veilor-os/overlay/etc
s8n-ru dfda66ac7e
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 0s
Lint / Shell scripts (pull_request) Failing after 0s
Lint / No personal/onyx leaks (pull_request) Failing after 0s
sec: AppArmor v0.6 stub — load profiles in complain mode
Per docs/research/2026-05-05-agent-wave/04-hardening-tier-2.md (v0.6
scope item 1).

Adds:
  - apparmor-parser apparmor-utils apparmor-profiles to %packages in
    BOTH kickstart/veilor-os.ks (live ks) and overlay/usr/local/bin/
    veilor-installer (generated install ks heredoc).
  - scripts/40-apparmor.sh — wires aa-complain on every veilor-shipped
    profile. Idempotent. "loaded, present, nothing breaks".
  - overlay/etc/apparmor.d/veilor.d/firefox — 1-liner stub (binary
    confinement marker only; full policy post-v0.6).
  - overlay/etc/apparmor.d/veilor.d/thunderbird — same pattern.
  - Wired 40-apparmor.sh into install %post chain after
    30-apply-v03-theme.sh.

Complain mode means: profiles loaded, kernel logs syscall denials but
does NOT enforce. Operator can review audit.log post-install to
inform v0.7 policy authoring.
2026-05-06 11:15:30 +01:00
apparmor.d/veilor.d sec: AppArmor v0.6 stub — load profiles in complain mode 2026-05-06 11:15:30 +01:00
audisp sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) 2026-05-02 04:39:39 +01:00
audit/plugins.d sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) 2026-05-02 04:39:39 +01:00
firewalld/zones v0.5.32: ship 7 blockers from 9-agent wave 2026-05-05 15:36:24 +01:00
os-release.d v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor 2026-05-05 01:43:00 +01:00
sddm.conf.d veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00
skel v0.5.32: ship 7 blockers from 9-agent wave 2026-05-05 15:36:24 +01:00
ssh/sshd_config.d v0.5.16: sshd UseDNS no — fix banner timeout on NAT/slirp 2026-05-03 15:41:15 +01:00
sudoers.d veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00
sysctl.d veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00
systemd/system v0.5.32: ship 7 blockers from 9-agent wave 2026-05-05 15:36:24 +01:00
tuned/profiles ci: quote $@ in tuned profile scripts (SC2068) (#10) 2026-05-02 04:17:22 +01:00
udev/rules.d veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00
usbguard v0.5.32: ship 7 blockers from 9-agent wave 2026-05-05 15:36:24 +01:00