From cf52c15301c96c97500171322e16ee2d00d6e0cd Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 7 Jul 2024 11:15:20 -0400
Subject: [PATCH] Harden DNF config

This uses a postinstall script for DNF5 and a configuration file otherwise.
---
 package-managers/Makefile        | 2 ++
 package-managers/dnf-harden.conf | 3 +++
 rpm_spec/core-agent.spec.in      | 8 ++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 package-managers/dnf-harden.conf

diff --git a/package-managers/Makefile b/package-managers/Makefile
index 88765ab4..3a722782 100644
--- a/package-managers/Makefile
+++ b/package-managers/Makefile
@@ -94,6 +94,8 @@ endif
 install-dnf5: install-rpm
 	install -D -m 0644 qubes-post-update.actions \
 	$(DESTDIR)$(SYSCONFDIR)/dnf/libdnf5-plugins/actions.d/qubes-post-update.actions
+	install -D -m 0644 dnf-harden.conf \
+	$(DESTDIR)$(SYSCONFDIR)/dnf/libdnf5.conf.d/10-qubes.conf
 
 install-yum: install-rpm
 	install -d $(DESTDIR)$(LIBDIR)/yum-plugins
diff --git a/package-managers/dnf-harden.conf b/package-managers/dnf-harden.conf
new file mode 100644
index 00000000..a4a24f8e
--- /dev/null
+++ b/package-managers/dnf-harden.conf
@@ -0,0 +1,3 @@
+[main]
+deltarpm=0
+zchunk=0
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 7f6dbc13..a6b1d355 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -582,6 +582,13 @@ if [ -L /usr/local ]; then
     mount /usr/local || :
 fi
 
+%if 0%{?fedora} < 41
+if [ ! -f /etc/qubes-dnf-hardened ]; then
+    dnf config-manager --setopt=zchunk=0 --setopt=deltarpm=0 --save &&
+    touch /etc/qubes-dnf-hardened
+fi
+%endif
+
 # workaround for Fedora's systemd package bug
 # https://bugzilla.redhat.com/1559286
 if [ -d /var/lib/private ]; then
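Review bot: The commit description has the two mechanisms the wrong way round relative to this hunk: the new `install -D` line puts dnf-harden.conf into `libdnf5.conf.d/`, so the configuration-file path is the DNF5 one, while the `dnf config-manager` postinstall in core-agent.spec.in is guarded by `%if 0%{?fedora} < 41`, i.e. pre-DNF5. Suggest rewording the description to `This uses a configuration drop-in for DNF5 and a postinstall script otherwise.` so the next reader does not go looking for the file under the DNF4 paths. The install-dnf5 rule is otherwise consistent with the existing actions-file install above it (same mode, same `$(DESTDIR)$(SYSCONFDIR)` prefix).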
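Review bot: The drop-in carries no comment saying why `deltarpm=0` and `zchunk=0` count as hardening, and the `10-qubes.conf` name it is installed under gives an administrator no hint of its origin or intent. A one-line header such as `# Qubes hardening: disable deltarpm and zchunk (extra decoders run on downloaded data); managed by qubes-core-agent, do not edit` would make it self-explaining when found in /etc/dnf/libdnf5.conf.d. The stated rationale is my inference from the commit title; confirm it with the author before committing it as a comment.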
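Review bot: `%if 0%{?fedora} < 41` is also true when `fedora` is undefined, so on EL builds (the spec has `%if 0%{?rhel} == 7` branches elsewhere) the scriptlet runs `dnf config-manager` on hosts that may have only yum or lack the config-manager plugin; the command fails, /etc/qubes-dnf-hardened is never created, and the error repeats on every upgrade. Rather than narrowing to Fedora only (which would drop EL8/9, where dnf4 is in use), check for the tool: `if [ ! -f /etc/qubes-dnf-hardened ] && command -v dnf >/dev/null 2>&1; then`. The marker file is created here but not declared in %files; add `%ghost /etc/qubes-dnf-hardened` so rpm tracks it. Note also that `--save` presumably rewrites the system-wide dnf.conf owned by another package and nothing reverts it on removal — likely acceptable for a hardening setting, but worth a comment above the block. The %post scriptlet continues outside the hunk.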
@@ -963,6 +970,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/yum.repos.d/qubes-r4.repo
 %if 0%{?fedora} >= 41
 /etc/dnf/libdnf5-plugins/actions.d/qubes-post-update.actions
+/etc/dnf/libdnf5.conf.d/10-qubes.conf
 %else
 %if 0%{?rhel} == 7
 /etc/yum/pluginconf.d/yum-qubes-hooks.conf
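Review bot: The new `/etc/dnf/libdnf5.conf.d/10-qubes.conf` entry is a file under /etc listed without `%config`, unlike `%config(noreplace) /etc/yum.repos.d/qubes-r4.repo` three lines up; rpm will then silently overwrite local edits on upgrade and rpmlint reports it as non-conffile-in-etc. Since this is a hardening drop-in the package should win on update, so plain `%config /etc/dnf/libdnf5.conf.d/10-qubes.conf` (local changes kept as .rpmsave) seems the better choice over noreplace. The actions file on the preceding line has the same omission, but that predates this commit. The %files list continues outside the hunk.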