msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.392.2025.11.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m15s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-07 20:46:09 +01:00
parent f797c16278
commit f4cec85f7f
10 changed files with 72 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ciss_live_builder.sh
View File

@@ -136,6 +136,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_check_kernel.sh" source_guard "./lib/lib_check_kernel.sh"
source_guard "./lib/lib_check_pkgs.sh" source_guard "./lib/lib_check_pkgs.sh"
source_guard "./lib/lib_check_provider.sh" source_guard "./lib/lib_check_provider.sh"
source_guard "./lib/lib_check_secrets.sh"
source_guard "./lib/lib_check_stats.sh" source_guard "./lib/lib_check_stats.sh"
source_guard "./lib/lib_check_var.sh" source_guard "./lib/lib_check_var.sh"
source_guard "./lib/lib_ciss_upgrades_boot.sh" source_guard "./lib/lib_ciss_upgrades_boot.sh"
@@ -249,6 +250,7 @@ note_target
provider_netcup provider_netcup
update_microcode update_microcode
x_hooks x_hooks
x_remove
### Start the build process ---------------------------------------------------------------------------------------------------- ### Start the build process ----------------------------------------------------------------------------------------------------
set +o errtrace set +o errtrace

3
docs/CHANGELOG.md
View File

@@ -14,7 +14,8 @@ include_toc: true
## V8.13.392.2025.11.07 ## V8.13.392.2025.11.07
* **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"`` * **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"``
* **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace`() * **Added**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + Final secrets wiper before starting ``lb build``.
* **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace()``
* **Added**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) + Trap on ``EXIT`` handler for 'non-0' exit-code. * **Added**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) + Trap on ``EXIT`` handler for 'non-0' exit-code.
* **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling * **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling

44
lib/lib_check_secrets.sh Normal file
View File

@@ -0,0 +1,44 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Removes secrets securely before 'lb build' execution.
# Globals:
# BASH_SOURCE
# VAR_TMP_SECRET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
x_remove() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
shopt -s nullglob dotglob
### Removes secrets securely.
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
shopt -u nullglob dotglob
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f x_remove
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

14
lib/lib_clean_up.sh
View File

@@ -39,19 +39,19 @@ clean_up() {
rm -f -- "${VAR_KERNEL_TMP}" rm -f -- "${VAR_KERNEL_TMP}"
rm -f -- "${VAR_NOTES}" rm -f -- "${VAR_NOTES}"
# Release advisory lock on FD 127. ### Release advisory lock on FD 127.
flock -u 127 flock -u 127
# Close file descriptor 127. ### Close file descriptor 127.
exec 127>&- exec 127>&-
# Remove the lockfile artifact. ### Remove the lockfile artifact.
rm -f /run/lock/ciss_live_builder.lock rm -f /run/lock/ciss_live_builder.lock
# Removes the error log on clean exit. ### Removes the error log on clean exit.
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
# Cleaning TCP wrapper artifacts. ### Cleaning TCP wrapper artifacts.
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
rm -f "${VAR_WORKDIR}/hosts.allow" rm -f "${VAR_WORKDIR}/hosts.allow"
fi fi
@@ -59,7 +59,7 @@ clean_up() {
rm -f "${VAR_WORKDIR}/hosts.deny" rm -f "${VAR_WORKDIR}/hosts.deny"
fi fi
# Kill gpg-agent and remove artifacts securely. ### Kill gpg-agent and remove artifacts securely.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
@@ -85,7 +85,7 @@ clean_up() {
fi fi
# Removes secrets securely. ### Removes secrets securely.
# shellcheck disable=SC2312 # shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete

4
lib/lib_hardening_ultra.sh
View File

@@ -75,13 +75,13 @@ hardening_ultra() {
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
rsync -aHAX --delete ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/" cp -af ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
chmod 0755 ./config/includes.chroot/etc/ciss/keys chmod 0755 ./config/includes.chroot/etc/ciss/keys
chmod 0444 ./config/includes.chroot/etc/ciss/keys/* chmod 0444 ./config/includes.chroot/etc/ciss/keys/*
else else
rsync -aHAX --delete ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/" cp -af ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
chmod 0755 ./config/includes.chroot/etc/ciss/keys chmod 0755 ./config/includes.chroot/etc/ciss/keys
chmod 0444 ./config/includes.chroot/etc/ciss/keys/* chmod 0444 ./config/includes.chroot/etc/ciss/keys/*

6
lib/lib_note_target.sh
View File

@@ -70,9 +70,9 @@ export CDLB_VERSION="${VAR_VERSION}"
export CDLB_GIT_REL="${VAR_GIT_REL}" export CDLB_GIT_REL="${VAR_GIT_REL}"
export CDLB_CR_DATE="${VAR_DATE_INFO}" export CDLB_CR_DATE="${VAR_DATE_INFO}"
export CDLB_CR_HOST="${VAR_HOST}" export CDLB_CR_HOST="${VAR_HOST}"
export CDLB_BASHVER="${VAR_VER_BASH}" export CDLB_VER_BASH="${VAR_VER_BASH}"
export CDLB_DS_VER="${VAR_VER_DS}" export CDLB_VER_DS="${VAR_VER_DS}"
export CDLB_LB_VER="${VAR_VER_LB}" export CDLB_VER_LB="${VAR_VER_LB}"
export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}" export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
EOF EOF
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env" chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"

2
lib/lib_primordial.sh
View File

@@ -73,8 +73,6 @@ init_primordial() {
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0 return 0

12
lib/lib_trap_on_err.sh
View File

@@ -167,13 +167,13 @@ readonly -f print_scr_err
trap_on_err() { trap_on_err() {
trap - DEBUG ERR INT TERM trap - DEBUG ERR INT TERM
declare -g ERRCODE="$1" declare -gx ERRCODE="$1"
declare -g ERRSCRT="$2" declare -gx ERRSCRT="$2"
declare -g ERRLINE="$3" declare -gx ERRLINE="$3"
declare -g ERRFUNC="$4" declare -gx ERRFUNC="$4"
declare -g ERRCMMD="$5" declare -gx ERRCMMD="$5"
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -g ERRTRAP="true" declare -gx ERRTRAP="true"
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi

47
var/error.var.sh
View File

@@ -1,47 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2034
### Definition of error codes.
declare -gir ERR_UNCRITICAL=127
declare -gir ERR_NOT_USER_0=128 # Not running as root
declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
declare -gir ERR_FLOCK_COLL=130 # The Script is already running
declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'
declare -gir ERR_REIONICE_P=203 # --reionice-priority no values provided.
declare -gir ERR_REIO_P_VAL=204 # --reionice-priority PRIORITY MUST be an integer between '0' and '7'
declare -gir ERR_REIO_C_VAL=205 # --reionice-priority CLASS MUST be an integer between '1' and '3'
declare -gir ERR_MISS_PWD_P=206 # --root-password-file missing password file path argument
declare -gir ERR_MISS_PWD_F=207 # --root-password-file password file does not exist
declare -gir ERR_OWNS_PWD_F=208 # --root-password-file failed to set owner root:root on the PWD file
declare -gir ERR_RGHT_PWD_F=209 # --root-password-file failed to set permissions 0400 on the PWD file
declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between 20 and 64 characters
declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
declare -gir ERR_NOTABSPATH=252 # Not an absolute path
declare -gir ERR_INVLD_CHAR=253 # Invalid Character
declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
### Definition of error trap vars
declare -g ERRCODE="" # = $? = $1 = ERRCODE
declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE
declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
var/global.var.sh
View File

@@ -87,10 +87,11 @@ declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
### Definition of error trap vars ### Definition of error trap vars
declare -g ERRCODE="" # = $? = $1 = ERRCODE declare -gx ERRCODE="" # = $? = $1 = ERRCODE
declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT declare -gx ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE declare -gx ERRLINE="" # = ${LINENO} = $3 = ERRLINE
declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC declare -gx ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD declare -gx ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
declare -gx ERRTRAP="false"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh