veilor-os/overlay/etc/firewalld/zones/trusted.xml

v0.5.32: ship 7 blockers from 9-agent wave

Per docs/research/2026-05-05-agent-wave/README.md priority list. All 7 land together to keep iteration cycles useful — partial fixes bury the lookahead findings agents already mapped.

## 1. CRITICAL — suspend/resume wifi death (Agent 9, B2)

`veilor-modules-lock.service` runs `kernel.modules_disabled=1` 30s after graphical.target. iwlwifi/iwlmvm/cfg80211 reload on resume from S3/S0ix → with modules locked, resume breaks wifi until reboot. Same architectural class as the LUKS bug — security feature breaks legitimate kernel state transitions.

The unit already has `ConditionKernelCommandLine=!module.sig_enforce=1` (self-skip when signed-modules enforcement is on cmdline). Adding `module.sig_enforce=1` to the kernel cmdline retains the security property (no unsigned modules) without runtime lock-down → resume works.

Files: kickstart/veilor-os.ks line 61 + overlay/usr/local/bin/veilor-installer generated bootloader directive both gain `module.sig_enforce=1`.

## 2. veilor-firstboot.service WantedBy=graphical.target (Agent 2)

Was `WantedBy=multi-user.target` only. Real installs default to graphical.target so the unit never ran on installed systems — admin pw stayed at install-time + chage -d 0 expired, SDDM PAM bounced to chauthtok screen (recoverable but ugly UX). Now `WantedBy=graphical.target multi-user.target`. Live ISO + multi-user installs both resolve via this list.

## 3. USBGuard hash → id-based baseline (Agent 9, A3)

Mirrors memory feedback_usbguard_dock.md — onyx had hash+parent-hash rules that broke on dock replug; we shipped no rules.conf so first boot blocks the USB keyboard. Adds overlay/etc/usbguard/rules.conf with HID-class allow rule (`allow with-interface match-all { 03:*:* }`) — covers every USB keyboard, mouse, gamepad, fingerprint reader, NFC. Survives dock replug + kernel-bump vendor re-enumeration.

Mass-storage stays implicit-block; user explicitly allows post-firstboot via `ujust veilor-usbguard-enroll` (planned v0.6).

## 4. firewalld trusted zone with tailscale0 pre-bound (Agent 9, D1)

User uses Tailscale daily (memory: project_tailscale_mesh.md). Default firewalld zone = drop, blocks tailnet traffic on tailscale0. Adds overlay/etc/firewalld/zones/trusted.xml with `<interface name="tailscale0"/>`. After `tailscale up` brings the interface up, NetworkManager dispatcher associates it with the trusted zone automatically — no user intervention. Default zone stays drop. Only the tailscale0 interface gets ACCEPT.

## 5. /etc/skel branding (Agent 7)

Was completely empty. Result: per-user KDE config (~/.config/kdeglobals etc.) pre-empty, so the moment user opened System Settings, KDE wrote fresh ~/.config/* and silently shadowed our /etc/xdg/kdedefaults/*. Visual brand evaporated on first click.

Seeds:

- /etc/skel/.config/kdeglobals (copy of assets/kde/veilor-default.kdeglobals)
- /etc/skel/.config/breezerc (copy of assets/kde/breezerc)
- /etc/skel/.config/kwinrc (Plasma 6 wayland defaults: opengl, animspeed=0, blur off, click-to-focus)
- /etc/skel/.config/konsolerc (default profile = Veilor)
- /etc/skel/.local/share/konsole/Veilor.profile + .colorscheme

User who opens System Settings now writes against branded baseline, not against vanilla Breeze.

## 6. KMS modeset args + initramfs keymap (Agents 1 + 9)

Real laptop boot has a 5-15s blank between vt switch and SDDM start because simpledrm releases before i915/nvidia-drm/amdgpu claim. Plus non-US users get locked out at LUKS prompt because initramfs ships en-US keymap by default (RHBZ 1405539, RHBZ 1890085).

Adds to bootloader cmdline (live + installed): `i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us`

`rd.vconsole.keymap=us` is a placeholder; the v0.6 firstboot keymap picker will rewrite it from /etc/vconsole.conf. Until then, en-US users get correct LUKS keyboard; non-US users still need the v0.6 fix (per Agent 1).

## 7. virtio-9p log capture (Agent 6)

The v0.5.30 virtio-serial wiring depends on rsyslog inside the live ISO (anaconda's setupVirtio writes a rsyslog forward rule), which the live ks doesn't install — files were 0-byte across three install runs.

test/run-vm.sh now adds a `-virtfs local,...,mount_tag=hostlogs` share pointing at `test/test-runs/<timestamp>/`. veilor-installer runs `_dump_logs_to_host` via EXIT trap that mounts the share at /mnt/hostlogs and rsyncs /tmp/{anaconda,program,storage,packaging,dnf}.log + /var/log/veilor-installer.log + dmesg + journalctl + the generated ks. Runs on success AND failure AND ^C. No-op on real hardware (9p tag absent) — VM-only debug.

## Validate

```
bash -n overlay/usr/local/bin/veilor-installer   # OK
ksvalidator kickstart/veilor-os.ks               # clean
```

## Out-of-scope for v0.5.32 (deferred to v0.6)

Per Agent 1 follow-ups: argon2id retune for slow CPUs, recovery key generation in firstboot, TPM2/FIDO2 unlock helpers. Per Agent 9 follow-ups: Plasma Wayland fallback X11 install, lid-close handling, SELinux relabel progress UX. Per Agent 4: AppArmor stack + nftables preset + audit log shipping CLI. Per Agent 8 (CI hardening): SHA-pin actions + dependabot + SBOM + SLSA L3 attestation — separate workflow-only commit.
2026-05-05 15:36:24 +01:00
<?xml version="1.0" encoding="utf-8"?>
<!-- veilor-os: trusted zone with tailscale0 pre-bound.
     Default zone stays drop (per 10-harden-base.sh). Tailscale's
     interface is added here so `tailscale up` traffic isn't dropped.
     Without this entry the firewalld drop zone blocks the tailnet
     traffic and the user sees: "tailscale up succeeded, but I can't
     reach hs.s8n.ru". (Agent 9, 2026-05-05 wave.)
     Caveat: target="ACCEPT" means every peer the tailnet admits can
     reach every listening port on this host over tailscale0. Limit
     who may reach what with Tailscale/Headscale ACLs; firewalld does
     no filtering inside this zone. This file overrides the stock
     /usr/lib/firewalld/zones/trusted.xml of the same name. -->
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted. veilor-os pre-binds tailscale0 here so the mesh layer-1 (Tailscale via Headscale) works out-of-box without manual firewalld zone juggling.</description>
  <interface name="tailscale0"/>
</zone>
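The invariant this file relies on is narrow: exactly one interface bound to an ACCEPT target, and nothing else in the zone that would widen the accept beyond that interface (a `<source>` entry, for instance, accepts traffic from that address on any interface, not just tailscale0). The following shell script is an added example, not part of the veilor-os repository: it runs that static check against a constructed copy of the zone file, then, only when firewalld is actually running, confirms the design stated in the commit message (default zone `drop`, tailscale0 resolved to `trusted`). The function names and the embedded sample XML are this example's own; the `firewall-cmd` options used are standard ones.

```shell
#!/bin/sh
# Added example (not veilor-os code): sanity checks for a firewalld zone file
# that is meant to bind exactly one interface to an ACCEPT target, plus live
# checks that run only when firewalld is up.

# Constructed copy of the zone definition. On an installed veilor-os system the
# real file would be /etc/firewalld/zones/trusted.xml; this example never
# touches it and writes only to a temp file.
ZONE_XML='<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="tailscale0"/>
</zone>'

# write_sample_zone: write the constructed zone file to a temp path, print the path.
write_sample_zone() {
  t=$(mktemp) || return 1
  printf '%s\n' "$ZONE_XML" > "$t"
  echo "$t"
}

# zone_target FILE: print the zone's target attribute (empty when it relies on
# firewalld's default target, which is not ACCEPT).
zone_target() {
  tr '<' '\n' < "$1" | sed -n 's/^zone[^>]*target="\([^"]*\)".*/\1/p'
}

# zone_interfaces FILE: print every interface name bound in the zone, one per
# line, even when several <interface/> elements share a line.
zone_interfaces() {
  tr '<' '\n' < "$1" | sed -n 's/^interface name="\([^"]*\)".*/\1/p'
}

# check_zone_file FILE IFACE: succeed only if FILE binds exactly IFACE, uses an
# ACCEPT target, and contains no element that widens the accept beyond that
# interface. Ports/services/rich rules are redundant under ACCEPT and usually
# mean the zone was confused with a restrictive one; <source> is worse, because
# it admits traffic from that address regardless of interface.
check_zone_file() {
  f=$1; want=$2
  if [ "$(zone_target "$f")" != "ACCEPT" ]; then
    echo "$f: target is not ACCEPT"; return 1
  fi
  got=$(zone_interfaces "$f")
  if [ "$got" != "$want" ]; then
    echo "$f: expected only '$want' bound, got: $(printf '%s' "$got" | tr '\n' ' ')"; return 1
  fi
  if grep -Eq '<(source|port|service|protocol|masquerade|forward-port|rule)[ />]' "$f"; then
    echo "$f: zone widens beyond the interface binding"; return 1
  fi
  return 0
}

# live_checks IFACE: on a running firewalld, confirm the default zone is drop
# and IFACE resolves to trusted. Skips (exit 0) when firewalld is absent or
# stopped, so the static part can run on any machine.
live_checks() {
  iface=$1
  command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd absent, skipping live checks"; return 0; }
  firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld not running, skipping live checks"; return 0; }
  dz=$(firewall-cmd --get-default-zone)
  [ "$dz" = "drop" ] || { echo "default zone is '$dz', expected drop"; return 1; }
  z=$(firewall-cmd --get-zone-of-interface "$iface" 2>/dev/null)
  [ "$z" = "trusted" ] || { echo "$iface is in zone '${z:-none}', expected trusted"; return 1; }
  return 0
}

# Stand-alone run: static check on the constructed file, then the live checks.
zone=$(write_sample_zone)
if check_zone_file "$zone" tailscale0; then
  echo "static check OK: binds only tailscale0 to ACCEPT"
fi
live_checks tailscale0
rm -f "$zone"
```

On a veilor-os box the same static check runs against the real file with `check_zone_file /etc/firewalld/zones/trusted.xml tailscale0`; `firewall-cmd --check-config` remains the authoritative syntax check for everything under /etc/firewalld, and `firewall-cmd --get-active-zones` shows whether tailscale0 actually landed in `trusted` after `tailscale up`.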