V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-12-04 22:17:40 +01:00
parent 1b5fc26993
commit aedd03513e
8 changed files with 150 additions and 30 deletions
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -354,6 +354,9 @@ readonly -f verify_script
 main() {
  declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0

+  mkdir -p /var/log
+  : >| /var/log/wtmp
+
  exec 1>&2

  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
--- a/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
@@ -22,6 +22,9 @@ case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac

+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log

--- a/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
+++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
@@ -22,6 +22,9 @@ case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac

+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log

--- a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
@@ -94,9 +94,11 @@ blacklist gfs2
 # The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
 install vivid /bin/true

-##### Disable access to USB #####
-install usb_storage /bin/true
+##### Disable access to USB and UAS #####
+install usb-storage /bin/true
+install uas /bin/true
 blacklist usb-storage
+blacklist uas

 ##### Disable access to IEEE1394 #####
 install firewire-core /bin/true
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -364,17 +364,26 @@ done
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then

  printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
+
  kill "${PID_PROMPT}" 2>/dev/null || true
  kill "${PID_BROKER}" 2>/dev/null || true
+  wait "${PID_PROMPT}" 2>/dev/null || true
+  wait "${PID_BROKER}" 2>/dev/null || true
+
  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+
  sleep 60
+
  log   "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
  panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."

 fi

 kill "${PID_PROMPT}" 2>/dev/null || true
+kill "${PID_BROKER}" 2>/dev/null || true
+wait "${PID_PROMPT}" 2>/dev/null || true
 wait "${PID_BROKER}" 2>/dev/null || true
+
 rm -f /lib/cryptsetup/passfifo 2>/dev/null || true

 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"