V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs

@@ -17,6 +17,8 @@
 # Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 # Phase  : premount (executed by live-boot inside the initramfs).
 
+_SAVED_SET_OPTS="$(set +o)"
+
 set -eu
 
 sleep 3
@@ -43,6 +45,8 @@ printf "\e[92m[INFO] mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\"
 # shellcheck disable=SC2174
 mkdir -p -m 0700 "${UPPER}" "${WORK}"
 
+eval "${_SAVED_SET_OPTS}"
+
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -17,6 +17,8 @@
 # Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
 # Phase  : premount (executed by live-boot inside the initramfs)
 
+_SAVED_SET_OPTS="$(set +o)"
+
 set -eu
 
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m"
@@ -343,6 +345,8 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 
 fi
 
+eval "${_SAVED_SET_OPTS}"
+
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl

@@ -17,18 +17,22 @@
 # Purpose: Enforce early sysctls before services start.
 # Phase  : premount (executed by live-boot inside the initramfs).
 
+_SAVED_SET_OPTS="$(set +o)"
+
 set -eu
 
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
 
-#echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
-#echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
-#echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
-#echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
-#echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
-#echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
-#echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
-#echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+
+eval "${_SAVED_SET_OPTS}"
 
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
 

config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest

@@ -17,6 +17,8 @@
 # Purpose: Late rootfs attestation and dmsetup health checking.
 # Phase  : bottom (executed by live-boot inside the initramfs).
 
+_SAVED_SET_OPTS="$(set +o)"
+
 set -eu
 
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m"
@@ -174,6 +176,8 @@ log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
 
 fi
 
+eval "${_SAVED_SET_OPTS}"
+
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest]\n\e[0m"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/usr/lib/live/boot/9990-main.sh

@@ -20,6 +20,8 @@
 
 # set -e
 
+printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
+
 Live ()
 {
   printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"

config/includes.chroot/usr/lib/live/boot/9990-overlay.sh

@@ -20,6 +20,8 @@
 
 #set -e
 
+printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
+
 setup_unionfs ()
 {
   printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"