Merge branch 'secureblue:live' into chromiumconfinement

.github/workflows/build.yml

@@ -101,7 +101,7 @@ jobs:
       - name: Build secureblue
         uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1
         with:          
-          cli_version: v0.9.0
+          cli_version: v0.9.2
           recipe: ${{ matrix.recipe }}
           cosign_private_key: ${{ secrets.SIGNING_SECRET }}
           registry_token: ${{ github.token }}

.github/workflows/checksum.yml

@@ -0,0 +1,26 @@
+name: installer-checksum
+on: 
+  pull_request:
+    branches:
+      - live
+jobs:
+  verify-installer-checksum:
+    name: Linkspector
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Verify checksum
+        shell: bash
+        env:
+          INSTALL_SCRIPT: files/system/usr/share/secureblue/install_secureblue.sh
+          EXAMPLE_BUTANE: docs/example.butane
+        run: |
+          INSTALLER_CHECKSUM=$(sha256sum $INSTALL_SCRIPT | awk '{ print $1 }')
+          BUTANE_CHECKSUM=$(grep -oP 'sha256-\K[a-f0-9]{64}' $EXAMPLE_BUTANE)
+          if [ "$INSTALLER_CHECKSUM" != "$BUTANE_CHECKSUM" ]; then
+            echo "Checksum mismatch."
+            echo "Installer checksum: $INSTALLER_CHECKSUM"
+            echo "Butane checksum: $BUTANE_CHECKSUM"
+            exit 1
+          fi

.github/workflows/pull_request.yml

@@ -45,7 +45,7 @@ jobs:
         run: |
           docker create \
             --name blue-build-installer \
-            ghcr.io/blue-build/cli:v0.9.0-installer
+            ghcr.io/blue-build/cli:v0.9.2-installer
           docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
           docker rm blue-build-installer
           bluebuild --version

docs/FAQ.md

@@ -150,3 +150,9 @@ Extensions in `hardened-chromium` are disabled by default, for security reasons
 \
 \
 If the extension you installed doesn't work, it is likely because it requires WebAssembly (WASM) for some cryptographic library or some other optimizations (this is the case with the Bitwarden extension). To re-enable JavaScript JIT and WASM for extensions, enable the feature `chrome://flags/#internal-page-jit`.
+
+#### Why doesn't SPICE features like automatic window resizing and shared clipboard work?
+
+The SPICE protocol uses an agent called `spice-vdagentd` which handles these various features. However, the implementation of this requires an X server. This is why it works on standard Silverblue and not secureblue. 
+
+To enable this, run `ujust toggle-xwayland` and reboot. This will allow `spice-vdagentd` to use an X server and will enable these features.

docs/README.md

@@ -81,6 +81,8 @@ Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding.
 > If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, Sericea (Sway Atomic) for Sericea and all the Wayblue images, and CoreOS for all the securecore images.
 > 
 > For more details on the available images, have a look at [IMAGES](IMAGES.md) before proceeding.
+>
+> For instructions on installing Fedora CoreOS, please see the documentation [here](https://docs.fedoraproject.org/en-US/fedora-coreos/). There is a sample butane configuration file [here](example.butane).
 
 To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) or [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue.
 

docs/example.butane

@@ -0,0 +1,43 @@
+variant: fcos
+version: 1.5.0
+passwd:
+  users:
+    - name: core
+      groups:
+        - wheel
+      password_hash: $y$j9T$mefBCJbp/a49aSkTT4hpE1$6BXtrIuV8856t4A9r/R1GW4aR9eKXxsmB8FXt56Hx70 # 'secureblue'
+      ssh_authorized_keys:
+        - ssh-ed25519 <key>
+storage:
+  files:
+    - path: /opt/install_secureblue.sh
+      contents:
+        source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh
+        verification:
+          hash: sha256-1f2f8ac822614eb20c82547aabdd18fbded3906115db8ecd4efcf3a80e19bd7d
+      mode: 0755
+    - path: /opt/run_install_secureblue.sh
+      contents:
+        inline: |
+          sudo systemctl disable --now zincati.service 2>/dev/null
+          sudo systemctl stop rpm-ostreed-automatic.timer rpm-ostreed-automatic.service 2>/dev/null
+          if [ ! -f /opt/install_secureblue.sh ]; then
+            echo "Error: install_secureblue.sh was not downloaded."
+          else
+            sudo /opt/install_secureblue.sh
+            if [ $? != 0 ]; then
+              echo "Error: Secureblue installer failed."
+            else
+              sed -i "/\/opt\/run_install_secureblue.sh/d" /var/home/core/.bash_profile
+              sudo rm -f /opt/*install_secureblue.sh
+              echo "Automatically rebooting in 5 seconds..."
+              sleep 5
+              sudo systemctl reboot
+            fi
+          fi
+      mode: 0755
+    - path: /var/home/core/.bash_profile
+      overwrite: false
+      append:
+      - inline: |
+          /opt/run_install_secureblue.sh

files/justfiles/hardening.just

@@ -24,7 +24,7 @@ flatpak-permissions-lockdown:
     kFeaturePermissions=("per-app-dev-shm" "canbus" "bluetooth" "multiarch" "devel")
     kFilesystemPermissions=("home" "host-etc" "host")
     kDangerousFilesystemPermissions=("~/.bashrc" "~/.bash_profile" "/home" "/var/home" "/var" "/media" "/run/media" "/run" "/mnt")
-    kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.kde.kiod5" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
+    kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.gnome.Shell.Screenshot" "org.kde.kiod5" "org.kde.kwin.Screenshot" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer")
     kKnownSystemBusNames=("org.freedesktop.systemd1" "org.freedesktop.Avahi.*" "org.freedesktop.login1" "org.freedesktop.NetworkManager" "org.freedesktop.UPower" "org.freedesktop.UDisks2" "org.freedesktop.fwupd")
     kFlatsealNameAccess=("org.gnome.Software" "org.freedesktop.impl.portal.PermissionStore")