services start. # Phase : premount (executed by live-boot inside the initramfs). +_SAVED_SET_OPTS="$(set +o)" + set -eu printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m" -#echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true -#echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true -#echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true -#echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true -#echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true -#echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true -#echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true -#echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true +echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true +echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true +echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true +echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true +echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true +echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true +echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true +echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true + +eval "${_SAVED_SET_OPTS}" printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m" diff --git a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest index 9663f43..4161639 100644 --- a/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest +++ b/config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest @@ -17,6 +17,8 @@ # Purpose: Late rootfs attestation and dmsetup health checking. # Phase : bottom (executed by live-boot inside the initramfs). +_SAVED_SET_OPTS="$(set +o)" + set -eu printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m" @@ -174,6 +176,8 @@ log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy." fi +eval "${_SAVED_SET_OPTS}" + printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest]\n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/usr/lib/live/boot/9990-main.sh b/config/includes.chroot/usr/lib/live/boot/9990-main.sh index fc2b97c..c7dcacf 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh @@ -20,6 +20,8 @@ # set -e +printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" + Live () { printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" diff --git a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh index b4c886d..5c87b93 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh @@ -20,6 +20,8 @@ #set -e +printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m" + setup_unionfs () { printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"